Help! That Fake Virus Scan icon is back on my computer

Hello -
It has been almost a year... but I just got that message saying i needed to update my software. I recognize that blue shield.... it's the bad one.

Can you help me (again??) thanks so much
buff

Hello.

RKill by Grinler
Version 1
Version 2

• Download Version 1.
  
• Save it to your Desktop.
  
• Double click the RKill desktop icon.
  If you are using Vista please right click and run as Admin!
  
• A black screen will briefly flash indicating a successful run.
  
• If this does not occur please delete that application and download Version 2.
  
• Continue process until the tool runs.
  
• If the tool does not run from any of the links tell me about it.
  

This only kills the active infection, the actual infection will not be gone.

Please post the log back from that.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as lcdig on 12/29/2010 at 8:34:54.

Services Stopped:

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\lcdig\Desktop\rkill.scr

Rkill completed on 12/29/2010 at 8:35:01.

ps. i just noticed that my computer's date was incorrect.
ran again. same result only the correct day.
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as lcdig on 09/29/2010 at 8:37:10.

Services Stopped:

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\lcdig\Desktop\rkill.scr

Rkill completed on 09/29/2010 at 8:37:16.

(thanks for the help)

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

ComboFix 10-09-29.01 - lcdig 09/29/2010 15:01:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.534 [GMT -7:00]
Running from: c:\documents and settings\lcdig\My Documents\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-12-29 01:06 . 2010-12-29 01:06 -------- d-----w- c:\windows\LastGood
2010-09-23 00:11 . 2010-09-23 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-09-21 17:56 . 2010-09-21 17:57 8 ----a-w- c:\windows\system32\nvModes.dat
2010-09-21 17:55 . 2010-09-21 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-09-21 17:45 . 2006-10-22 19:22 208896 ----a-w- c:\windows\system32\nvudisp.exe
2010-09-21 17:44 . 2006-10-22 22:06 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-09-21 17:43 . 2010-09-21 17:43 -------- d-----w- C:\NVIDIA
2010-09-21 17:32 . 2010-09-21 17:32 -------- d-----w- c:\program files\SystemRequirementsLab
2010-09-21 17:32 . 2010-09-21 17:32 -------- d-----w- c:\documents and settings\lcdig\Application Data\SystemRequirementsLab
2010-09-21 17:32 . 2010-09-21 17:32 290816 ----a-w- c:\documents and settings\lcdig\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-09-21 17:32 . 2010-09-21 17:32 290816 ----a-w- c:\documents and settings\lcdig\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-09-21 17:32 . 2010-09-21 17:32 290816 ----a-w- c:\documents and settings\lcdig\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-09-21 17:32 . 2010-09-21 17:32 290816 ----a-w- c:\documents and settings\lcdig\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-09-21 17:32 . 2010-09-21 17:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-21 17:18 . 2010-09-21 17:18 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-09-15 21:32 . 2010-09-15 21:34 -------- d-----w- c:\program files\QuickTime
2010-09-08 18:00 . 2010-09-08 18:00 -------- d-----w- c:\program files\iPod
2010-09-08 18:00 . 2010-09-08 18:02 -------- d-----w- c:\program files\iTunes
2010-09-08 17:47 . 2010-09-08 17:47 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-29 01:07 . 2010-02-24 17:56 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-28 19:35 . 2008-10-07 16:23 -------- d-----w- c:\program files\DYMO Label
2010-09-27 22:16 . 2009-12-31 19:43 -------- d-----w- c:\documents and settings\lcdig\Application Data\Azureus
2010-09-08 18:00 . 2008-07-03 16:52 -------- d-----w- c:\program files\Common Files\Apple
2010-08-25 17:08 . 2010-08-25 17:08 -------- d-----w- c:\documents and settings\lcdig\Application Data\NSBackup
2010-08-20 23:43 . 2008-08-25 21:38 -------- d-----w- c:\program files\Common Files\Java
2010-08-20 23:42 . 2008-08-25 21:39 -------- d-----w- c:\program files\Java
2010-08-20 00:48 . 2010-08-20 00:48 40624 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-07 23:18 . 2010-08-07 23:18 503808 ----a-w- c:\documents and settings\lcdig\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1d8d48ad-n\msvcp71.dll
2010-08-07 23:18 . 2010-08-07 23:18 499712 ----a-w- c:\documents and settings\lcdig\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1d8d48ad-n\jmc.dll
2010-08-07 23:18 . 2010-08-07 23:18 348160 ----a-w- c:\documents and settings\lcdig\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1d8d48ad-n\msvcr71.dll
2010-08-07 23:18 . 2010-08-07 23:18 61440 ----a-w- c:\documents and settings\lcdig\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-66eceaa1-n\decora-sse.dll
2010-08-07 23:18 . 2010-08-07 23:18 12800 ----a-w- c:\documents and settings\lcdig\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-66eceaa1-n\decora-d3d.dll
2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-16 06:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 12:00 . 2010-05-26 19:14 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 22:24 . 2010-07-09 22:25 53632 ----a-w- c:\documents and settings\lcdig\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-09 22:24 . 2010-04-06 23:53 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-09 22:23 . 2010-07-09 22:22 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-09-11 3042240]
"Aim"="c:\program files\AIM7\aim.exe" [2010-04-19 3972440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2006-10-22 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\lcdig\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [9/23/2010 4:08 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [9/23/2010 4:08 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100901.003\BHDrvx86.sys [8/31/2010 3:57 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [9/23/2010 4:08 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [9/23/2010 4:08 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [9/23/2010 4:07 PM 126392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/12/2008 10:03 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/23/2010 1:39 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100928.001\IDSXpx86.sys [12/28/2010 6:04 PM 331640]
.
Contents of the 'Scheduled Tasks' folder

2010-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\lcdig\Application Data\Mozilla\Firefox\Profiles\h8je9slv.default\
FF - prefs.js: browser.startup.homepage - hxxps://secure.accountsupport.com/secure/maillogin.bml
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\lcdig\Application Data\Mozilla\Firefox\Profiles\h8je9slv.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-29 15:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"=""c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe" /s "NIS" /m "c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2416)
c:\windows\system32\WININET.dll
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-09-29 15:13:14
ComboFix-quarantined-files.txt 2010-09-29 22:13

Pre-Run: 176,647,200,768 bytes free
Post-Run: 177,977,372,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8A6EC3CEB446693E1A20943E7DE286EA

Please download 7-Zip and install it. If you already have it, no need to reinstall.

Then, download RootkitUnhooker and save the setup to your Desktop.

• Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
  
• Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
  
• Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
  
• It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
  
• Once inside the interface, do not fix anything. Click on the Report tab.
  
• Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  
• It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
  
• When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

the rootkit unhooker didn't move for 20 minutes in the Files tab. When i finally hit cancel, it completed the final 2 tabs.(btw, i did this routine 2x with the same result). report follows. Thanks again.
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtAlertResumeThread, Type: Address change 0x80637AD6-->8681F050 [Unknown module filename]
ntoskrnl.exe-->NtAlertThread, Type: Address change 0x8058395D-->867F5050 [Unknown module filename]
ntoskrnl.exe-->NtAllocateVirtualMemory, Type: Address change 0x80570BC5-->8671C2B8 [Unknown module filename]
ntoskrnl.exe-->NtAssignProcessToJobObject, Type: Address change 0x805E8E34-->867CB050 [Unknown module filename]
ntoskrnl.exe-->NtConnectPort, Type: Address change 0x80584D73-->86E27148 [Unknown module filename]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x80578710-->F2AFB210 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntoskrnl.exe-->NtCreateMutant, Type: Address change 0x80582EA8-->866C6538 [Unknown module filename]
ntoskrnl.exe-->NtCreateSymbolicLinkObject, Type: Address change 0x805E78DA-->86696F38 [Unknown module filename]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x805959DF-->86E7ECD0 [Unknown module filename]
ntoskrnl.exe-->NtDebugActiveProcess, Type: Address change 0x80662889-->867F0050 [Unknown module filename]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x80599783-->F2AFB490 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x805983A2-->F2AFB9F0 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntoskrnl.exe-->NtDuplicateObject, Type: Address change 0x8057EDE5-->866F2F38 [Unknown module filename]
ntoskrnl.exe-->NtFreeVirtualMemory, Type: Address change 0x805710BF-->867302F0 [Unknown module filename]
ntoskrnl.exe-->NtImpersonateAnonymousToken, Type: Address change 0x8059EA22-->867F4050 [Unknown module filename]
ntoskrnl.exe-->NtImpersonateThread, Type: Address change 0x8058D42E-->867D0050 [Unknown module filename]
ntoskrnl.exe-->NtLoadDriver, Type: Address change 0x805AEDE2-->86C4CE88 [Unknown module filename]
ntoskrnl.exe-->NtMapViewOfSection, Type: Address change 0x8057A879-->86800650 [Unknown module filename]
ntoskrnl.exe-->NtOpenEvent, Type: Address change 0x8058E7F1-->867CF050 [Unknown module filename]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x8057F592-->86811308 [Unknown module filename]
ntoskrnl.exe-->NtOpenProcessToken, Type: Address change 0x80578148-->868097F0 [Unknown module filename]
ntoskrnl.exe-->NtOpenSection, Type: Address change 0x80578DEE-->867F2050 [Unknown module filename]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x80584849-->86811238 [Unknown module filename]
ntoskrnl.exe-->NtProtectVirtualMemory, Type: Address change 0x8057F1C3-->866A89E8 [Unknown module filename]
ntoskrnl.exe-->NtResumeThread, Type: Address change 0x80596056-->867D1050 [Unknown module filename]
ntoskrnl.exe-->NtSetContextThread, Type: Address change 0x80635C83-->868210B8 [Unknown module filename]
ntoskrnl.exe-->NtSetInformationProcess, Type: Address change 0x80574B1F-->866F52F8 [Unknown module filename]
ntoskrnl.exe-->NtSetSystemInformation, Type: Address change 0x805B0A14-->8681B050 [Unknown module filename]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x8057FCE0-->F2AFBC40 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x80637A1B-->8681D050 [Unknown module filename]
ntoskrnl.exe-->NtSuspendThread, Type: Address change 0x80637937-->86820050 [Unknown module filename]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x80593435-->867DB650 [Unknown module filename]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x8059560C-->867F6050 [Unknown module filename]
ntoskrnl.exe-->NtUnmapViewOfSection, Type: Address change 0x8057A401-->867FD240 [Unknown module filename]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8058D363-->86730380 [Unknown module filename]
==============================================
>Shadow
==============================================
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0xBF8F559C-->86EA38B0 [Unknown module filename]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0xBF8A3E9C-->85FBF760 [Unknown module filename]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0xBF8AD34B-->85F0CFD0 [Unknown module filename]
win32k.sys-->NtUserGetKeyState, Type: Address change 0xBF823E97-->86879300 [Unknown module filename]
win32k.sys-->NtUserGetRawInputData, Type: Address change 0xBF9164F0-->866CA730 [Unknown module filename]
win32k.sys-->NtUserMessageCall, Type: Address change 0xBF80EEAE-->85FD3678 [Unknown module filename]
win32k.sys-->NtUserPostMessage, Type: Address change 0xBF808327-->85F0DEF0 [Unknown module filename]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0xBF85FD24-->86692F38 [Unknown module filename]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF8AD40B-->86DC5288 [Unknown module filename]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0xBF8F9928-->8669D1D0 [Unknown module filename]
==============================================
>Processes
==============================================
0x86FC4830 [4] System
0x85D22DA0 [168] C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc., SoundMAX service agent component)
0x85D0B378 [320] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85D07990 [444] C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation, Windows User Mode Driver Manager)
0x85D089A8 [484] C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation, ViewMgr)
0x85556648 [496] C:\Program Files\Mozilla Firefox\plugin-container.exe (Mozilla Corporation, Plugin Container for Firefox)
0x85F67DA0 [656] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x85FEE5C8 [724] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x85696DA0 [728] C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE (Microsoft Corporation, Microsoft Office Access)
0x86675DA0 [756] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x8667AA80 [800] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x857C9020 [804] C:\Program Files\AIM7\aim.exe (AOL Inc., AOL Instant Messenger)
0x85ECAB98 [816] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x857E6BA0 [948] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x85E20718 [992] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85EBEA30 [1104] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85841908 [1140] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (SlySoft, Inc., AnyDVD Application)
0x862A0980 [1180] C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe (TechSmith Corporation, TechSmith HTML Help Helper)
0x85E58788 [1200] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x855BADA0 [1292] C:\Documents and Settings\lcdig\Desktop\RkU3.8.388.590\MustBeRandomlyNamed\fvFeQM3PkC5ggsl4.exe (UG North, RKULE, SR2 Normandy)
0x85E54020 [1324] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85DFE788 [1448] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85DF7B98 [1580] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x85DE2DA0 [1672] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85DCA990 [1704] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., Apple Mobile Device Service)
0x85E32378 [1716] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
0x85DC2B98 [1764] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java(TM) Quick Starter Service)
0x85D009F0 [1924] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x85E4EDA0 [1928] C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe (Symantec Corporation, Symantec Service Framework)
0x85D30020 [2044] C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 93.71)
0x8567FDA0 [2116] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))
0x85C17DA0 [2320] C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe (TechSmith Corporation, SnagIt 8)
0x86091020 [2416] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x85025170 [2552] C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation, Microsoft Office Excel)
0x85C6C878 [2604] C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe (Symantec Corporation, Symantec Service Framework)
0x8571F450 [3116] C:\Program Files\Outlook Express\msimn.exe (Microsoft Corporation, Outlook Express)
0x85017020 [3180] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)
0x851DC528 [3400] C:\Program Files\Womble MPEG Editor\mpeg-vcr.exe (Womble Multmedia, Inc., MPEG-VCR)
0x85B483B0 [3620] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc., SMax4PNP MFC Application)
0x85B49B98 [3632] C:\Program Files\Analog Devices\SoundMAX\SMax4.exe (Analog Devices, Inc., SoundMAX Control Center)
0x857AE620 [3952] C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe (ScanSoft, Inc., OCR Aware (32-bit))
0x85867580 [3960] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java(TM) Update Scheduler)
0x857C7020 [3976] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4530176 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 93.71 )
0xF69AA000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3997696 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 93.71 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAE8CF000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20101001.002\NAVEX15.SYS 1368064 bytes (Symantec Corporation, AV Engine)
0xF26E8000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100901.003\BHDrvx86.sys 704512 bytes (Symantec Corporation, BASH Driver)
0xF7481000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF2794000 C:\WINDOWS\system32\drivers\NIS\1108000.005\ccHPx86.sys 520192 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0xF288E000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF2830000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF67E5000 C:\WINDOWS\system32\drivers\senfilt.sys 385024 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xF5B75000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF2A45000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF2C75000 C:\WINDOWS\System32\Drivers\NIS\1108000.005\SRTSP.SYS 356352 bytes (Symantec Corporation, Symantec AutoProtect)
0xB988C000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xF29EE000 C:\WINDOWS\System32\Drivers\NIS\1108000.005\SYMTDI.SYS 356352 bytes (Symantec Corporation, Network Dispatch Driver)
0xF7564000 SYMDS.SYS 352256 bytes
0xAEA1D000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100930.005\IDSxpx86.sys 348160 bytes (Symantec Corporation, IDS Core Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB8D32000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF6887000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xF5C7B000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7648000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB99D3000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7454000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF7525000 SYMEFA.SYS 184320 bytes
0xADF23000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF28FE000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF696E000 C:\WINDOWS\system32\DRIVERS\e1000325.sys 163840 bytes (Intel Corporation, Intel(R) PRO/1000 Adapter NDIS 5.1 deserialized driver)
0xF294B000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF75F2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF29C8000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF2AE5000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0xB67D3000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6863000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF694A000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF68C7000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF2929000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806FF000 ACPI_HAL 134400 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF6843000 C:\WINDOWS\system32\drivers\aeaudio.sys 131072 bytes (Andrea Electronics Corporation, Andrea Audio Noise Cancellation Driver)
0xF75BA000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7618000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF2C56000 C:\WINDOWS\system32\drivers\NIS\1108000.005\Ironx86.SYS 126976 bytes (Symantec Corporation, Iron Driver)
0xF2813000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xF743A000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF68EA000 C:\WINDOWS\System32\Drivers\AnyDVD.sys 98304 bytes (SlySoft, Inc., AnyDVD Filter Driver)
0xF75DA000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF26D0000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF750E000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF5CBC000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB92B7000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xAE8BB000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20101001.002\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xF6902000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6996000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF2A9E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7552000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7637000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF5CAB000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF2D0C000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF6D7A000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7747000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF76A7000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF6D8A000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7757000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7777000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7767000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB9BF8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF77A7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF76B7000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF76F7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF6D9A000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7847000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF76D7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7897000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7717000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF7867000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF76C7000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7877000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7697000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF78C7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF77C7000 C:\WINDOWS\system32\drivers\NIS\1108000.005\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xF78B7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF76E7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF6DAA000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF78A7000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF77E7000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB6B80000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7707000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7907000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF5697000 C:\DOCUME~1\lcdig\LOCALS~1\Temp\catchme.sys 32768 bytes
0xF56B7000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7A0F000 C:\WINDOWS\system32\drivers\sf.sys 32768 bytes (Sonic Focus, Inc, DSP service driver 08-28-2004 build for SF 1.X)
0xF79E7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF79FF000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7917000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7A07000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF79EF000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF79BF000 C:\DOCUME~1\lcdig\LOCALS~1\Temp\mbr.sys 24576 bytes
0xF79F7000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF79DF000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF56BF000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7967000 C:\WINDOWS\System32\Drivers\ElbyCDIO.sys 20480 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0xF56A7000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF56C7000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF791F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7A7F000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7A87000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF7A77000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7A57000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB8C44000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF7B4B000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB9C24000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7B8F000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7AA7000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF740E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7B27000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF6068000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7BB3000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B9D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7C33000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7BB1000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B9B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7B97000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7BB5000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7C37000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7C0B000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xF7BB7000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7BC3000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7BF5000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B99000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7D43000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7CB6000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7DD3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7C5F000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7CE4000 C:\WINDOWS\System32\Drivers\PQNTDrv.SYS 4096 bytes (PowerQuest Corporation, PowerQuest Boot Mode Driver.)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00005B22, Type: Inline - RelativeJump 0x804DCB22-->804DCB29 [ntoskrnl.exe]
ntoskrnl.exe+0x0000D94C, Type: Inline - RelativeJump 0x804E494C-->804E4935 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DA34, Type: Inline - RelativeJump 0x804E4A34-->804E49C2 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DA98, Type: Inline - RelativeJump 0x804E4A98-->804E4A25 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DCD4, Type: Inline - RelativeJump 0x804E4CD4-->804E4C66 [ntoskrnl.exe]
ntoskrnl.exe-->IofCallDriver, Type: Address change 0x8055B780-->F5699F84 [catchme.sys]
[2416]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2416]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[2416]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[2416]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[2416]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[2416]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[2416]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[2416]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[3116]msimn.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x01001028-->00000000 [asoehook.dll]
[3116]msimn.exe-->kernel32.dll-->GetSystemTimeAsFileTime, Type: IAT modification 0x01001064-->00000000 [asoehook.dll]
[3116]msimn.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x01001030-->00000000 [asoehook.dll]
[3180]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3-->00000000 [unknown_code_page]
[496]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E46531E-->00000000 [xul.dll]
[804]aim.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [tbdiag.dll]
[804]aim.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [tbdiag.dll]
[804]aim.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [tbdiag.dll]
[804]aim.exe-->advapi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77DD115C-->00000000 [tbdiag.dll]
[804]aim.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [tbdiag.dll]
[804]aim.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [tbdiag.dll]
[804]aim.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [tbdiag.dll]
[804]aim.exe-->gdi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77F1102C-->00000000 [tbdiag.dll]
[804]aim.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->00000000 [tbdiag.dll]
[804]aim.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->00000000 [tbdiag.dll]
[804]aim.exe-->mswsock.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x71A510BC-->00000000 [tbdiag.dll]
[804]aim.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [tbdiag.dll]
[804]aim.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [tbdiag.dll]
[804]aim.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [tbdiag.dll]
[804]aim.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [tbdiag.dll]
[804]aim.exe-->shell32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7C9C13DC-->00000000 [tbdiag.dll]
[804]aim.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [tbdiag.dll]
[804]aim.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [tbdiag.dll]
[804]aim.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [tbdiag.dll]
[804]aim.exe-->user32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x7E411304-->00000000 [tbdiag.dll]
[804]aim.exe-->wininet.dll-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x3D93124C-->00000000 [aim.exe]
[804]aim.exe-->wininet.dll-->advapi32.dll-->RegQueryValueExA, Type: IAT modification 0x3D931284-->00000000 [aim.exe]
[804]aim.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->00000000 [tbdiag.dll]
[804]aim.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->00000000 [tbdiag.dll]
[804]aim.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->00000000 [tbdiag.dll]
[804]aim.exe-->wininet.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x3D931444-->00000000 [tbdiag.dll]
[804]aim.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->00000000 [tbdiag.dll]
[804]aim.exe-->ws2_32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x71AB10DC-->00000000 [tbdiag.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

I'm wondering if I should keep this Unhooker open.... when I hit 'close' it says 'really?"

Close it. :p

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

• Double-click on MBRCheck.exe to run it.
  
• It will open a black window...please do not fix anything (if it gives you an option).
  
• When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  
• A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  
• Please copy and paste the contents of that log in your next reply.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0200003d

Kernel Drivers (total 136):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7B97000 \WINDOWS\system32\KDCOM.DLL
0xF7AA7000 \WINDOWS\system32\BOOTVID.dll
0xF7648000 ACPI.sys
0xF7B99000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7637000 pci.sys
0xF7697000 isapnp.sys
0xF76A7000 ohci1394.sys
0xF76B7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7C5F000 PCIIde.sys
0xF7917000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7B9B000 intelide.sys
0xF76C7000 MountMgr.sys
0xF7618000 ftdisk.sys
0xF7B9D000 dmload.sys
0xF75F2000 dmio.sys
0xF791F000 PartMgr.sys
0xF76D7000 VolSnap.sys
0xF75DA000 atapi.sys
0xF76E7000 disk.sys
0xF76F7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF75BA000 fltmgr.sys
0xF7564000 SYMDS.SYS
0xF7552000 sr.sys
0xF7525000 SYMEFA.SYS
0xF7707000 PxHelp20.sys
0xF750E000 KSecDD.sys
0xF7481000 Ntfs.sys
0xF7454000 NDIS.sys
0xF743A000 Mup.sys
0xF7717000 agp440.sys
0xF7747000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6DAA000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF69AA000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF6996000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF696E000 \SystemRoot\system32\DRIVERS\e1000325.sys
0xF79DF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF694A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF79E7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6D9A000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF79EF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF79F7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79FF000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF6D8A000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7B8F000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF6902000 \SystemRoot\system32\DRIVERS\parport.sys
0xF68EA000 \SystemRoot\System32\Drivers\AnyDVD.sys
0xF6D7A000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7767000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF68C7000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7A07000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF6887000 \SystemRoot\system32\drivers\smwdm.sys
0xF6863000 \SystemRoot\system32\drivers\portcls.sys
0xF7777000 \SystemRoot\system32\drivers\drmk.sys
0xF6843000 \SystemRoot\system32\drivers\aeaudio.sys
0xF67E5000 \SystemRoot\system32\drivers\senfilt.sys
0xF7A0F000 \SystemRoot\system32\drivers\sf.sys
0xF7D43000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7847000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B27000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5CBC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7877000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7897000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7A77000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5CAB000 \SystemRoot\system32\DRIVERS\psched.sys
0xF78A7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7A7F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7A87000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5C7B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF78B7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7BC3000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5B75000 \SystemRoot\system32\DRIVERS\update.sys
0xF7B4B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF78C7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF77A7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7BF5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF56A7000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF2C75000 \SystemRoot\System32\Drivers\NIS\1108000.005\SRTSP.SYS
0xF2C56000 \SystemRoot\system32\drivers\NIS\1108000.005\Ironx86.SYS
0xF77C7000 \SystemRoot\system32\drivers\NIS\1108000.005\SRTSPX.SYS
0xF2AE5000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xF7BB1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7DD3000 \SystemRoot\System32\Drivers\Null.SYS
0xF7BB3000 \SystemRoot\System32\Drivers\Beep.SYS
0xF56BF000 \SystemRoot\System32\drivers\vga.sys
0xF7BB5000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7BB7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF56C7000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF56B7000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6068000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF2A9E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF2A45000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF29EE000 \SystemRoot\System32\Drivers\NIS\1108000.005\SYMTDI.SYS
0xF29C8000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7907000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7757000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF294B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF2929000 \SystemRoot\System32\drivers\afd.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF28FE000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF7CE4000 \SystemRoot\System32\Drivers\PQNTDrv.SYS
0xF288E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7867000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7967000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xF2830000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xF2813000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xF2794000 \SystemRoot\system32\drivers\NIS\1108000.005\ccHPx86.sys
0xF26E8000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100901.003\BHDrvx86.sys
0xF2D0C000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF26D0000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7C33000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF740E000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7A57000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7CB6000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB9C24000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB99D3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7C37000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB988C000 \SystemRoot\system32\DRIVERS\srv.sys
0xB92B7000 \SystemRoot\system32\drivers\wdmaud.sys
0xB9BF8000 \SystemRoot\system32\drivers\sysaudio.sys
0xB8D32000 \SystemRoot\System32\Drivers\HTTP.sys
0xB8C44000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xB67D3000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF5697000 \??\C:\DOCUME~1\lcdig\LOCALS~1\Temp\catchme.sys
0xF7C0B000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF79BF000 \??\C:\DOCUME~1\lcdig\LOCALS~1\Temp\mbr.sys
0xAEA1D000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100930.005\IDSxpx86.sys
0xAE8CF000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20101001.002\NAVEX15.SYS
0xAE8BB000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20101001.002\NAVENG.SYS
0xADF23000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 44):
0 System Idle Process
4 System
656 C:\WINDOWS\system32\smss.exe
724 csrss.exe
756 C:\WINDOWS\system32\winlogon.exe
800 C:\WINDOWS\system32\services.exe
816 C:\WINDOWS\system32\lsass.exe
992 C:\WINDOWS\system32\svchost.exe
1104 svchost.exe
1200 C:\WINDOWS\system32\svchost.exe
1324 svchost.exe
1448 svchost.exe
1580 C:\WINDOWS\system32\spoolsv.exe
1672 svchost.exe
1704 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1716 C:\Program Files\Bonjour\mDNSResponder.exe
1764 C:\Program Files\Java\jre6\bin\jqs.exe
1928 C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe
2044 C:\WINDOWS\system32\nvsvc32.exe
168 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
320 C:\WINDOWS\system32\svchost.exe
444 wdfmgr.exe
484 C:\Program Files\Viewpoint\Common\ViewpointService.exe
1924 alg.exe
2604 C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe
3620 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
3632 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
3952 C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
3960 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3976 C:\Program Files\iTunes\iTunesHelper.exe
948 C:\WINDOWS\system32\ctfmon.exe
1140 C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
804 C:\Program Files\AIM7\aim.exe
2116 C:\Program Files\iPod\bin\iPodService.exe
2320 C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
1180 C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
2416 C:\WINDOWS\explorer.exe
728 C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE
2552 C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
3180 C:\Program Files\Mozilla Firefox\firefox.exe
3116 C:\Program Files\Outlook Express\msimn.exe
2944 C:\Program Files\Mozilla Firefox\plugin-container.exe
2688 C:\Program Files\Mozilla Firefox\plugin-container.exe
3816 C:\Documents and Settings\lcdig\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000002`71167600 (NTFS)

PhysicalDrive1 Model Number: WDCWD2000JB-00EVA0, Rev: 15.05R15
PhysicalDrive2 Model Number: WDCWD3200SB-01KMA0, Rev: 08.05J08
PhysicalDrive0 Model Number: WDCWD2500JB-00EVA0, Rev: 15.05R15

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive2 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Excellent.

ESET Online Scan

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic

drat. an hour into the scan, my computer shut itself off.
must start again...... argh!

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
Can not open internetESETSmartInstaller@High as downloader log:
Can not open internetesets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cf967ff653b59e44a5812ac923b9228a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-02 01:17:41
# local_time=2010-10-01 06:17:41 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777174 85 88 0 24632513 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=69847
# found=0
# cleaned=0
# scan_time=8177

And the fake icon is still there?

nope! it's gone. thanks so much.
do i have to uninstall or undo any of the programs used in this exercise?

Let's clean up.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:

• Cleaned System Restore
  
• Ran OTC
  
• Ran TFC
  
• Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.

OK!
I've got the Clean System Restore. All previous restores are removed.
I ran OTC and TFC. There were still many things on my desktop, so i moved them to the recycle bin and cleaned it out.
The Root Kit/Uninstaller was still on my Start>Programs list, but i couldn't find the actual exectuables, so i guess i must have deleted them.
Here's the detales from Security ChecK:
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
Norton Internet Security
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Rootkit Unhooker LE 3.8 SR 2
CCleaner
Java(TM) 6 Update 21
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.1.85.3
Adobe Reader 9.3.4
Mozilla Firefox (3.6.10) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


So, Am i good?
thanks again... really appreciate it.
b

Just update these, and keep yourself safe on the Internet.

Update Firefox

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > Check for Updates.


Update Java

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

I uninstalled/reinstalled the updated JAVA, but the Firefox tells me that i'm using the most up-to-date version. Both when I check for updates and when I visit the Mozilla site to verify what is current.

but the oddest thing has happened since all this cleaning etc. Now, when I click on a link inside my email client (Outlook Express) it opens in IE instead of Firefox. I've checked in both mail and browser options and i don't find a place where that has become instruction. Does this sound peculiar?

thanks as always
b

You probably set IE as Default.

Go in to Firefox, click Tools > Options.

Choose the Advanced Tab.

Under System Defaults, click the Check Now button and confirm prompts.

gEniuS!!!
thanks so much
i'll kick down another donation soon.