Welcome to MalwareRemoval.com
Rootkit Malware infection, cant remove 2 files

Post by jjb218 » August 21st, 2010, 12:01 am

Hello, my netbook is infected, the browser stops working and I am not able to remove it.
I used CCleaner, then I used Malwarebytes and had the following:

Files Infected:
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.

The files always come back and I am not able to remove them.

Here is the HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:51:44 PM, on 8/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://es.ask.com?o=15446&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100818015711.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: Audio Service (STacSV) - Unknown owner - c:\windows\softwaredistribution\download\install\STacSV.exe (file missing)
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

--
End of file - 7128 bytes

And my uninstall list:

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
BitTornado 0.3.17
BitTorrent
BlackBerry Desktop Software 5.0.1
BlackBerry Desktop Software 5.0.1
BlackBerry Device Software Updater
Bluesoleil2.7.0.35 VoIP Release 080317
Broadcom 802.11 Wireless LAN Adapter
CCleaner
Compatibility Pack for the 2007 Office system
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Doc Viewer
HP Help and Support
HP Mobile Broadband Setup Utility
HP User Guides 0119
HP Wireless Assistant
IDT Audio
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 21
Malwarebytes' Anti-Malware
Marvell Miniport Driver
McAfee Internet Security
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Works
Mozilla Firefox (3.6.8)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
VLC media player 1.0.5
WIDCOMM Bluetooth Software
Windows Backup Utility
Windows Driver Package - SMSC LAN9500 USB 2.0 to Ethernet 10/100 Adapter x64 Driver (05/12/2008 1.52.0000.0000)
Windows Driver Package - SMSC LAN9500 USB 2.0 to Ethernet 10/100 Adapter x86 Driver (05/12/2008 1.52.0000.0000)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
WinRAR archiver


Thank you,
JJB218

Re: Rootkit Malware infection, cant remove 2 files

Post by MWR 3 day Mod » August 24th, 2010, 3:09 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: Rootkit Malware infection, cant remove 2 files

Post by deltalima » August 24th, 2010, 4:09 pm

Hi jjb218,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    BitTornado 0.3.17
    BitTorrent


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
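The service and driver lines that HijackThis (O23), OTL (SRV/DRV in Minimal Output) and Malwarebytes produce can be triaged mechanically before a helper reads them by hand. The script below is an added example written for this thread; it is not part of OTL, HijackThis, Malwarebytes or the forum's own tooling. It flags three things a practitioner looks for first in these logs: a registered service or driver whose image is missing from disk, a file under %SystemRoot% that carries no publisher at all in the log (the pattern the OTL log in this thread shows for ndis.sys, which is reason enough to compare the file against a known-good copy), and an image loaded from outside the usual system and program directories. The list of "expected" roots is an assumption for a 32-bit XP install, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage of service/driver lines from HijackThis (O23), OTL (SRV/DRV) and
Malwarebytes "Files Infected" output. Added example for this thread; the
sample lines below are copied from the logs posted in it."""
import re
from dataclasses import dataclass

HJT_PREFIX = "O23 - Service: "
OTL_HEAD = re.compile(r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\) -- (?P<rest>.+)$")
# Anchor the path/company split on the file extension so parentheses inside
# the company name (e.g. "Windows (R) Server 2003 DDK provider") stay with it.
OTL_TAIL = re.compile(r"^(?P<path>.+?\.[A-Za-z0-9]{2,4}) \((?P<company>.*)\)$")
MBAM_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$")
# Where service and driver images normally live on a 32-bit XP box (assumption).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    source: str     # "hjt", "otl" or "mbam"
    name: str
    path: str
    company: str    # "" when the log shows no publisher or "Unknown owner"
    missing: bool   # the log says the image is not on disk
    note: str = ""  # detection and action for Malwarebytes lines


def parse_line(line: str):
    """Return an Entry for a recognised log line, or None for anything else."""
    line = line.strip()
    if line.startswith(HJT_PREFIX):
        parts = line[len(HJT_PREFIX):].split(" - ", 2)
        if len(parts) != 3:
            return None
        display, company, path = parts
        missing = path.endswith(" (file missing)")
        if missing:
            path = path[: -len(" (file missing)")]
        return Entry("hjt", display, path, "" if company == "Unknown owner" else company, missing)
    m = OTL_HEAD.match(line)
    if m:
        rest = m["rest"]
        if rest.endswith(" File not found"):
            return Entry("otl", m["name"], rest[: -len(" File not found")], "", True)
        t = OTL_TAIL.match(rest)
        if t:
            return Entry("otl", m["name"], t["path"], t["company"], False)
        return None
    m = MBAM_FILE.match(line)
    if m:
        return Entry("mbam", m["path"].rsplit("\\", 1)[-1], m["path"], "", False,
                     f'{m["detection"]} -> {m["action"]}')
    return None


def triage(lines):
    """Return (path, reason) pairs for entries worth a second look."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        p = e.path.lower()
        if e.source == "mbam":
            findings.append((e.path, f"{e.name}: antimalware detection {e.note}"))
        elif e.missing:
            # Stale registration: a harmless leftover or a removed payload; tidy it up either way.
            findings.append((e.path, f"{e.name}: registered but image missing on disk"))
        elif not e.company and p.startswith("c:\\windows\\"):
            # A core Windows binary normally carries Microsoft version info; none at all
            # is a reason to compare the file against a known-good copy.
            findings.append((e.path, f"{e.name}: file under %SystemRoot% with no publisher"))
        elif not p.startswith(EXPECTED_ROOTS):
            findings.append((e.path, f"{e.name}: image loaded from an unusual location"))
    return findings


# Sample lines copied from the HijackThis, OTL and Malwarebytes output in this thread.
SAMPLE_LOG = r"""
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: Audio Service (STacSV) - Unknown owner - c:\windows\softwaredistribution\download\install\STacSV.exe (file missing)
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
DRV - (NDIS) -- C:\WINDOWS\System32\drivers\ndis.sys ()
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (UCORESYS) -- c:\SwSetup\SP48673\UCORESYS.SYS ()
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason}\n    {path}")
```

Run it against a saved OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace"))`; HijackThis and Malwarebytes output can simply be appended to the same file, since each line shape is recognised independently. The output is a worklist, not a verdict: a McAfee component with a blank company field, for instance, is routine, while a blank field on ndis.sys is not.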

Re: Rootkit Malware infection, cant remove 2 files

Post by jjb218 » August 25th, 2010, 3:34 pm

Hello, I am having a bad time running GMER. If I run it in normal mode, as soon as I press Copy and try to paste into Notepad the computer's CPU usage goes to 100% and I can't save the file. Running GMER in safe mode works, but since I have a netbook (HP Mini), I can't get to the Copy button! What can I do now?

Here are the OTL files:

OTL.EXE

OTL logfile created on: 8/24/2010 10:21:22 PM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\JJB\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.26 Gb Total Space | 1.25 Gb Free Space | 8.20% Space Free | Partition Type: NTFS
Drive D: | 1.87 Gb Total Space | 0.80 Gb Free Space | 42.82% Space Free | Partition Type: FAT32
Drive E: | 3.77 Gb Total Space | 2.24 Gb Free Space | 59.38% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JJBNET
Current User Name: JJB
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\JJB\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\JJB\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (STacSV) -- c:\windows\softwaredistribution\download\install\STacSV.exe File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (mfevtp) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (WPFFontCache_v0400) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (McProxy) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)


========== Driver Services (SafeList) ==========

DRV - (VcommMgr) -- C:\WINDOWS\System32\Drivers\VcommMgr.sys File not found
DRV - (VComm) -- C:\WINDOWS\System32\DRIVERS\VComm.sys File not found
DRV - (BTHidMgr) -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys File not found
DRV - (BTHidEnum) -- C:\WINDOWS\System32\Drivers\vbtenum.sys File not found
DRV - (Btcsrusb) -- C:\WINDOWS\System32\Drivers\btcusb.sys File not found
DRV - (BT) -- C:\WINDOWS\System32\DRIVERS\btnetdrv.sys File not found
DRV - (BlueletSCOAudio) -- C:\WINDOWS\System32\DRIVERS\BlueletSCOAudio.sys File not found
DRV - (BlueletAudio) -- C:\WINDOWS\System32\DRIVERS\blueletaudio.sys File not found
DRV - (NDIS) -- C:\WINDOWS\System32\drivers\ndis.sys ()
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\system32\drivers\cfwids.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (tap0901) -- C:\WINDOWS\system32\drivers\tap0901.sys (The OpenVPN Project)
DRV - (qrkis) -- C:\WINDOWS\system32\drivers\qrkis.sys (Tether)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (AESTAud) -- C:\WINDOWS\system32\drivers\AESTAud.sys (Andrea Electronics Corporation)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (UCORESYS) -- c:\SwSetup\SP48673\UCORESYS.SYS ()
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys ()
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (btwhid) -- C:\WINDOWS\system32\drivers\btwhid.sys (Broadcom Corporation.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.)
DRV - (n558) -- C:\WINDOWS\system32\drivers\n558.sys ()
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1730884151-1940640535-2478076271-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.Yahoo.com
IE - HKU\S-1-5-21-1730884151-1940640535-2478076271-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://es.ask.com?o=15446&l=dis
IE - HKU\S-1-5-21-1730884151-1940640535-2478076271-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.msn.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: TechnicianConsole@logmeinrescue.com:6.2.0.743

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/21 09:26:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/23 11:25:50 | 000,000,000 | ---D | M]

[2010/01/11 03:31:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JJB\Application Data\Mozilla\Extensions
[2010/08/24 09:40:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JJB\Application Data\Mozilla\Firefox\Profiles\niqv2npk.default\extensions
[2010/08/13 22:21:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\JJB\Application Data\Mozilla\Firefox\Profiles\niqv2npk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/18 00:32:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JJB\Application Data\Mozilla\Firefox\Profiles\niqv2npk.default\extensions\TechnicianConsole@logmeinrescue.com
[2010/08/13 22:21:24 | 000,002,424 | ---- | M] () -- C:\Documents and Settings\JJB\Application Data\Mozilla\Firefox\Profiles\niqv2npk.default\searchplugins\askcom.xml
[2010/08/24 22:06:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/06 11:52:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/07 12:30:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/05/31 20:32:58 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

Hosts file not found
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20100818015711.dll (McAfee, Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKU\S-1-5-21-1730884151-1940640535-2478076271-1006\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O3 - HKU\S-1-5-21-1730884151-1940640535-2478076271-1006\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [IDTSysTrayApp] C:\WINDOWS\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1730884151-1940640535-2478076271-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\JJB\ctfmon.exe) - C:\Documents and Settings\JJB\ctfmon.exe File not found
O20 - HKU\S-1-5-21-1730884151-1940640535-2478076271-1006 Winlogon: Shell - (硅汰牯牥攮數18) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Tempest.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Tempest.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/21 21:01:32 | 000,000,053 | -H-- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/04/20 08:41:56 | 000,000,268 | -H-- | M] () - D:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{1f0004bd-aaee-11df-b2b7-001167d1a837}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1f0004bd-aaee-11df-b2b7-001167d1a837}\Shell\AutoRun\command - "" = pera\\komunalac.exe
O33 - MountPoints2\{1f0004bd-aaee-11df-b2b7-001167d1a837}\Shell\explore\command - "" = pera\\\komunalac.exe
O33 - MountPoints2\{1f0004bd-aaee-11df-b2b7-001167d1a837}\Shell\open\command - "" = pera\\\komunalac.exe
O33 - MountPoints2\{477d524a-2df9-11df-b277-00234d6f24b2}\Shell\AutoRun\command - "" = winlog.exe
O33 - MountPoints2\{508b6770-5fca-11df-b293-001167d1a837}\Shell\AutoRun\command - "" = E:\svchost.exe -- File not found
O33 - MountPoints2\{7834821d-4ea1-11df-b290-00030d000001}\Shell\AutoRun\command - "" = E:\svchost.exe -- File not found
O33 - MountPoints2\{7d2a4300-60ab-11df-b294-001167d1a837}\Shell\AutoRun\command - "" = E:\svchost.exe -- File not found
O33 - MountPoints2\{819bd7de-2549-11df-b272-00234d6f24b2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{819bd7de-2549-11df-b272-00234d6f24b2}\Shell\AutoRun\command - "" = E:\pera\komunalac.exe -- File not found
O33 - MountPoints2\{819bd7de-2549-11df-b272-00234d6f24b2}\Shell\explore\command - "" = E:\pera\\komunalac.exe -- File not found
O33 - MountPoints2\{819bd7de-2549-11df-b272-00234d6f24b2}\Shell\open\command - "" = E:\pera\\komunalac.exe -- File not found
O33 - MountPoints2\{961fcf0d-ce3d-11de-b233-00234d6f24b2}\Shell\AutoRun\command - "" = G:\svchost.exe -- File not found
O33 - MountPoints2\{b3839dae-fccc-11de-b24e-002264668654}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b3839dae-fccc-11de-b24e-002264668654}\Shell\AutoRun\command - "" = pera\\komunalac.exe
O33 - MountPoints2\{b3839dae-fccc-11de-b24e-002264668654}\Shell\explore\command - "" = pera\\\komunalac.exe
O33 - MountPoints2\{b3839dae-fccc-11de-b24e-002264668654}\Shell\open\command - "" = pera\\\komunalac.exe
O33 - MountPoints2\{df4e217e-ac31-11df-b2ba-001167d1a837}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{df4e217e-ac31-11df-b2ba-001167d1a837}\Shell\AutoRun\command - "" = pera\\komunalac.exe
O33 - MountPoints2\{df4e217e-ac31-11df-b2ba-001167d1a837}\Shell\explore\command - "" = pera\\\komunalac.exe
O33 - MountPoints2\{df4e217e-ac31-11df-b2ba-001167d1a837}\Shell\open\command - "" = pera\\\komunalac.exe
O33 - MountPoints2\{e11446ce-c748-11de-b225-00234d6f24b2}\Shell\AutoRun\command - "" = E:\winlog.exe -- [2010/05/04 17:26:00 | 000,233,472 | -H-- | M] (McAfee, Inc.)
O33 - MountPoints2\{e11446d2-c748-11de-b225-00234d6f24b2}\Shell\AutoRun\command - "" = G:\winlog.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: cmmohost - (C:\WINDOWS\system32\ckcnclip.dll) - C:\WINDOWS\System32\ckcnclip.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/24 22:17:54 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JJB\Desktop\OTL.exe
[2010/08/24 01:01:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JJB\Application Data\skypePM
[2010/08/24 01:00:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JJB\Application Data\Skype
[2010/08/24 00:56:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/08/24 00:56:39 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/08/24 00:56:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/08/23 15:01:30 | 000,151,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irftp.exe
[2010/08/23 15:01:29 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wshirda.dll
[2010/08/22 12:21:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JJB\Desktop\778b_xp
[2010/08/21 17:26:07 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/08/21 17:13:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\WindowsPowerShell
[2010/08/21 17:13:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm
[2010/08/21 17:13:09 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$
[2010/08/20 23:42:28 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/08/18 15:21:18 | 002,550,640 | ---- | C] (BitTorrent, Inc.) -- C:\Documents and Settings\JJB\My Documents\BitTorrent-7.0.exe
[2010/08/18 07:11:12 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\JJB\Recent
[2010/08/18 06:37:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/08/18 06:37:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/18 01:57:07 | 000,009,344 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/08/18 01:56:45 | 000,082,952 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/08/18 01:56:44 | 000,312,616 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/08/18 01:56:44 | 000,152,320 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/08/18 01:56:44 | 000,088,480 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/08/18 01:56:44 | 000,083,496 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/08/18 01:56:44 | 000,055,456 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/08/18 01:56:44 | 000,051,688 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/08/18 01:56:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Mcafee
[2010/08/18 01:56:21 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/08/18 01:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/08/18 00:33:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JJB\Application Data\LogMeIn Rescue
[2010/08/18 00:32:41 | 000,000,000 | ---D | C] -- C:\Program Files\LogMeIn Rescue
[2010/08/17 12:01:52 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/08/17 11:57:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JJB\Application Data\Malwarebytes
[2010/08/17 11:35:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/17 11:35:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/17 11:35:32 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/17 11:35:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/17 10:40:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/08/14 15:22:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JJB\Local Settings\Application Data\OverPlay.net_LLP
[2010/08/14 15:21:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JJB\Local Settings\Application Data\Deployment
[2010/08/07 12:39:26 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/08/07 12:30:28 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/07 12:30:24 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/07 12:30:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/07 12:30:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/07 12:26:38 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/24 22:16:12 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Internet Security.lnk
[2010/08/24 22:15:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/24 22:15:41 | 2138,361,856 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/24 22:14:54 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\JJB\NTUSER.DAT
[2010/08/24 22:14:54 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\JJB\ntuser.ini
[2010/08/24 22:13:28 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\5id7snvi.exe
[2010/08/24 22:12:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JJB\Desktop\OTL.exe
[2010/08/24 01:01:49 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/08/24 00:57:17 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/08/23 15:03:00 | 000,600,638 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/23 15:03:00 | 000,502,612 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/23 15:03:00 | 000,086,530 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/23 11:53:54 | 026,669,333 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\c01549371.pdf
[2010/08/23 11:31:46 | 000,412,398 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\FAXMANUAL.pdf
[2010/08/23 11:23:58 | 001,923,823 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\MANUALFAXHP.pdf
[2010/08/23 10:51:16 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/08/22 11:57:17 | 000,000,411 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\Shortcut to JavaLoader.lnk
[2010/08/21 21:19:40 | 000,045,568 | ---- | M] () -- C:\Documents and Settings\JJB\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/21 18:54:48 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/21 17:12:49 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/20 23:44:03 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\HiJackThis.lnk
[2010/08/20 21:14:53 | 005,887,032 | -H-- | M] () -- C:\Documents and Settings\JJB\Local Settings\Application Data\IconCache.db
[2010/08/20 12:34:03 | 000,049,510 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\Luhn.pdf
[2010/08/19 17:39:22 | 000,174,219 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00222-20100819-1839.jpg
[2010/08/19 17:34:18 | 000,229,445 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00221-20100819-1834.jpg
[2010/08/19 17:34:06 | 000,179,607 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00220-20100819-1834.jpg
[2010/08/19 17:33:52 | 000,207,717 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00219-20100819-1833.jpg
[2010/08/19 15:06:48 | 000,729,319 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00218-20100819-1606.jpg
[2010/08/19 15:06:34 | 000,750,499 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00217-20100819-1606.jpg
[2010/08/19 15:06:20 | 000,400,986 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\StandbymeBrothers.jpg
[2010/08/19 15:05:32 | 000,600,088 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00215-20100819-1605.jpg
[2010/08/19 14:17:32 | 000,291,935 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00214-20100819-1517.jpg
[2010/08/19 14:17:24 | 000,356,367 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00213-20100819-1517.jpg
[2010/08/19 14:17:12 | 000,460,825 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\IMG00212-20100819-1517.jpg
[2010/08/18 19:24:53 | 000,084,907 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\Antivirus.JPG
[2010/08/18 15:21:18 | 002,550,640 | ---- | M] (BitTorrent, Inc.) -- C:\Documents and Settings\JJB\My Documents\BitTorrent-7.0.exe
[2010/08/18 01:17:24 | 000,225,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/17 23:37:45 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/08/17 23:37:44 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/17 23:37:44 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/17 12:16:36 | 000,210,816 | ---- | M] () -- C:\WINDOWS\System32\drivers\ndis.sys
[2010/08/17 12:16:36 | 000,210,816 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[2010/08/17 12:06:19 | 000,058,576 | ---- | M] () -- C:\Documents and Settings\JJB\My Documents\REGISTRYBACKUPcc_20100817_120557.reg
[2010/08/17 12:01:55 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\JJB\Desktop\CCleaner.lnk
[2010/08/17 11:57:52 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/27 02:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/24 22:17:54 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\5id7snvi.exe
[2010/08/24 01:01:49 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/08/24 00:57:17 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/08/23 11:52:00 | 026,669,333 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\c01549371.pdf
[2010/08/23 11:31:46 | 000,412,398 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\FAXMANUAL.pdf
[2010/08/23 11:23:58 | 001,923,823 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\MANUALFAXHP.pdf
[2010/08/22 11:57:17 | 000,000,411 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\Shortcut to JavaLoader.lnk
[2010/08/22 11:57:00 | 000,094,208 | ---- | C] () -- C:\JavaLoader.exe
[2010/08/21 17:12:37 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/08/21 11:01:08 | 000,750,499 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00217-20100819-1606.jpg
[2010/08/21 11:01:08 | 000,729,319 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00218-20100819-1606.jpg
[2010/08/21 11:01:08 | 000,600,088 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00215-20100819-1605.jpg
[2010/08/21 11:01:08 | 000,460,825 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00212-20100819-1517.jpg
[2010/08/21 11:01:08 | 000,400,986 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\StandbymeBrothers.jpg
[2010/08/21 11:01:08 | 000,356,367 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00213-20100819-1517.jpg
[2010/08/21 11:01:08 | 000,291,935 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00214-20100819-1517.jpg
[2010/08/21 11:01:08 | 000,229,445 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00221-20100819-1834.jpg
[2010/08/21 11:01:08 | 000,207,717 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00219-20100819-1833.jpg
[2010/08/21 11:01:08 | 000,179,607 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00220-20100819-1834.jpg
[2010/08/21 11:01:08 | 000,174,219 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\IMG00222-20100819-1839.jpg
[2010/08/20 23:42:28 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\HiJackThis.lnk
[2010/08/20 12:34:03 | 000,049,510 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\Luhn.pdf
[2010/08/18 19:24:53 | 000,084,907 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\Antivirus.JPG
[2010/08/18 02:00:40 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Internet Security.lnk
[2010/08/17 12:16:36 | 000,210,816 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[2010/08/17 12:13:06 | 2138,361,856 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/17 12:06:14 | 000,058,576 | ---- | C] () -- C:\Documents and Settings\JJB\My Documents\REGISTRYBACKUPcc_20100817_120557.reg
[2010/08/17 12:01:55 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\JJB\Desktop\CCleaner.lnk
[2010/08/17 11:35:45 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/30 14:09:07 | 000,000,164 | ---- | C] () -- C:\Documents and Settings\JJB\Application Data\wklnhst.dat
[2009/11/02 23:51:05 | 000,045,568 | ---- | C] () -- C:\Documents and Settings\JJB\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/06 00:54:55 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/10/06 00:42:50 | 000,156,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\btwdndis.sys
[2008/10/06 00:40:35 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/07/30 13:55:02 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/06/24 13:48:20 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/04/15 00:00:00 | 000,210,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\ndis.sys
[2007/09/27 14:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 14:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 14:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/15 07:27:18 | 000,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\n558.sys
[2005/02/17 15:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 15:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 16:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
< End of report >


Here is Extras.txt:

OTL Extras logfile created on: 8/24/2010 10:21:22 PM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\JJB\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.26 Gb Total Space | 1.25 Gb Free Space | 8.20% Space Free | Partition Type: NTFS
Drive D: | 1.87 Gb Total Space | 0.80 Gb Free Space | 42.82% Space Free | Partition Type: FAT32
Drive E: | 3.77 Gb Total Space | 2.24 Gb Free Space | 59.38% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JJBNET
Current User Name: JJB
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1730884151-1940640535-2478076271-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- File not found
"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 21
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F2AF17E-94F0-4F22-943D-216CE46AC502}" = HP Mobile Broadband Setup Utility
"{588ADEB6-4967-4730-9F0B-50A1728F6019}" = BlackBerry Device Software v5.0.0 for the BlackBerry 8520 smartphone
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{66D0F2C8-0164-4BC8-BF92-AD9109838FB2}" = HP User Guides 0119
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{F574616C-4C15-49CE-9C98-E998CD80264A}" = BlackBerry Device Software Updater
"553D07C7937AEF19AECBF1E27F5709BCDA84B2C7" = Windows Driver Package - SMSC LAN9500 USB 2.0 to Ethernet 10/100 Adapter x86 Driver (05/12/2008 1.52.0000.0000)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"B7BEAA1057EE33043F87079C40B92DE3EAEBDEEF" = Windows Driver Package - SMSC LAN9500 USB 2.0 to Ethernet 10/100 Adapter x64 Driver (05/12/2008 1.52.0000.0000)
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"Broadcom 802.11 Wireless LAN Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSC" = McAfee Internet Security
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.0.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1730884151-1940640535-2478076271-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/4/2010 12:00:54 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: Not enough storage is available to process this command.

Error - 4/4/2010 12:00:54 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/4/2010 12:00:54 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/4/2010 12:00:54 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/4/2010 12:00:56 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/4/2010 12:00:56 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/4/2010 12:00:57 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: Not enough storage is available to process this command.

Error - 4/4/2010 12:00:57 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/4/2010 12:00:57 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: Not enough storage is available to process this command.

Error - 4/4/2010 12:00:57 PM | Computer Name = JJBNET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 8/24/2010 9:37:44 AM | Computer Name = JJBNET | Source = Service Control Manager | ID = 7000
Description = The Audio Service service failed to start due to the following error:
%%3

Error - 8/24/2010 9:37:44 AM | Computer Name = JJBNET | Source = Service Control Manager | ID = 7001
Description = The Windows Search service depends on the Terminal Services service
which failed to start because of the following error: %%1058

Error - 8/24/2010 9:37:51 AM | Computer Name = JJBNET | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 8/24/2010 9:40:37 AM | Computer Name = JJBNET | Source = DCOM | ID = 10010
Description = The server {E0EC0F2B-773D-4DD7-BE6C-7D85D6AA6269} did not register
with DCOM within the required timeout.

Error - 8/24/2010 10:04:02 PM | Computer Name = JJBNET | Source = Service Control Manager | ID = 7000
Description = The Audio Service service failed to start due to the following error:
%%3

Error - 8/24/2010 10:04:02 PM | Computer Name = JJBNET | Source = Service Control Manager | ID = 7001
Description = The Windows Search service depends on the Terminal Services service
which failed to start because of the following error: %%1058

Error - 8/24/2010 10:04:06 PM | Computer Name = JJBNET | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 8/24/2010 10:16:06 PM | Computer Name = JJBNET | Source = Service Control Manager | ID = 7000
Description = The Audio Service service failed to start due to the following error:
%%3

Error - 8/24/2010 10:16:06 PM | Computer Name = JJBNET | Source = Service Control Manager | ID = 7001
Description = The Windows Search service depends on the Terminal Services service
which failed to start because of the following error: %%1058

Error - 8/24/2010 10:16:10 PM | Computer Name = JJBNET | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep


< End of report >


What can I do now to run GMER and save the file?

Thanks

JJB218
jjb218
Active Member
 
Posts: 9
Joined: August 20th, 2010, 11:33 pm

Re: Rootkit Malware infection, cant remove 2 files

Unread postby deltalima » August 25th, 2010, 3:44 pm

Hi jjb218,

Having a bad time running GMER.


Please run this alternative scan –

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers, Stealth, Files and Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Rootkit Malware infection, cant remove 2 files

Unread postby jjb218 » August 25th, 2010, 4:03 pm

Worked perfectly!!

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB97D1000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5857280 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xB9502000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 2699264 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xBF1E7000 C:\WINDOWS\System32\igxpdx32.DLL 2699264 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF04F000 C:\WINDOWS\System32\igxpdv32.DLL 1671168 bytes (Intel Corporation, Component GHAL Driver)
0xA8FB0000 C:\WINDOWS\system32\drivers\sthda.sys 1576960 bytes (IDT, Inc., IDT PC Audio)
0xB9345000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 987136 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xB9DFD000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA8CD6000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB91F1000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB9EB4000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0xA8E1C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA8770000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xB929A000 C:\WINDOWS\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0xB94BB000 C:\WINDOWS\system32\DRIVERS\yk51x86.sys 290816 bytes (Marvell, Miniport Driver for Marvell Yukon Ethernet Controller.)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA7F46000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB945E000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 233472 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA88B7000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x8A52F000 NDIS.sys 182656 bytes
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xA7B85000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA8D46000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9795000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA8D93000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA8DBB000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA890C000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB92E5000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xA8F64000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9497000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB924F000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA8D71000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9F11000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xA8CB8000 C:\WINDOWS\System32\Drivers\usbvideo.sys 122880 bytes (Microsoft Corporation, USB Video Class Driver)
0xA8EA8000 C:\WINDOWS\system32\drivers\AESTAud.sys 114688 bytes (Andrea Electronics Corporation, Andrea Audio Driver)
0xB9DAF000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA8CA0000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9E9D000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB931A000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA866B000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9331000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xB97BD000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA8E75000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xA8DE1000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xB9E8A000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9309000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA1E8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xA882F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA158000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA168000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xA81AB000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0xBA188000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA258000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA178000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1B8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA198000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA228000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA802F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA218000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\btport.sys 32768 bytes (Broadcom Corporation., Bluetooth BTPORT Driver for Windows 2000)
0xBA3A0000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA468000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA498000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA370000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0xBA4A8000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA380000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA388000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA368000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA448000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA458000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA358000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA560000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB9D7B000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA8B3C000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB9452000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9442000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xBA574000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB943A000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA568000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA5E6000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5CA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5AC000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5CE000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5D2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5B6000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xBA5C0000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5B2000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA749000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6F8000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7A0000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\btwdndis.sys]
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\ndis.sys]
==============================================
>Hooks
==============================================
ndis.sys+0x0000040F, Type: Inline - RelativeJump 0x8A52F40F-->8A52F48A [NDIS.sys]
ndis.sys+0x0000055E, Type: Inline - RelativeJump 0x8A52F55E-->8A52F57B [NDIS.sys]
ndis.sys+0x0000056F, Type: Inline - PushRet 0x8A52F56F-->90900008 [unknown_code_page]
ndis.sys+0x0000073C, Type: Inline - RelativeJump 0x8A52F73C-->8A52F752 [NDIS.sys]
ndis.sys+0x00000866, Type: Inline - RelativeJump 0x8A52F866-->8A52FC89 [NDIS.sys]
ndis.sys+0x0000086F, Type: Inline - PushRet 0x8A52F86F-->90900004 [unknown_code_page]
ndis.sys+0x00000917, Type: Inline - RelativeJump 0x8A52F917-->8A52F925 [NDIS.sys]
ndis.sys+0x00000A15, Type: Inline - RelativeJump 0x8A52FA15-->8A52FA4D [NDIS.sys]
ndis.sys+0x00000A4C, Type: Inline - RelativeJump 0x8A52FA4C-->8A52FA66 [NDIS.sys]
ndis.sys+0x00000AB8, Type: Inline - DirectCall 0x8A52FAB8-->8A534CAC [NDIS.sys]
ndis.sys+0x00000AE2, Type: Inline - RelativeJump 0x8A52FAE2-->8A52FB82 [NDIS.sys]
ndis.sys+0x00000B9E, Type: Inline - RelativeJump 0x8A52FB9E-->8A52FBBC [NDIS.sys]
ndis.sys+0x00000DB5, Type: Inline - RelativeJump 0x8A52FDB5-->8A530186 [NDIS.sys]
ndis.sys+0x00000E14, Type: Inline - DirectCall 0x8A52FE14-->FFFFFFFF [unknown_code_page]
ndis.sys+0x00000E1A, Type: Inline - PushRet 0x8A52FE1A-->8BD7FF30 [unknown_code_page]
ndis.sys+0x00000E1B, Type: Inline - RelativeCall 0x8A52FE1B-->8A52FD3A [NDIS.sys]
ndis.sys+0x00000E20, Type: Inline - RelativeCall 0x8A52FE20-->8A548A09 [NDIS.sys]
ndis.sys+0x000014C1, Type: Inline - RelativeJump 0x8A5304C1-->8A531C9B [NDIS.sys]
ndis.sys+0x00001C6A, Type: Inline - RelativeJump 0x8A530C6A-->8A530CA2 [NDIS.sys]
ndis.sys+0x00002131, Type: Inline - RelativeCall 0x8A531131-->8A54955F [NDIS.sys]
ndis.sys+0x000025A3, Type: Inline - PushRet 0x8A5315A3-->F8A10008 [unknown_code_page]
ndis.sys+0x000032B9, Type: Inline - RelativeJump 0x8A5322B9-->8A5322E0 [NDIS.sys]
ndis.sys+0x00003D1E, Type: Inline - RelativeJump 0x8A532D1E-->8A532D70 [NDIS.sys]
ndis.sys+0x00005A35, Type: Inline - RelativeJump 0x8A534A35-->8A534A6B [NDIS.sys]
ndis.sys+0x000075F1, Type: Inline - RelativeJump 0x8A5365F1-->8A536602 [NDIS.sys]
ndis.sys+0x00008658, Type: Inline - RelativeJump 0x8A537658-->8A53769F [NDIS.sys]
ndis.sys+0x0000AE51, Type: Inline - RelativeJump 0x8A539E51-->8A53B610 [NDIS.sys]
ndis.sys+0x0000C27D, Type: Inline - RelativeJump 0x8A53B27D-->8A53B32C [NDIS.sys]
ndis.sys+0x0000C283, Type: Inline - RelativeJump 0x8A53B283-->8A53B32C [NDIS.sys]
ndis.sys+0x0000C28F, Type: Inline - RelativeJump 0x8A53B28F-->8A53B32C [NDIS.sys]
ndis.sys+0x0000C96D, Type: Inline - RelativeJump 0x8A53B96D-->8A53B981 [NDIS.sys]
ndis.sys+0x0000E7FC, Type: Inline - RelativeJump 0x8A53D7FC-->8A53D86E [NDIS.sys]
ndis.sys+0x000123A1, Type: Inline - RelativeCall 0x8A5413A1-->8A54081E [NDIS.sys]
ndis.sys+0x00013FBE, Type: Inline - RelativeJump 0x8A542FBE-->8A5431F6 [NDIS.sys]
ndis.sys+0x00014F54, Type: Inline - RelativeJump 0x8A543F54-->8A543F70 [NDIS.sys]
ndis.sys+0x000155F1, Type: Inline - RelativeJump 0x8A5445F1-->8A544687 [NDIS.sys]
ndis.sys+0x0001576D, Type: Inline - RelativeJump 0x8A54476D-->8A54477D [NDIS.sys]
ndis.sys+0x00016F63, Type: Inline - RelativeJump 0x8A545F63-->8A545F96 [NDIS.sys]
ndis.sys+0x00018A96, Type: Inline - PushRet 0x8A547A96-->9090000C [unknown_code_page]
ndis.sys+0x0001935B, Type: Inline - RelativeCall 0x8A54835B-->8A548089 [NDIS.sys]
ndis.sys+0x00019362, Type: Inline - RelativeJump 0x8A548362-->8A548307 [NDIS.sys]
ndis.sys+0x0001B215, Type: Inline - RelativeJump 0x8A54A215-->8A54A213 [NDIS.sys]
ndis.sys+0x0001E325, Type: Inline - RelativeJump 0x8A54D325-->8A54D340 [NDIS.sys]
ndis.sys+0x00022C25, Type: Inline - RelativeJump 0x8A551C25-->8A551C4A [NDIS.sys]
ndis.sys+0x000269C5, Type: Inline - RelativeJump 0x8A5559C5-->8A555A43 [NDIS.sys]
ndis.sys+0x00026F01, Type: Inline - RelativeJump 0x8A555F01-->8A555F4B [NDIS.sys]
ndis.sys+0x00026FE1, Type: Inline - RelativeJump 0x8A555FE1-->8A556050 [NDIS.sys]
ndis.sys+0x000270FD, Type: Inline - RelativeJump 0x8A5560FD-->8A556177 [NDIS.sys]
ndis.sys+0x00027111, Type: Inline - RelativeJump 0x8A556111-->8A55616F [NDIS.sys]
ndis.sys+0x0002714D, Type: Inline - RelativeJump 0x8A55614D-->8A5561B4 [NDIS.sys]
ndis.sys+0x0002715D, Type: Inline - RelativeJump 0x8A55615D-->8A5561D3 [NDIS.sys]
ndis.sys+0x0002716D, Type: Inline - RelativeJump 0x8A55616D-->8A556178 [NDIS.sys]
ndis.sys+0x0002717D, Type: Inline - RelativeJump 0x8A55617D-->8A5561EF [NDIS.sys]
ndis.sys+0x00027E99, Type: Inline - RelativeJump 0x8A556E99-->8A556F0E [NDIS.sys]
ndis.sys+0x0002F2CE, Type: Inline - RelativeCall 0x8A55E2CE-->8A5609E3 [unknown_code_page]
ndis.sys+0x0002F2D8, Type: Inline - PushRet 0x8A55E2D8-->CCCC0018 [unknown_code_page]
ndis.sys+0x0002F8CE, Type: Inline - RelativeCall 0x8A55E8CE-->8A55DD20 [unknown_code_page]
ndis.sys+0x0002FB83, Type: Inline - RelativeJump 0x8A55EB83-->8A55EB9C [unknown_code_page]
ndis.sys+0x0002FD5F, Type: Inline - RelativeCall 0x8A55ED5F-->8A55E8B0 [unknown_code_page]
ndis.sys+0x0002FDCF, Type: Inline - RelativeCall 0x8A55EDCF-->8A55EAB0 [unknown_code_page]
ndis.sys+0x0002FE5F, Type: Inline - RelativeJump 0x8A55EE5F-->8A55EEE1 [unknown_code_page]
ndis.sys+0x0002FE6E, Type: Inline - RelativeJump 0x8A55EE6E-->8A55EE7A [unknown_code_page]
ndis.sys+0x0002FF2F, Type: Inline - RelativeJump 0x8A55EF2F-->8A55EF6E [unknown_code_page]
ndis.sys+0x0002FF46, Type: Inline - RelativeJump 0x8A55EF46-->8A55EF6E [unknown_code_page]
ndis.sys+0x000300B7, Type: Inline - PushRet 0x8A55F0B7-->CCCC0004 [unknown_code_page]
ndis.sys+0x00030646, Type: Inline - RelativeJump 0x8A55F646-->8A55F650 [unknown_code_page]
ndis.sys+0x00030AC6, Type: Inline - RelativeJump 0x8A55FAC6-->8A55FB2D [unknown_code_page]
ndis.sys+0x00030ADA, Type: Inline - RelativeJump 0x8A55FADA-->8A55FAEA [unknown_code_page]
ndis.sys+0x00030B56, Type: Inline - RelativeJump 0x8A55FB56-->8A55FBCE [unknown_code_page]
ndis.sys+0x00030BA2, Type: Inline - RelativeCall 0x8A55FBA2-->8A55F6E0 [unknown_code_page]
ndis.sys+0x00030E52, Type: Inline - PushRet 0x8A55FE52-->CCCC0004 [unknown_code_page]
ndis.sys+0x00030F86, Type: Inline - RelativeCall 0x8A55FF86-->8A55EF00 [unknown_code_page]
ndis.sys+0x00030F8B, Type: Inline - RelativeJump 0x8A55FF8B-->8A55FF94 [unknown_code_page]
ndis.sys+0x000310A7, Type: Inline - RelativeCall 0x8A5600A7-->8A55F0C0 [unknown_code_page]
ndis.sys+0x000312B7, Type: Inline - RelativeJump 0x8A5602B7-->8A5602C2 [unknown_code_page]
ndis.sys+0x0003191B, Type: Inline - RelativeJump 0x8A56091B-->8A560958 [unknown_code_page]
ndis.sys+0x0003270F, Type: Inline - RelativeJump 0x8A56170F-->8A561777 [unknown_code_page]
ndis.sys+0x000327A2, Type: Inline - RelativeJump 0x8A5617A2-->8A561812 [unknown_code_page]
ndis.sys+0x000327DE, Type: Inline - RelativeJump 0x8A5617DE-->8A56182B [unknown_code_page]
ndis.sys+0x00032872, Type: Inline - RelativeJump 0x8A561872-->8A5618DA [unknown_code_page]
ndis.sys+0x00032882, Type: Inline - RelativeJump 0x8A561882-->8A5618FB [unknown_code_page]
ndis.sys+0x000328C3, Type: Inline - RelativeJump 0x8A5618C3-->8A56193C [unknown_code_page]
ndis.sys+0x000328D6, Type: Inline - RelativeJump 0x8A5618D6-->8A56195B [unknown_code_page]
ndis.sys+0x0003297E, Type: Inline - RelativeJump 0x8A56197E-->8A5619ED [unknown_code_page]
ndis.sys+0x0003298A, Type: Inline - RelativeJump 0x8A56198A-->8A5619E4 [unknown_code_page]
ndis.sys+0x00032992, Type: Inline - RelativeJump 0x8A561992-->8A561A0F [unknown_code_page]
ndis.sys+0x000329A2, Type: Inline - RelativeJump 0x8A5619A2-->8A561A18 [unknown_code_page]
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
ntkrnlpa.exe-->IofCallDriver, Type: Address change 0x80555780-->8A55D0E0 [unknown_code_page]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x805CB3FA-->B9EE6D78 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenThread, Type: Inline - RelativeJump 0x805CB686-->B9EE6D8C [mfehidk.sys]
[396]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[396]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[396]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[396]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[396]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[396]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[396]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[796]McSvHost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [McProxy.dll]
[796]McSvHost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [McProxy.dll]

POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
jjb218
Active Member
 
Posts: 9
Joined: August 20th, 2010, 11:33 pm
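The RKUnhooker hooks list above mixes harmless intra-module jumps and McAfee hooks with the entries that matter, the ones whose target lands in unknown_code_page (most notably the IofCallDriver address change). As an added example that is not part of the thread or of the RKUnhooker tool, here is a small Python triage parser for that report format; the sample lines are a constructed subset copied from the posted report, and the allow-list of benign hook owners (McAfee drivers and the Windows shim engine, all present in the posted logs) is an assumption for illustration. It also handles the user-mode [pid] and IAT lines, which the report above contains but the thread does not discuss.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of hook lines copied from the RKUnhooker
# report posted above, in the tool's ">Hooks" section format.
SAMPLE_HOOKS = """\
ndis.sys+0x0000040F, Type: Inline - RelativeJump 0x8A52F40F-->8A52F48A [NDIS.sys]
ndis.sys+0x0000056F, Type: Inline - PushRet 0x8A52F56F-->90900008 [unknown_code_page]
ndis.sys+0x0002F2CE, Type: Inline - RelativeCall 0x8A55E2CE-->8A5609E3 [unknown_code_page]
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
ntkrnlpa.exe-->IofCallDriver, Type: Address change 0x80555780-->8A55D0E0 [unknown_code_page]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x805CB3FA-->B9EE6D78 [mfehidk.sys]
[396]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[796]McSvHost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [McProxy.dll]
"""

HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?"                 # optional "[pid]" on user-mode hooks
    r"(?P<chain>[^,]+), Type: "               # hooked module+offset or export chain
    r"(?P<kind>.+?) "                         # "Inline - RelativeJump", "Address change", ...
    r"0x(?P<src>[0-9A-Fa-f]{8})-->(?P<dst>[0-9A-Fa-f]{8}) "
    r"\[(?P<owner>[^\]]+)\]$"                 # module the hook target was attributed to
)

# Assumed allow-list for this example only: modules that are expected to place
# hooks on the machine in the thread (McAfee drivers, Windows shim engine).
ASSUMED_BENIGN_OWNERS = {"mfehidk.sys", "mcproxy.dll", "shimeng.dll"}


@dataclass(frozen=True)
class Hook:
    pid: Optional[int]
    chain: str      # e.g. "ntkrnlpa.exe-->IofCallDriver"
    kind: str
    src: int
    dst: int
    owner: str

    @property
    def hooked_module(self) -> str:
        """Image whose code or table was modified (first element of the chain)."""
        return self.chain.split("-->")[0].split("+")[0].lower()

    @property
    def verdict(self) -> str:
        if self.owner == "unknown_code_page":
            return "unknown-owner"      # target is not inside any loaded module
        if self.owner.lower() == self.hooked_module:
            return "intra-module"       # jump stays inside the same image
        if self.owner.lower() in ASSUMED_BENIGN_OWNERS:
            return "known-owner"
        return "other-module"


def parse_hook_line(line: str) -> Optional[Hook]:
    """Return a Hook for a hooks-section line, or None for separators/headers."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(
        pid=int(m["pid"]) if m["pid"] else None,
        chain=m["chain"], kind=m["kind"],
        src=int(m["src"], 16), dst=int(m["dst"], 16),
        owner=m["owner"],
    )


def triage(report: str) -> dict:
    """Parse a hooks section and summarise what needs a human's attention."""
    hooks = [h for h in map(parse_hook_line, report.splitlines()) if h]
    counts = Counter(h.verdict for h in hooks)
    # A kernel export pointer (e.g. IofCallDriver) redirected into memory that
    # no loaded image accounts for is the strongest indicator in the list:
    # every driver I/O request on the box would pass through that code.
    critical = [h.chain for h in hooks
                if h.verdict == "unknown-owner" and h.kind == "Address change"]
    return {"total": len(hooks), "by_verdict": dict(counts), "critical": critical}


if __name__ == "__main__":
    print(triage(SAMPLE_HOOKS))
    for h in filter(None, map(parse_hook_line, SAMPLE_HOOKS.splitlines())):
        print(f"{h.verdict:14} {h.kind:24} {h.chain} -> {h.owner}")
```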

Re: Rootkit Malware infection, cant remove 2 files

Unread postby deltalima » August 25th, 2010, 4:14 pm

Hi jjb218,

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\Drivers\ntndis.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Please repeat this process with the file

C:\WINDOWS\system32\ipsecndis.sys


Post both results in your next reply.

MBRCheck

Please download MBRCheck.exe to your desktop.
  • Double-click on MBRCheck.exe to run it.
  • It will show a black screen with some information.
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found, just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Rootkit Malware infection, cant remove 2 files

Unread postby jjb218 » August 25th, 2010, 4:54 pm

Can't find those 2 files anymore. Were they deleted when I rebooted?


Here is the MBR text:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA5AC000 intelide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA4C4000 ACPIEC.sys
0xBA670000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9F11000 fltMgr.sys
0xB9EB4000 mfehidk.sys
0xB9E9D000 KSecDD.sys
0xB9E8A000 WudfPf.sys
0xB9DFD000 Ntfs.sys
0x8A563000 NDIS.sys
0xB9DAF000 Mup.sys
0xBA148000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB97D1000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB97BD000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9795000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9502000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB94BB000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xBA368000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9497000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA370000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA158000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA380000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB945E000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5B2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA388000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA560000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA568000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB9345000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xBA729000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB9331000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xBA5B6000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA3A0000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA168000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA574000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB931A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA178000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA188000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9309000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA198000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB92E5000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB929A000 \SystemRoot\system32\drivers\mfefirek.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5C0000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB924F000 \SystemRoot\system32\DRIVERS\ks.sys
0xB91F1000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D7B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA408000 \SystemRoot\system32\DRIVERS\btport.sys
0xBA1B8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA1D8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA8FB0000 \SystemRoot\system32\drivers\sthda.sys
0xA8F8C000 \SystemRoot\system32\drivers\portcls.sys
0xBA1E8000 \SystemRoot\system32\drivers\drmk.sys
0xA8ED0000 \SystemRoot\system32\drivers\AESTAud.sys
0xB9446000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA5CA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA77B000 \SystemRoot\System32\Drivers\Null.SYS
0xBA448000 \SystemRoot\System32\drivers\vga.sys
0xBA5CE000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5D2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA458000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA468000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB943E000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8E75000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8E1C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA8DE1000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xA8DBB000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA208000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA8D93000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8D71000 \SystemRoot\System32\drivers\afd.sys
0xBA218000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8D46000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8CD6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA248000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA4A0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA4B0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA8CB8000 \SystemRoot\System32\Drivers\usbvideo.sys
0xA8CA0000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5E2000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8EB4000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA360000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6C5000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA8B58000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA890C000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA88B7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA87DA000 \SystemRoot\system32\drivers\wdmaud.sys
0xA8EEC000 \SystemRoot\system32\drivers\sysaudio.sys
0xA8575000 \SystemRoot\system32\DRIVERS\srv.sys
0xA817D000 \SystemRoot\system32\drivers\cfwids.sys
0xA7F94000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 36):
0 System Idle Process
4 System
1204 C:\WINDOWS\system32\smss.exe
1288 csrss.exe
1312 C:\WINDOWS\system32\winlogon.exe
1356 C:\WINDOWS\system32\services.exe
1372 C:\WINDOWS\system32\lsass.exe
1532 C:\WINDOWS\system32\svchost.exe
1640 svchost.exe
1684 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
1740 C:\WINDOWS\system32\svchost.exe
1820 C:\WINDOWS\system32\svchost.exe
1928 svchost.exe
1960 svchost.exe
388 C:\WINDOWS\explorer.exe
496 C:\WINDOWS\system32\spoolsv.exe
588 svchost.exe
664 svchost.exe
780 C:\Program Files\Java\jre6\bin\jqs.exe
1712 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
1856 C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
1892 C:\WINDOWS\system32\svchost.exe
2000 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
456 C:\WINDOWS\system32\hkcmd.exe
2012 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
716 C:\WINDOWS\system32\igfxpers.exe
1548 C:\WINDOWS\sttray.exe
776 C:\WINDOWS\system32\igfxsrvc.exe
872 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
976 C:\Program Files\IDT\WDM\sttray.exe
1012 C:\Program Files\McAfee.com\Agent\mcagent.exe
1048 C:\WINDOWS\system32\rundll32.exe
1132 C:\WINDOWS\system32\wuauclt.exe
2508 alg.exe
3612 wmiprvse.exe
2348 C:\Documents and Settings\JJB\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SanDiskpSSD16GB, Rev: SSD 4.46

Size Device Name MBR Status
--------------------------------------------
15 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: BBF289AC40BA09F2CC1797655D4799D2AB148CB5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
jjb218
Active Member
Posts: 9
Joined: August 20th, 2010, 11:33 pm

Re: Rootkit Malware infection, cant remove 2 files

Unread postby deltalima » August 25th, 2010, 4:59 pm

Hi jjb218,

Can't find those 2 files anymore. Were they deleted when I rebooted?


To confirm, please run a quick scan with Malwarebytes and post the log in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Rootkit Malware infection, cant remove 2 files

Unread postby jjb218 » August 25th, 2010, 5:53 pm

MALWAREBYTES has detected both files again.

I tried looking for them but couldn't find either of them!

Here is the log file:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4465

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/25/2010 5:50:40 PM
mbam-log-2010-08-25 (17-50-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 176813
Time elapsed: 50 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> No action taken.
jjb218
Active Member
Posts: 9
Joined: August 20th, 2010, 11:33 pm

Re: Rootkit Malware infection, cant remove 2 files

Unread postby jjb218 » August 25th, 2010, 5:57 pm

Hello, what are these files doing to my computer?
Using my bandwidth and stealing my credit card and logins?
What precautions should I take until this issue is fixed?
Thanks
JJB218
jjb218
Active Member
Posts: 9
Joined: August 20th, 2010, 11:33 pm

Re: Rootkit Malware infection, cant remove 2 files

Unread postby deltalima » August 25th, 2010, 6:00 pm

Hi jjb218,

Please let me know what options you have to reinstall the netbook: do you have the option to boot from a recovery partition, or do you have a bootable CD or DVD?

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply and also let me know how your computer is running now.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Rootkit Malware infection, cant remove 2 files

Unread postby jjb218 » August 25th, 2010, 6:09 pm

Hello Deltalima, I could do a reinstall but don't have a CD or DVD drive or the Windows XP CD-ROM. Where could I download it for my HP Mini 1030? I could use my USB drive if possible, but I still don't know where I could get the files to install to this USB drive.

I will get Kaspersky installed and running and let you know.

Appreciate it, amigo.

TNX
JJB218
jjb218
Active Member
Posts: 9
Joined: August 20th, 2010, 11:33 pm

Re: Rootkit Malware infection, cant remove 2 files

Unread postby jjb218 » August 25th, 2010, 10:13 pm

Here is the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 25, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 25, 2010 16:59:29
Records in database: 4142741
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 46312
Threats found: 3
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 02:19:47


File name / Threat / Threats count
C:\autorun.inf Infected: Worm.MSIL.Autorun.bm 1
C:\Documents and Settings\JJB\Application Data\Microsoft\Run.exe Infected: Worm.MSIL.Autorun.bn 1
C:\ntldr.exe Infected: Worm.MSIL.Autorun.bn 1
D:\autorun.inf Infected: Worm.Win32.Carrier.fk 1
D:\ntldr.exe Infected: Worm.MSIL.Autorun.bn 1

Selected area has been scanned.
jjb218
Active Member
Posts: 9
Joined: August 20th, 2010, 11:33 pm

Re: Rootkit Malware infection, cant remove 2 files

Unread postby deltalima » August 26th, 2010, 4:16 am

Hi jjb218,

don't have a CD or DVD drive or the Windows XP CD-ROM. Where could I download it for my HP Mini 1030


You would need to contact HP or the supplier of the netbook. I have checked, and it would seem that the only way to restore this model is from an external disk.

The infection that you have is stored in the boot section of your hard disk. Failure of this "MBR" to do its job properly would result in a machine that could not boot up at all, so any changes to the MBR have to be done very carefully.

As you currently have no way of restoring the operating system if things go wrong, I could not recommend proceeding unless you fully understand that, if things go wrong, the computer would become unbootable and therefore unusable.

Please let me know what you would like to do.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
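Added example, not part of the thread above and not the code of MBRCheck or any other tool named in it: the MBRCheck log earlier in this thread reports "Unknown MBR code" with a SHA1 of the boot sector and resolves C: to "PhysicalDrive0 at offset 0x00000000`00007e00", and deltalima's reply explains that the infection lives in the MBR, where a bad edit leaves the machine unbootable. The script below shows the reasoning behind such a check on a 512-byte sector: it validates the 0x55AA signature, walks the four partition-table entries (a start LBA of 63 gives exactly the 0x7E00 byte offset seen in the log), hashes the boot-code area and compares that hash with an allow-list. The sector, the "clean" and "tampered" boot-code stubs and the allow-list are all constructed here for illustration; a practitioner would populate the allow-list from a known-clean image of the same Windows build. Hashing the 440-byte boot-code area is this example's choice, not a statement of what MBRCheck hashes. The script only reads bytes it builds itself; it never writes to a disk.

```python
"""Parse a 512-byte Master Boot Record and flag boot code that is not on an allow-list.

Added example for the MalwareRemoval.com thread; not MBRCheck's code. All input is
constructed inline, so the script runs offline and writes nothing to any disk.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440        # bytes 0..439: boot code (disk signature follows at 440)
PART_TABLE_OFF = 446      # four 16-byte partition entries at 446..509
PART_ENTRY_LEN = 16
SIG_OFF = 510             # two-byte boot signature 0x55 0xAA at 510..511
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count

# Small subset of the standard MBR partition-type table.
PART_TYPES = {0x00: "empty", 0x05: "Extended", 0x07: "NTFS/exFAT",
              0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0F: "Extended LBA"}

# Constructed boot-code stubs (synthetic, not real Windows XP boot code).
GOOD_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24
# A bootkit typically patches the first bytes to jump into its own code; modelled
# here by prepending a near jump to the otherwise identical stub.
TAMPERED_BOOTCODE = b"\xe9\x00\x01" + GOOD_BOOTCODE[3:]


def build_sample_mbr(bootcode: bytes, start_lba: int = 63,
                     sectors: int = 31_000_000, ptype: int = 0x07) -> bytes:
    """Construct a synthetic MBR with one active partition and a valid signature."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code exceeds %d bytes" % BOOTCODE_LEN)
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    mbr[440:444] = b"\x12\x34\x56\x78"          # disk signature (arbitrary)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", ptype,
                        b"\xfe\xff\xff", start_lba, sectors)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = entry
    mbr[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, boot-code SHA1 and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected a %d-byte sector" % SECTOR)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0x00:
            continue                              # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "0x%02x" % ptype),
            "start_lba": lba,
            "byte_offset": lba * SECTOR,          # 63 * 512 == 0x7E00
            "sectors": count,
        })
    return {
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "bootcode_sha1": hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def classify_bootcode(sha1_hex: str, known_good: set) -> str:
    """Allow-list check: anything not on the list is reported, not auto-repaired."""
    return "Known-good MBR code" if sha1_hex in known_good else "Unknown MBR code"


# Placeholder allow-list: derived from the constructed clean sector. A real list
# holds hashes taken from trusted media for the exact OS version.
KNOWN_GOOD = {parse_mbr(build_sample_mbr(GOOD_BOOTCODE))["bootcode_sha1"]}


def demo() -> dict:
    """Classify the clean and the tampered constructed sectors."""
    results = {}
    for label, code in (("clean", GOOD_BOOTCODE), ("tampered", TAMPERED_BOOTCODE)):
        info = parse_mbr(build_sample_mbr(code))
        results[label] = classify_bootcode(info["bootcode_sha1"], KNOWN_GOOD)
    return results


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr(GOOD_BOOTCODE))
    for p in info["partitions"]:
        print("partition %d: %s, start LBA %d, byte offset 0x%08x" %
              (p["index"], p["type_name"], p["start_lba"], p["byte_offset"]))
    print(demo())
```

Note that the tampered sector still parses with the same partition table and a valid signature: the partition layout is untouched, which is exactly why a bootkit survives a file-level scan and why only the hash of the boot code reveals the change. The example only reports; rewriting the sector is the step deltalima warns about, and it should never be attempted without a way to restore the operating system.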