Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Inactive Malware Help Topics
03-04-2010, 10:09 PM   #1
Registered User | Join Date: Apr 2009 | Posts: 15 | OS: XP

Cannot run either DDS or GMER

I get a txt file immediately after I open DDS.scr saying "This program cannot be run in DOS mode". Also, when I try to open GMER, it automatically runs and then the error report window pops up saying "gmer.exe has encountered a problem and needs to close. We are sorry for the inconvenience".

However, I was able to run OTL and it gave me the following data log:

OTL logfile created on: 2010-03-03 18:40:41 - Run 2
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\johnd\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

1,023.00 Mb Total Physical Memory | 511.00 Mb Available Physical Memory | 50.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 200 300 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 46.12 Gb Total Space | 17.72 Gb Free Space | 38.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 480.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EISO-LT-OS99994
Current User Name: johnd
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 90 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-03-03 18:38:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\johnd\Desktop\OTL.exe
PRC - [2010-03-03 0950 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008-11-02 08:19:52 | 000,172,032 | ---- | M] (WelltonWay) -- C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
PRC - [2008-10-23 17:39:21 | 000,068,865 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
PRC - [2008-10-23 17:39:01 | 000,151,297 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
PRC - [2008-09-02 04:33:22 | 000,716,800 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieCtrl.exe
PRC - [2008-09-02 04:33:22 | 000,048,640 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieSvc.exe
PRC - [2008-06-12 13:28:45 | 000,266,497 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
PRC - [2008-01-15 22:52:09 | 000,090,112 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2008-01-15 22:52:04 | 000,217,088 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe
PRC - [2007-06-13 02:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005-09-30 01:32:00 | 000,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2005-09-06 03:08:00 | 000,081,920 | ---- | M] (Lenovo) -- C:\WINDOWS\system32\QCONSVC.EXE
PRC - [2005-07-22 16:21:38 | 012,061,896 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2005-07-12 09:40:08 | 000,040,551 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Virtual Token\vtserver.exe
PRC - [2005-06-06 21:26:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe
PRC - [2005-06-06 15:03:00 | 000,077,824 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\TPHDEXLG.exe
PRC - [2005-01-31 09:45:20 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2002-09-20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010-03-03 18:38:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\johnd\Desktop\OTL.exe
MOD - [2006-08-25 07:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2008-11-02 08:19:52 | 000,172,032 | ---- | M] (WelltonWay) [Auto | Running] -- C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe -- (GB-PVR Recording Service)
SRV - [2008-10-23 17:39:21 | 000,068,865 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe -- (AntiVirScheduler)
SRV - [2008-10-23 17:39:01 | 000,151,297 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe -- (AntiVirService)
SRV - [2008-09-25 20:47:19 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008-09-02 04:33:22 | 000,048,640 | ---- | M] (tzuk) [Auto | Running] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2007-05-08 20:59:23 | 000,069,632 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2006-10-15 23:40:46 | 000,077,944 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2005-11-14 0004 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005-09-30 01:32:00 | 000,057,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2005-09-06 03:08:00 | 000,081,920 | ---- | M] (Lenovo) [Auto | Running] -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)
SRV - [2005-07-28 11:30:14 | 000,075,328 | ---- | M] (PatchLink Corporation) [Disabled | Stopped] -- C:\Program Files\PatchLink\Update Agent\GravitixService.exe -- (PatchLink Update)
SRV - [2005-07-12 09:40:08 | 000,040,551 | ---- | M] (UPEK Inc.) [Auto | Running] -- C:\Program Files\Common Files\Virtual Token\vtserver.exe -- (vtserver)
SRV - [2005-07-07 20:54:10 | 000,036,864 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2005-06-06 21:26:22 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2005-06-06 15:03:00 | 000,077,824 | ---- | M] (Lenovo.) [Auto | Running] -- C:\WINDOWS\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2005-01-31 09:45:20 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2004-01-26 15:01:56 | 001,425,424 | ---- | M] (Cisco Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2003-07-16 12:37:58 | 000,143,360 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2002-09-20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2009-08-20 08:19:18 | 000,033,920 | ---- | M] (F5 Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2009-08-20 08:19:15 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2009-07-14 19:41:51 | 000,075,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009-07-14 19:39:24 | 000,052,056 | ---- | M] (Avira GmbH) [File_System | On_Demand | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -- (avgntflt)
DRV - [2009-07-14 19:39:22 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys -- (avgio)
DRV - [2009-06-05 10:42:38 | 000,039,424 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009-03-19 15:32:48 | 000,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008-09-02 04:33:22 | 000,100,352 | ---- | M] (tzuk) [Kernel | On_Demand | Running] -- C:\Program Files\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV - [2008-08-12 21:39:38 | 000,021,672 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)
DRV - [2008-08-12 21:39:38 | 000,013,352 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)
DRV - [2007-11-14 03:00:00 | 000,043,840 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007-04-09 04:27:07 | 000,031,548 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2007-03-01 09:34:22 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2007-01-21 23:11:48 | 000,017,480 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2006-09-18 13:59:08 | 000,090,800 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se27unic.sys -- (se27unic) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)
DRV - [2006-09-18 13:59:02 | 000,086,560 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27obex.sys -- (SE27obex)
DRV - [2006-09-18 13:59:00 | 000,018,704 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se27nd5.sys -- (se27nd5) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)
DRV - [2006-09-18 13:58:58 | 000,088,688 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27mgmt.sys -- (SE27mgmt) Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)
DRV - [2006-09-18 13:58:54 | 000,097,184 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27mdm.sys -- (SE27mdm)
DRV - [2006-09-18 13:58:52 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27mdfl.sys -- (SE27mdfl)
DRV - [2006-09-18 13:58:48 | 000,061,600 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27bus.sys -- (SE27bus) Sony Ericsson Device 039 Driver driver (WDM)
DRV - [2006-01-25 09:41:47 | 000,017,801 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2005-12-13 15:18:50 | 000,050,048 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ikhlayer.sys -- (ikhlayer)
DRV - [2005-11-04 12:22:00 | 000,069,632 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\shockprf.sys -- (Shockprf)
DRV - [2005-10-18 16:53:24 | 000,998,656 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005-10-18 16:52:38 | 000,242,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005-10-18 16:52:30 | 000,721,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005-10-05 16:57:08 | 000,012,544 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005-09-30 01:32:00 | 000,013,456 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2005-09-15 13:53:10 | 000,177,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005-09-06 03:08:00 | 000,012,288 | ---- | M] (IBM Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcndisif.sys -- (QCNDISIF)
DRV - [2005-09-06 03:08:00 | 000,011,520 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)
DRV - [2005-09-06 03:08:00 | 000,002,432 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS -- (IBMTPCHK)
DRV - [2005-08-31 02:40:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2005-08-31 01:50:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005-08-31 01:50:00 | 000,009,340 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005-08-25 15:09:42 | 000,467,104 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005-07-12 09:47:12 | 000,026,240 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2005-07-12 09:37:08 | 000,003,328 | ---- | M] (UPEK Inc.) [Kernel | Auto | Running] -- C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys -- (SmiHlp)
DRV - [2005-07-05 14:57:06 | 000,017,699 | ---- | M] (IBM Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPHKDRV.sys -- (TPHKDRV)
DRV - [2005-06-06 11:59:00 | 000,004,736 | ---- | M] (Lenovo.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ShockMgr.sys -- (ShockMgr)
DRV - [2005-05-25 21:59:12 | 001,133,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005-04-20 01:38:00 | 000,016,384 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWR.SYS -- (TPPWR)
DRV - [2005-03-28 09:19:38 | 000,220,992 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2005-03-21 04:05:46 | 000,333,620 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2005-03-15 01:45:20 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\point32.sys -- (Point32)
DRV - [2005-03-04 19:53:00 | 000,127,872 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2005-02-23 20:13:38 | 000,015,872 | ---- | M] (Atmel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atmeltpm.sys -- (atmeltpm)
DRV - [2004-11-05 10:08:06 | 000,670,208 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2004-10-26 11:26:08 | 000,125,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1000325.sys -- (E1000) Intel(R)
DRV - [2004-08-03 22:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004-08-03 22:00:50 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2004-08-03 21:59:42 | 000,095,360 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\atapi.sys -- (atapi)
DRV - [2004-08-03 21:08:42 | 000,025,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser.sys -- (usbser)
DRV - [2004-03-12 22:41:42 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\d346prt.sys -- (d346prt)
DRV - [2004-03-12 22:41:28 | 000,156,800 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\d346bus.sys -- (d346bus)
DRV - [2004-01-26 15:01:06 | 000,268,872 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2003-12-03 17:44:58 | 000,013,566 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrbsvsd.sys -- (cdrbsvsd)
DRV - [2003-08-28 21:40:26 | 000,189,792 | ---- | M] (Zone Labs Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2003-07-24 19:55:50 | 000,139,604 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003-05-01 13:26:34 | 000,005,220 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2002-10-15 22:41:06 | 000,102,220 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sonypvs1.sys -- (sonypvs1)
DRV - [2002-09-16 17:14:32 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv)
DRV - [2001-08-23 03:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001-08-23 03:00:00 | 000,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1844237615-854245398-1838501155-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1844237615-854245398-1838501155-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1844237615-854245398-1838501155-1005\S-1-5-21-1844237615-854245398-1838501155-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "megaup"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "megaup"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {DBBB3167-6E81-400f-BBFD-BD8921726F52}:6030.2009.0622.1843
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07076007
FF - prefs.js..extensions.enabledItems: nosquint@urandom.ca:1.93.2.1
FF - prefs.js..extensions.enabledItems: {EC4F59B4-DF68-11DA-9B41-B622A1EF5492}:1.0.7
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?ei=utf-8&fr=megaup&p="
FF - prefs.js..network.proxy.backup.ftp: ""
FF - prefs.js..network.proxy.backup.ftp_port: 0
FF - prefs.js..network.proxy.backup.gopher: ""
FF - prefs.js..network.proxy.backup.gopher_port: 0
FF - prefs.js..network.proxy.backup.socks: ""
FF - prefs.js..network.proxy.backup.socks_port: 0
FF - prefs.js..network.proxy.backup.ssl: ""
FF - prefs.js..network.proxy.backup.ssl_port: 0
FF - prefs.js..network.proxy.ftp: "10.1.1.1"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "10.1.1.1"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7171
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "10.1.1.1"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "10.1.1.1"
FF - prefs.js..network.proxy.ssl_port: 8080

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-03-03 0955 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-03-03 0955 | 000,000,000 | ---D | M]

[2008-06-28 15:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnd\Application Data\Mozilla\Extensions
[2010-03-03 09:16:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions
[2009-07-20 17:07:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-03-03 09:16:23 | 000,000,000 | ---D | M] (F5 Networks Host Plugin) -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}
[2008-06-22 02:17:31 | 000,000,000 | ---D | M] (QuickZoom) -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\{EC4F59B4-DF68-11DA-9B41-B622A1EF5492}
[2008-04-04 00:35:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\moveplayer@movenetworks.com
[2008-08-12 20:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\nosquint@urandom.ca
[2008-11-30 22:08:32 | 000,000,891 | ---- | M] () -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\searchplugins\dictionarycom.xml
[2010-03-02 20:50:41 | 000,001,483 | ---- | M] () -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\searchplugins\english---vietnamese-dictionary.xml
[2007-11-23 11:27:02 | 000,000,888 | ---- | M] () -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\searchplugins\thesauruscom.xml
[2008-06-05 19:27:01 | 000,001,074 | ---- | M] () -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\searchplugins\wikipedia-en.xml
[2008-02-24 21:00:14 | 000,002,105 | ---- | M] () -- C:\Documents and Settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\searchplugins\youtube-video-search.xml
[2010-03-03 09:16:26 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010-03-03 17:47:25 | 000,000,025 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1844237615-854245398-1838501155-1005\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
O3 - HKU\S-1-5-21-1844237615-854245398-1838501155-1005\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe ()
O4 - HKU\S-1-5-21-1844237615-854245398-1838501155-1005..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-1844237615-854245398-1838501155-1005..\Run: [SandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1844237615-854245398-1838501155-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1844237615-854245398-1838501155-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-854245398-1838501155-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1844237615-854245398-1838501155-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1844237615-854245398-1838501155-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: ([]msn in Computer)
O15 - HKLM\..Trusted Domains: wpcuds.usace.army.mil ([]* in Trusted sites)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} https://ssl-central.virtela.net/vdes...,2009,820,1617 (F5 Networks VPN Manager)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...8f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://ssl-central.virtela.net/vdes...,2009,811,2213 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsu...?1231995917123 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl.sun.com/webapps/downlo...BundleId=23100 (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} https://ssl-central.virtela.net/vdes...,2009,828,1610 (F5 Networks SuperHost Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/s...sh/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://ssl-central.virtela.net/vdes...,2009,828,1606 (F5 Networks Host Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.69.150 68.87.85.102 0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eis.ds.usace.army.mil
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\WINDOWS\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\psfus: DllName - C:\Program Files\ThinkVantage Fingerprint Software\psfus.dll - C:\Program Files\ThinkVantage Fingerprint Software\psfus.dll (UPEK Inc.)
O20 - Winlogon\Notify\QConGina: DllName - QConGina.dll - C:\WINDOWS\System32\QConGina.dll (Lenovo)
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\johnd\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\johnd\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (digiwet.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006-01-25 07:16:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003-05-18 10:54:20 | 000,061,440 | R--- | M] () - E:\autoplay.exe -- [ CDFS ]
O32 - AutoRun File - [2003-02-11 23:01:48 | 000,000,050 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010-03-03 18:38:03 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\johnd\Desktop\OTL.exe
[2010-03-03 18:30:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnd\Desktop\Music
[2010-03-03 17:48:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnd\Desktop\4433 (WM-548 Nissan RHD LHD Environmental PV)
[2010-03-03 09:15:27 | 000,010,752 | ---- | C] (F5 Networks) -- C:\WINDOWS\System32\drivers\urfltw2k.sys
[2010-03-03 09:15:18 | 000,640,488 | ---- | C] (F5 Networks) -- C:\Documents and Settings\johnd\Desktop\urvpn.exe
[2010-03-03 00:00:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
[2010-03-02 20:36:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnd\Local Settings\Application Data\Temp
[2010-02-10 23:31:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\johnd\My Documents\My Received Files
[2010-02-10 21:05:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\johnd\Recent
[2010-02-10 21:02:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010-02-10 21:00:37 | 000,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
[2010-02-10 20:37:13 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009-12-16 04:58:04 | 000,343,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mspaint.exe
[2009-12-13 23:35:35 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\csrsrv.dll
[2009-04-28 12:24:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2006-11-25 19:44:11 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006-11-17 00:32:10 | 000,156,800 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d346bus.sys
[2006-11-17 00:32:10 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d346prt.sys
[2006-02-02 11:49:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006-01-25 07:20:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006-01-25 07:16:23 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

========== Files - Modified Within 90 Days ==========

[2010-03-03 18:38:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\johnd\Desktop\OTL.exe
[2010-03-03 18:33:52 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\johnd\Desktop\dds.scr
[2010-03-03 18:28:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-03-03 18:28:30 | 000,514,406 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-03-03 18:28:30 | 000,436,704 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010-03-03 18:28:30 | 000,069,076 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010-03-03 18:24:12 | 001,599,080 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010-03-03 18:23:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-03-03 18:23:52 | 1072,680,960 | -HS- | M] () -- C:\hiberfil.sys
[2010-03-03 18:23:40 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\Sweeper.cfg
[2010-03-03 18:22:27 | 000,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2010-03-03 18:22:23 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\johnd\ntuser.ini
[2010-03-03 18:22:22 | 007,864,320 | ---- | M] () -- C:\Documents and Settings\johnd\NTUSER.DAT
[2010-03-03 17:47:25 | 000,000,025 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010-03-03 10:43:55 | 000,000,025 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2010-03-03 09:34:31 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010-03-03 09:15:17 | 000,640,488 | ---- | M] (F5 Networks) -- C:\Documents and Settings\johnd\Desktop\urvpn.exe
[2010-03-03 00:47:04 | 000,138,752 | ---- | M] () -- C:\Documents and Settings\johnd\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-03-03 00:43:35 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\johnd\Desktop\gmer.zip
[2010-02-11 20:19:08 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\johnd\My Documents\jo's lucky farm paper.doc
[2010-02-10 21:27:55 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010-02-10 21:20:04 | 007,532,544 | ---- | M] () -- C:\Documents and Settings\johnd\s-1-5-21-1844237615-854245398-1838501155-1005.rrr
[2010-02-07 20:41:06 | 003,162,678 | ---- | M] () -- C:\Documents and Settings\johnd\Desktop\whattodo.bmp
[2010-02-07 20:40:37 | 001,208,202 | ---- | M] () -- C:\Documents and Settings\johnd\Desktop\whattodo1.bmp
[2010-01-05 02:00:29 | 000,832,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2010-01-05 02:00:28 | 001,168,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2010-01-05 02:00:28 | 000,671,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mstime.dll
[2010-01-05 02:00:28 | 000,671,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstime.dll
[2010-01-05 02:00:28 | 000,233,472 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\webcheck.dll
[2010-01-05 02:00:28 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2010-01-05 02:00:28 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2010-01-05 02:00:28 | 000,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll
[2010-01-05 02:00:28 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\pngfilt.dll
[2010-01-05 02:00:28 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pngfilt.dll
[2010-01-05 02:00:27 | 000,477,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtmled.dll
[2010-01-05 02:00:27 | 000,193,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msrating.dll
[2010-01-05 02:00:27 | 000,193,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msrating.dll
[2010-01-05 02:00:26 | 003,599,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2010-01-05 02:00:25 | 000,052,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2010-01-05 02:00:25 | 000,052,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2010-01-05 02:00:24 | 001,830,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl
[2010-01-05 02:00:24 | 001,830,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl
[2010-01-05 02:00:24 | 000,459,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2010-01-05 02:00:24 | 000,459,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2010-01-05 02:00:24 | 000,268,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2010-01-05 02:00:24 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2010-01-05 02:00:24 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2010-01-05 02:00:24 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iernonce.dll
[2010-01-05 02:00:24 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iernonce.dll
[2010-01-05 02:00:24 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2010-01-05 02:00:24 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2010-01-05 02:00:23 | 006,067,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2010-01-05 02:00:21 | 000,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll
[2010-01-05 02:00:21 | 000,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll
[2010-01-05 02:00:21 | 000,380,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieapfltr.dll
[2010-01-05 02:00:21 | 000,380,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dll
[2010-01-05 02:00:21 | 000,230,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieaksie.dll
[2010-01-05 02:00:21 | 000,230,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieaksie.dll
[2010-01-05 02:00:21 | 000,214,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dxtrans.dll
[2010-01-05 02:00:21 | 000,214,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dxtrans.dll
[2010-01-05 02:00:21 | 000,153,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieakeng.dll
[2010-01-05 02:00:21 | 000,153,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieakeng.dll
[2010-01-05 02:00:21 | 000,133,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\extmgr.dll
[2010-01-05 02:00:21 | 000,078,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2010-01-05 02:00:21 | 000,078,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll
[2010-01-05 02:00:21 | 000,063,488 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icardie.dll
[2010-01-05 02:00:20 | 000,347,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dxtmsft.dll
[2010-01-05 02:00:20 | 000,347,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dxtmsft.dll
[2010-01-05 02:00:20 | 000,124,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advpack.dll
[2010-01-05 02:00:20 | 000,124,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\advpack.dll
[2010-01-05 02:00:20 | 000,017,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\corpol.dll
[2010-01-05 02:00:20 | 000,017,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\corpol.dll
[2009-12-31 08:14:12 | 000,352,640 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2009-12-31 07:33:27 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec
[2009-12-31 07:33:06 | 000,070,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2009-12-31 07:33:06 | 000,070,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe
[2009-12-31 07:33:06 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieudinit.exe
[2009-12-31 07:33:06 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieudinit.exe
[2009-12-18 05:05:43 | 000,634,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iexplore.exe
[2009-12-18 05:04:09 | 000,161,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieakui.dll
[2009-12-18 05:04:09 | 000,161,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieakui.dll
[2009-12-16 04:58:04 | 000,343,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mspaint.exe
[2009-12-16 04:58:04 | 000,343,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mspaint.exe
[2009-12-13 23:35:35 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\csrsrv.dll
[2009-12-13 23:35:35 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\csrsrv.dll
[2009-12-08 10:55:25 | 002,180,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntoskrnl.exe
[2009-12-08 10:55:25 | 002,180,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2009-12-08 10:53:08 | 002,136,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2009-12-08 10:19:32 | 002,057,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntkrnlpa.exe
[2009-12-08 10:19:32 | 002,057,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2009-12-08 10:19:32 | 002,015,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2009-12-08 00:59:48 | 000,474,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shlwapi.dll
[2009-12-04 06:41:55 | 000,453,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys

========== Files Created - No Company Name ==========

[2010-03-03 18:33:50 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\johnd\Desktop\dds.scr
[2010-03-03 09:21:42 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010-03-03 00:43:33 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\johnd\Desktop\gmer.zip
[2010-02-11 20:19:08 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\johnd\My Documents\jo's lucky farm paper.doc
[2010-02-10 21:19:56 | 007,532,544 | ---- | C] () -- C:\Documents and Settings\johnd\s-1-5-21-1844237615-854245398-1838501155-1005.rrr
[2010-02-07 20:40:53 | 003,162,678 | ---- | C] () -- C:\Documents and Settings\johnd\Desktop\whattodo.bmp
[2010-02-07 20:40:32 | 001,208,202 | ---- | C] () -- C:\Documents and Settings\johnd\Desktop\whattodo1.bmp
[2009-01-17 17:53:38 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009-01-17 17:53:38 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008-11-24 19:53:56 | 000,001,377 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\QTSBandwidthCache
[2008-08-10 15:46:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mngui.INI
[2008-05-01 21:49:40 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008-04-23 22:50:55 | 000,008,096 | ---- | C] () -- C:\Documents and Settings\johnd\Local Settings\Application Data\.ipc_copyrecord
[2008-04-23 22:49:01 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\johnd\Local Settings\Application Data\84756-11986-27475-00TC1-94865
[2008-04-03 22:55:18 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008-04-03 22:55:18 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007-07-20 00:15:37 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\cdga.dll
[2007-01-22 01:49:19 | 000,003,474 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2006-12-05 23:35:02 | 000,685,549 | ---- | C] () -- C:\Program Files\Hamachi.zip
[2006-11-21 15:53:56 | 000,001,733 | ---- | C] () -- C:\WINDOWS\TSearch.INI
[2006-03-11 11:45:14 | 000,138,752 | ---- | C] () -- C:\Documents and Settings\johnd\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006-02-11 08:46:06 | 000,000,067 | ---- | C] () -- C:\WINDOWS\DVDRegionFree.INI
[2006-02-07 21:23:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006-02-07 21:23:27 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006-02-07 19:30:21 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2006-02-05 21:49:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006-01-27 15:16:12 | 000,139,280 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006-01-27 15:00:43 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006-01-25 09:43:33 | 000,095,360 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2006-01-25 09:42:30 | 000,002,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.SYS
[2006-01-25 09:42:12 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2006-01-25 09:42:12 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2006-01-25 09:40:35 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2006-01-25 09:40:23 | 000,009,340 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2006-01-25 09:39:43 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2006-01-25 09:39:24 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2006-01-24 10:08:29 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2005-09-30 01:32:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[2005-08-12 13:57:09 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005-07-05 23:45:08 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\notifyf2.dll
[2005-06-16 22:23:08 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[2004-03-15 19:28:50 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2003-12-08 23:08:20 | 002,539,520 | ---- | C] () -- C:\WINDOWS\System32\Bbgspdf.dll
[2003-12-02 12:39:08 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\InstallPrinter.dll
[2003-11-16 01:48:02 | 000,909,312 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003-11-16 01:48:00 | 001,060,864 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003-11-15 08:54:18 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2003-08-06 15:23:08 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2003-01-30 05:04:00 | 000,618,496 | ---- | C] () -- C:\WINDOWS\System32\stlpmt45.dll
[2003-01-07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002-10-06 14:42:58 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002-03-13 15:46:46 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0CE7F3C9
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D1B5B4F1
< End of report >
jstyle711 is offline  
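The O20, O29 and O34 lines in the OTL log above are load points that run a DLL inside winlogon or lsass, or before logon: Winlogon Shell/GinaDLL/Notify packages, SecurityProviders, and BootExecute. Two things an analyst scans those lines for are a target reported as "File not found" (as for digiwet.dll under SecurityProviders) and a DLL with no publisher in its version information (the two ThinkPad hotkey DLLs). The following is an added triage example, not OTL's or OldTimer's code: it parses persistence lines copied from the log and reports those two conditions. The "autocheck autochk *" BootExecute default is skipped on the assumption that OTL reports it as missing on a normal XP system; nothing here decides whether an entry is malicious.

```python
import re

# Constructed sample input: persistence lines copied from the OTL log above.
SAMPLE_OTL = r"""
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\WINDOWS\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\psfus: DllName - C:\Program Files\ThinkVantage Fingerprint Software\psfus.dll - C:\Program Files\ThinkVantage Fingerprint Software\psfus.dll (UPEK Inc.)
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O29 - HKLM SecurityProviders - (digiwet.dll) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
"""

# Load points OTL reports that run code inside winlogon/lsass or before logon:
# O20 = Winlogon Shell/GinaDLL/Notify packages, O29 = SecurityProviders, O34 = BootExecute.
WATCHED = {"O20", "O29", "O34"}

# Default values OTL reports as "File not found" on a normal XP box (assumed safe to skip).
KNOWN_DEFAULTS = {"O34": ("autocheck autochk *",)}

# "O20 - <body> (<publisher>)"; the trailing parenthesised publisher is optional,
# and "()" means the file exists but carries no company name.
LINE_RE = re.compile(r"^(O\d+) - (.+?)(?: \(([^()]*)\))?$")


def triage_otl(text):
    """Return (section, body, reason) for watched load points worth a second look."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body, publisher = m.groups()
        if section not in WATCHED:
            continue
        if any(d in body for d in KNOWN_DEFAULTS.get(section, ())):
            continue
        if body.endswith("File not found"):
            # A load point naming a DLL that no longer exists: leftover from a
            # removed product, or a payload that was deleted or is hidden. Strong signal.
            findings.append((section, body, "target file missing"))
        elif publisher == "":
            # Present, but no company name in its version info. Weak signal on its
            # own (OEM hotkey DLLs are often unversioned); verify hash/signature.
            findings.append((section, body, "no publisher in version info"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage_otl(SAMPLE_OTL):
        print(f"{section}: {reason}: {body}")
```

On the sample, the two unversioned Winlogon Notify DLLs and the missing SecurityProviders DLL are reported; the GINA and Shell entries, which carry a publisher, and the BootExecute default are not. The "missing" finding is the one to chase first, since a SecurityProviders entry is loaded by lsass at boot and a dangling name is either stale or the remnant of something that was removed or is being hidden.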

Old 03-06-2010, 01:45 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Download TDSSKiller.zip and extract TDSSKiller.exe to your Desktop.

Double-click TDSSKiller.exe and follow the prompts to run it.

When finished, it will prompt you to 'Close all programs and choose Y to restart or N to continue'.

Please type Y to restart your computer.

It will produce a log here > C:\TDSSKiller.2.2.7.1_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

------------------------------------------------------

Please restart your computer once more.

------------------------------------------------------

Rename dds.scr to dds.com or dds.pif and see if it will run now. Please post/attach the logs.

------------------------------------------------------

I need to see a gmer log in order to help you. Please try running gmer again, this time also unchecking 'Files'. Make sure no antivirus scans are scheduled during the run.

If you still have trouble, run gmer again and click 'Save...' after the short initial scan and post that log in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 03-08-2010, 12:23 AM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 15
OS: XP


Re: Cannot run either DDS or GMER

I ran TDSSKiller.exe and it did not prompt me to close all windows and restart my computer.

The log that it produced was located in my C:\ drive and is pasted below.

DDS currently runs and attached are the two data logs.

23:44:04:025 3576 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
23:44:04:025 3576 ================================================================================
23:44:04:025 3576 SystemInfo:

23:44:04:025 3576 OS Version: 5.1.2600 ServicePack: 2.0
23:44:04:025 3576 Product type: Workstation
23:44:04:025 3576 ComputerName: EISO-LT-OS99994
23:44:04:025 3576 UserName: johnd
23:44:04:025 3576 Windows directory: C:\WINDOWS
23:44:04:025 3576 Processor architecture: Intel x86
23:44:04:025 3576 Number of processors: 1
23:44:04:025 3576 Page size: 0x1000
23:44:04:025 3576 Boot type: Normal boot
23:44:04:025 3576 ================================================================================
23:44:04:035 3576 UnloadDriverW: NtUnloadDriver error 2
23:44:04:035 3576 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:44:04:065 3576 Initialize success
23:44:04:065 3576
23:44:04:065 3576 Scanning Services ...
23:44:04:075 3576 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:44:04:075 3576 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:44:04:075 3576 wfopen_ex: Trying to KLMD file open
23:44:04:075 3576 wfopen_ex: File opened ok (Flags 2)
23:44:04:075 3576 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:44:04:075 3576 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:44:04:075 3576 wfopen_ex: Trying to KLMD file open
23:44:04:075 3576 wfopen_ex: File opened ok (Flags 2)
23:44:04:556 3576 GetAdvancedServicesInfo: Raw services enum returned 411 services
23:44:04:556 3576 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:44:04:556 3576 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:44:04:556 3576
23:44:04:556 3576 Scanning Kernel memory ...
23:44:04:556 3576 Devices to scan: 3
23:44:04:556 3576
23:44:04:556 3576 Driver Name: Disk
23:44:04:556 3576 IRP_MJ_CREATE : F7627C30
23:44:04:556 3576 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
23:44:04:556 3576 IRP_MJ_CLOSE : F7627C30
23:44:04:556 3576 IRP_MJ_READ : F7621D9B
23:44:04:556 3576 IRP_MJ_WRITE : F7621D9B
23:44:04:556 3576 IRP_MJ_QUERY_INFORMATION : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_INFORMATION : 804FB8EE
23:44:04:556 3576 IRP_MJ_QUERY_EA : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_EA : 804FB8EE
23:44:04:556 3576 IRP_MJ_FLUSH_BUFFERS : F7622366
23:44:04:556 3576 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
23:44:04:556 3576 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
23:44:04:556 3576 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
23:44:04:556 3576 IRP_MJ_DEVICE_CONTROL : F762244D
23:44:04:556 3576 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7625FC3
23:44:04:556 3576 IRP_MJ_SHUTDOWN : F7622366
23:44:04:556 3576 IRP_MJ_LOCK_CONTROL : 804FB8EE
23:44:04:556 3576 IRP_MJ_CLEANUP : 804FB8EE
23:44:04:556 3576 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
23:44:04:556 3576 IRP_MJ_QUERY_SECURITY : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_SECURITY : 804FB8EE
23:44:04:556 3576 IRP_MJ_POWER : F7623EF3
23:44:04:556 3576 IRP_MJ_SYSTEM_CONTROL : F7628A24
23:44:04:556 3576 IRP_MJ_DEVICE_CHANGE : 804FB8EE
23:44:04:556 3576 IRP_MJ_QUERY_QUOTA : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_QUOTA : 804FB8EE
23:44:04:556 3576 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
23:44:04:556 3576 sion
23:44:04:556 3576 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:44:04:556 3576
23:44:04:556 3576 Driver Name: Disk
23:44:04:556 3576 IRP_MJ_CREATE : F7627C30
23:44:04:556 3576 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
23:44:04:556 3576 IRP_MJ_CLOSE : F7627C30
23:44:04:556 3576 IRP_MJ_READ : F7621D9B
23:44:04:556 3576 IRP_MJ_WRITE : F7621D9B
23:44:04:556 3576 IRP_MJ_QUERY_INFORMATION : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_INFORMATION : 804FB8EE
23:44:04:556 3576 IRP_MJ_QUERY_EA : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_EA : 804FB8EE
23:44:04:556 3576 IRP_MJ_FLUSH_BUFFERS : F7622366
23:44:04:556 3576 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
23:44:04:556 3576 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
23:44:04:556 3576 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
23:44:04:556 3576 IRP_MJ_DEVICE_CONTROL : F762244D
23:44:04:556 3576 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7625FC3
23:44:04:556 3576 IRP_MJ_SHUTDOWN : F7622366
23:44:04:556 3576 IRP_MJ_LOCK_CONTROL : 804FB8EE
23:44:04:556 3576 IRP_MJ_CLEANUP : 804FB8EE
23:44:04:556 3576 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
23:44:04:556 3576 IRP_MJ_QUERY_SECURITY : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_SECURITY : 804FB8EE
23:44:04:556 3576 IRP_MJ_POWER : F7623EF3
23:44:04:556 3576 IRP_MJ_SYSTEM_CONTROL : F7628A24
23:44:04:556 3576 IRP_MJ_DEVICE_CHANGE : 804FB8EE
23:44:04:556 3576 IRP_MJ_QUERY_QUOTA : 804FB8EE
23:44:04:556 3576 IRP_MJ_SET_QUOTA : 804FB8EE
23:44:04:556 3576 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
23:44:04:556 3576 sion
23:44:04:566 3576 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:44:04:566 3576
23:44:04:566 3576 Driver Name: atapi
23:44:04:566 3576 IRP_MJ_CREATE : 86C8CC08
23:44:04:566 3576 IRP_MJ_CREATE_NAMED_PIPE : 86C8CC08
23:44:04:566 3576 IRP_MJ_CLOSE : 86C8CC08
23:44:04:566 3576 IRP_MJ_READ : 86C8CC08
23:44:04:566 3576 IRP_MJ_WRITE : 86C8CC08
23:44:04:566 3576 IRP_MJ_QUERY_INFORMATION : 86C8CC08
23:44:04:566 3576 IRP_MJ_SET_INFORMATION : 86C8CC08
23:44:04:566 3576 IRP_MJ_QUERY_EA : 86C8CC08
23:44:04:566 3576 IRP_MJ_SET_EA : 86C8CC08
23:44:04:566 3576 IRP_MJ_FLUSH_BUFFERS : 86C8CC08
23:44:04:566 3576 IRP_MJ_QUERY_VOLUME_INFORMATION : 86C8CC08
23:44:04:566 3576 IRP_MJ_SET_VOLUME_INFORMATION : 86C8CC08
23:44:04:566 3576 IRP_MJ_DIRECTORY_CONTROL : 86C8CC08
23:44:04:566 3576 IRP_MJ_FILE_SYSTEM_CONTROL : 86C8CC08
23:44:04:566 3576 IRP_MJ_DEVICE_CONTROL : 86C8CC08
23:44:04:566 3576 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86C8CC08
23:44:04:566 3576 IRP_MJ_SHUTDOWN : 86C8CC08
23:44:04:566 3576 IRP_MJ_LOCK_CONTROL : 86C8CC08
23:44:04:566 3576 IRP_MJ_CLEANUP : 86C8CC08
23:44:04:566 3576 IRP_MJ_CREATE_MAILSLOT : 86C8CC08
23:44:04:566 3576 IRP_MJ_QUERY_SECURITY : 86C8CC08
23:44:04:566 3576 IRP_MJ_SET_SECURITY : 86C8CC08
23:44:04:566 3576 IRP_MJ_POWER : 86C8CC08
23:44:04:566 3576 IRP_MJ_SYSTEM_CONTROL : 86C8CC08
23:44:04:566 3576 IRP_MJ_DEVICE_CHANGE : 86C8CC08
23:44:04:566 3576 IRP_MJ_QUERY_QUOTA : 86C8CC08
23:44:04:566 3576 IRP_MJ_SET_QUOTA : 86C8CC08
23:44:04:566 3576 ihd: 0, 0, 0, 0, 0, 0, 0
23:44:04:566 3576 siohd: 0
23:44:04:586 3576 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
23:44:04:586 3576
23:44:04:586 3576 Completed
23:44:04:586 3576
23:44:04:586 3576 Results:
23:44:04:586 3576 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:44:04:586 3576 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:44:04:586 3576 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:44:04:586 3576
23:44:04:586 3576 KLMD(ARK) unloaded successfully
Attached Files
File Type: txt Attach.txt (13.4 KB, 2 views)
File Type: txt DDS.txt (9.5 KB, 1 views)
jstyle711 is offline  
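The kernel-memory section of the TDSSKiller log above is a dump of each driver object's IRP dispatch table. For Disk, the handlers fall in the F762xxxx range (the driver's own image) or at 804FB8EE (inside the kernel image, which the RootRepeal log later places at 0x804D7000 with size 2180352). For atapi, every one of the 28 major functions resolves to the same address, 86C8CC08. The first question an analyst asks of such a table is whether each handler address lies inside a loaded image at all. The following is an added example, not Kaspersky's or RootRepeal's code: it parses the dispatch tables from TDSSKiller's output and the module list from RootRepeal's, and reports handlers that no listed image covers. The ACPI_HAL entry is copied from the RootRepeal log; the disk.sys base and size are assumed, because the visible part of that log stops before disk.sys. TDSSKiller 2.2.7.1 reported both drivers Clean; this check is a triage pointer for a kernel debugger or a newer scanner, not a verdict.

```python
import re

# Constructed sample input: lines copied from the TDSSKiller log above (a few IRP
# entries per driver are enough to show the check).
TDSSKILLER_EXCERPT = r"""
23:44:04:556 3576 Driver Name: Disk
23:44:04:556 3576 IRP_MJ_CREATE : F7627C30
23:44:04:556 3576 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
23:44:04:556 3576 IRP_MJ_READ : F7621D9B
23:44:04:556 3576 IRP_MJ_DEVICE_CONTROL : F762244D
23:44:04:556 3576 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:44:04:566 3576 Driver Name: atapi
23:44:04:566 3576 IRP_MJ_CREATE : 86C8CC08
23:44:04:566 3576 IRP_MJ_READ : 86C8CC08
23:44:04:566 3576 IRP_MJ_DEVICE_CONTROL : 86C8CC08
23:44:04:586 3576 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
"""

# Constructed module list in RootRepeal's format. ACPI_HAL (the kernel image) is
# copied from the RootRepeal log above; the disk.sys base/size is ASSUMED, since
# the visible part of that log stops before disk.sys.
ROOTREPEAL_EXCERPT = r"""
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\disk.sys
Address: 0xF7620000 Size: 36352 File Visible: - Signed: -
Status: -
"""

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})\s*$")
NAME_RE = re.compile(r"^Name:\s*(.*)$")
ADDR_RE = re.compile(r"^Address:\s*0x([0-9A-Fa-f]+)\s+Size:\s*(\d+)")


def parse_modules(rootrepeal_text):
    """Return [(name, start, end)] for every loaded image RootRepeal listed."""
    modules, name = [], None
    for raw in rootrepeal_text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            name = m.group(1).strip() or "<unnamed>"
            continue
        m = ADDR_RE.match(line)
        if m and name is not None:
            start, size = int(m.group(1), 16), int(m.group(2))
            if size:
                modules.append((name, start, start + size))
            name = None
    return modules


def parse_dispatch_tables(tdss_text):
    """Return {driver: {IRP_MJ_xxx: handler_address}} from TDSSKiller's kernel scan."""
    tables, current = {}, None
    for line in tdss_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, {})
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def module_for(addr, modules):
    """Name of the listed image containing addr, or None if no image covers it."""
    for name, lo, hi in modules:
        if lo <= addr < hi:
            return name
    return None


def find_unbacked_handlers(tdss_text, rootrepeal_text):
    """Driver -> sorted handler addresses that lie inside no listed image.

    A dispatch entry normally points into the driver's own image or into the
    kernel (the shared handler for unsupported requests). An entry that maps to
    no image at all is what to follow up with a kernel debugger.
    """
    modules = parse_modules(rootrepeal_text)
    suspects = {}
    for driver, table in parse_dispatch_tables(tdss_text).items():
        bad = sorted({a for a in table.values() if module_for(a, modules) is None})
        if bad:
            suspects[driver] = bad
    return suspects


if __name__ == "__main__":
    for driver, addrs in find_unbacked_handlers(TDSSKILLER_EXCERPT, ROOTREPEAL_EXCERPT).items():
        print(driver, ", ".join(f"{a:08X}" for a in addrs))
```

On the sample, Disk's handlers are all accounted for by the two listed images and atapi's single handler address is not. With the full RootRepeal module list the check gets stronger, since every image it reports is then a range the handler could legitimately belong to; in the visible part of that list the driver images sit at 0xF7... and 0xB8... and the kernel at 0x804D7000, so a handler at 0x86C8CC08 would have to be covered by an entry that is not shown.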
Old 03-08-2010, 04:31 AM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Hello jstyle711. What problems are you experiencing with your computer?

------------------------------------------------------

I still need to see a gmer log. Please try running gmer again, this time also unchecking 'Files'. Make sure no antivirus scans are scheduled during the run.

If you still have trouble, run gmer again and click 'Save...' after the short initial scan and post that log in your next reply.

------------------------------------------------------

If gmer won't run, delete your existing copy. Please run this special version of gmer:

Download GMER Rootkit Scanner from here and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


------------------------------------------------------
chemist is offline  
Old 03-08-2010, 08:17 AM   #5 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 15
OS: XP


Re: Cannot run either DDS or GMER

Very slow start up. Computer will randomly shut down. Cannot run GMER.

I forgot in the earlier post to say that GMER still does not run. I am able to open the file; however, once I open it up it does a scan on my system\currentcontrolset\services\etc.... and then crashes. A prompt will then pop up saying gmer.exe has encountered a problem and needs to close.

This also occurred for the new GMER file that I downloaded from your post. I tried to change the extension name; however, the end result is still the same.
jstyle711 is offline  
Old 03-08-2010, 08:20 AM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Try this one:

Download RootRepeal.exe and Save it to your Desktop.
  • Double-click on RootRepeal.exe to run it.
  • Click on the 'Report' tab, and then click on 'Scan'.
  • A window opens asking what to include in the scan.
  • Check the following boxes then click 'OK':
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
  • You will then be asked which drive to scan.
  • Check C: (or the drive your operating system is installed on, if not C:)
  • Click 'OK' once again.
  • The tool will begin scanning and may take a while to complete, so please be patient.
  • When the scan finishes, click on 'Save Report'.
  • Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
  • Post the log in your next reply.
------------------------------------------------------
Old 03-08-2010, 09:59 AM   #7 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 15
OS: XP


Re: Cannot run either DDS or GMER

When I open up RootRepeal.exe I get prompted with an error message saying "Error - Invaild PE image found!"

I closed the prompt and the program was still open. I clicked on Scan, but a window does not open for me to check the boxes you asked for, nor does it ask which drive I would like to scan. It just scans and creates the following report:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/08 09:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF74F4000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF756B000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: ACPIEC.sys
Image Path: ACPIEC.sys
Address: 0xF79FD000 Size: 11648 File Visible: - Signed: -
Status: -

Name: aeaudio.sys
Image Path: C:\WINDOWS\system32\drivers\aeaudio.sys
Address: 0xF6EBA000 Size: 127872 File Visible: - Signed: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\System32\DRIVERS\AegisP.sys
Address: 0xB86DD000 Size: 15968 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xBADD5000 Size: 138368 File Visible: - Signed: -
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xF7641000 Size: 42368 File Visible: - Signed: -
Status: -

Name: ANC.SYS
Image Path: C:\WINDOWS\System32\drivers\ANC.SYS
Address: 0xF6AFA000 Size: 11520 File Visible: - Signed: -
Status: -

Name: ar5211.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ar5211.sys
Address: 0xF6F97000 Size: 467104 File Visible: - Signed: -
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA12000 Size: 204800 File Visible: - Signed: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D6000 Size: 245760 File Visible: - Signed: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ati2mtag.sys
Address: 0xF7061000 Size: 1200128 File Visible: - Signed: -
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFA76000 Size: 2310144 File Visible: - Signed: -
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA44000 Size: 204800 File Visible: - Signed: -
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFCAA000 Size: 606208 File Visible: - Signed: -
Status: -

Name: atmeltpm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\atmeltpm.sys
Address: 0xF7365000 Size: 15872 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7D2C000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgio.sys
Image Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
Address: 0xF7B43000 Size: 6144 File Visible: - Signed: -
Status: -

Name: avgntflt.sys
Image Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
Address: 0xB8400000 Size: 81920 File Visible: - Signed: -
Status: -

Name: avipbb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xBAC72000 Size: 69632 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\BATTC.SYS
Address: 0xF79F9000 Size: 16384 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7B2F000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF79F1000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7811000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrbsvsd.SYS
Image Path: C:\WINDOWS\System32\Drivers\cdrbsvsd.SYS
Address: 0xF71A6000 Size: 12736 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF76B1000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF7621000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\CmBatt.sys
Address: 0xF71AA000 Size: 14080 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF79F5000 Size: 9344 File Visible: - Signed: -
Status: -

Name: covpndrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\covpndrv.sys
Address: 0xF7981000 Size: 29184 File Visible: - Signed: -
Status: -

Name: CVPNDRVA.sys
Image Path: C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
Address: 0xB8414000 Size: 503808 File Visible: - Signed: -
Status: -

Name: d346bus.sys
Image Path: d346bus.sys
Address: 0xF7599000 Size: 156800 File Visible: - Signed: -
Status: -

Name: d346prt.sys
Image Path: d346prt.sys
Address: 0xF7AE7000 Size: 5248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7611000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dne2000.sys
Image Path: C:\WINDOWS\System32\DRIVERS\dne2000.sys
Address: 0xF6CBE000 Size: 106848 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF76E1000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBA96E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B6D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xBAD32000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C4000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7D08000 Size: 4096 File Visible: - Signed: -
Status: -

Name: e1000325.sys
Image Path: C:\WINDOWS\System32\DRIVERS\e1000325.sys
Address: 0xF700A000 Size: 125952 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB8311000 Size: 143360 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF7941000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF7851000 Size: 34944 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF74BC000 Size: 128896 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7B2D000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF751D000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF76D1000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000 Size: 81280 File Visible: - Signed: -
Status: -

Name: hardlock.sys
Image Path: C:\WINDOWS\system32\drivers\hardlock.sys
Address: 0xB8334000 Size: 670208 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF77F1000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF79D1000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF71A2000 Size: 9600 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys
Address: 0xF6CD9000 Size: 721280 File Visible: - Signed: -
Status: -

Name: HSF_DPV.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys
Address: 0xF6D8A000 Size: 998656 File Visible: - Signed: -
Status: -

Name: HSFHWICH.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys
Address: 0xF6E7E000 Size: 242304 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB82D0000 Size: 262784 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF7681000 Size: 52736 File Visible: - Signed: -
Status: -

Name: IBMBLDID.SYS
Image Path: C:\WINDOWS\System32\drivers\IBMBLDID.SYS
Address: 0xF7CE5000 Size: 2432 File Visible: - Signed: -
Status: -

Name: ibmpmdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ibmpmdrv.sys
Address: 0xF7951000 Size: 28672 File Visible: - Signed: -
Status: -

Name: ikhlayer.sys
Image Path: C:\WINDOWS\system32\drivers\ikhlayer.sys
Address: 0xF7821000 Size: 50048 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF76A1000 Size: 41856 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF7AE5000 Size: 5504 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xF7671000 Size: 36096 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xBADF7000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xBAED1000 Size: 74752 File Visible: - Signed: -
Status: -

Name: irda.sys
Image Path: C:\WINDOWS\System32\DRIVERS\irda.sys
Address: 0xB866F000 Size: 87424 File Visible: - Signed: -
Status: -

Name: irenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\irenum.sys
Address: 0xF736D000 Size: 11264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75E1000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF7931000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7AE1000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xF6F34000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7493000 Size: 92032 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Address: 0xB84CB000 Size: 12544 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7B31000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF7959000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF7939000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xF6B12000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF75F1000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xBACA3000 Size: 453760 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF79C1000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF7721000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF7A91000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF73BE000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF73D9000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF7192000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xB86D9000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF6C79000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7741000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF7801000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xBAE51000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF79C9000 Size: 30848 File Visible: - Signed: -
Status: -

Name: nscirda.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nscirda.sys
Address: 0xF7949000 Size: 28672 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7406000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7C5D000 Size: 2944 File Visible: - Signed: -
Status: -

Name: OPRGHDLR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
Address: 0xF7BAA000 Size: 4096 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF6F57000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF7869000 Size: 18688 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF7B75000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF755A000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7BA9000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF7861000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF753C000 Size: 119936 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6EDA000 Size: 147456 File Visible: - Signed: -
Status: -

Name: PQNTDrv.SYS
Image Path: C:\WINDOWS\System32\Drivers\PQNTDrv.SYS
Address: 0xF7C87000 Size: 2688 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF6C68000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF7971000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF7631000 Size: 36288 File Visible: - Signed: -
Status: -

Name: pxniqfow.sys
Image Path: C:\DOCUME~1\johnd\LOCALS~1\Temp\pxniqfow.sys
Address: 0xB7662000 Size: 93056 File Visible: No Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF7389000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasirda.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasirda.sys
Address: 0xF7961000 Size: 19584 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF76F1000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF7701000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF7711000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF7979000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xBAD3A000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7B33000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Address: 0xF6B6F000 Size: 196864 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF76C1000 Size: 57472 File Visible: - Signed: -
Status: -

Name: RootMdm.sys
Image Path: C:\WINDOWS\System32\Drivers\RootMdm.sys
Address: 0xF7B15000 Size: 5888 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7919000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SbieDrv.sys
Image Path: C:\Program Files\Sandboxie\SbieDrv.sys
Address: 0xB8083000 Size: 118784 File Visible: - Signed: -
Status: -

Name: SCDEmu.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCDEmu.SYS
Address: 0xF78B1000 Size: 29280 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF74DC000 Size: 98304 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF7371000 Size: 15488 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF7691000 Size: 64896 File Visible: - Signed: -
Status: -

Name: ShockMgr.SYS
Image Path: C:\WINDOWS\System32\Drivers\ShockMgr.SYS
Address: 0xF7B35000 Size: 4736 File Visible: - Signed: -
Status: -

Name: Shockprf.sys
Image Path: Shockprf.sys
Address: 0xF750C000 Size: 69632 File Visible: - Signed: -
Status: -

Name: Smapint.sys
Image Path: C:\WINDOWS\System32\drivers\Smapint.sys
Address: 0xF78A9000 Size: 32768 File Visible: - Signed: -
Status: -

Name: smihlp.sys
Image Path: C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys
Address: 0xF7BE9000 Size: 3328 File Visible: - Signed: -
Status: -

Name: smwdm.sys
Image Path: C:\WINDOWS\system32\drivers\smwdm.sys
Address: 0xF6EFE000 Size: 220992 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF74AA000 Size: 73472 File Visible: - Signed: -
Status: -

Name: ssmdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xF7899000 Size: 22656 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF7B17000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\System32\DRIVERS\SynTP.sys
Address: 0xF6F6B000 Size: 177664 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB8527000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xBAE79000 Size: 360320 File Visible: - Signed: -
Status: -

Name: tcusb.sys
Image Path: C:\WINDOWS\System32\Drivers\tcusb.sys
Address: 0xF78A1000 Size: 26240 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7969000 Size: 20480 File Visible: - Signed: -
Status: -

Name: TDSMAPI.SYS
Image Path: C:\WINDOWS\System32\drivers\TDSMAPI.SYS
Address: 0xF7889000 Size: 24576 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF7731000 Size: 40704 File Visible: - Signed: -
Status: -

Name: TPHKDRV.SYS
Image Path: C:\WINDOWS\System32\Drivers\TPHKDRV.SYS
Address: 0xF79E9000 Size: 16416 File Visible: - Signed: -
Status: -

Name: Tppwr.sys
Image Path: C:\WINDOWS\System32\drivers\Tppwr.sys
Address: 0xF79E1000 Size: 32768 File Visible: - Signed: -
Status: -

Name: TSMAPIP.SYS
Image Path: C:\WINDOWS\System32\drivers\TSMAPIP.SYS
Address: 0xF79D9000 Size: 24576 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF6B16000 Size: 364160 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF7B0F000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF7929000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF7771000 Size: 59264 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF7029000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF7921000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF79B9000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF704D000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7601000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF77E1000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBADAD000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB7CAE000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: windrvr6.sys
Image Path: C:\WINDOWS\system32\drivers\windrvr6.sys
Address: 0xF6C90000 Size: 186720 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7AE3000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF7375000 Size: 12032 File Visible: - Signed: -
Status: -
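As an added example (not code from this thread, and not part of RootRepeal), here is a small Python parser for the "Drivers" section of a RootRepeal report in the layout posted above. It flags the entries a helper reads first: loaded modules with no name or path, driver images loaded from a Temp directory, and "File Visible: No" entries, while allow-listing the dump_* crash-dump copies and the scanner's own rootrepeal.sys in line with the false-positive caution given earlier in the thread. The sample input is constructed from five entries of the log above; the allow-list and reason strings are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample in the RootRepeal 1.3.5.0 layout posted above (5 of ~170 Drivers entries).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/08 09:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF74F4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF756B000 Size: 187776 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBA96E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: pxniqfow.sys
Image Path: C:\DOCUME~1\johnd\LOCALS~1\Temp\pxniqfow.sys
Address: 0xB7662000 Size: 93056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7919000 Size: 49152 File Visible: No Signed: -
Status: -
"""

@dataclass
class DriverEntry:
    name: str
    path: str
    address: int
    size: int
    file_visible: str  # RootRepeal prints "-" (nothing to report) or "No"
    signed: str
    status: str

# The Drivers section runs from its dashed underline to the next underlined
# section header (or the end of the report); entries are four-line blocks
# whose Name and Image Path may be empty, as in the log above.
SECTION_RE = re.compile(
    r"^Drivers\r?\n-{3,}\r?\n(?P<body>.*?)(?=^[^\n]+\r?\n-{3,}\r?\n|\Z)", re.M | re.S)
ENTRY_RE = re.compile(
    r"^Name:[ \t]*(?P<name>[^\r\n]*)\r?\n"
    r"Image Path:[ \t]*(?P<path>[^\r\n]*)\r?\n"
    r"Address:[ \t]*(?P<addr>0x[0-9A-Fa-f]+)[ \t]+Size:[ \t]*(?P<size>\d+)"
    r"[ \t]+File Visible:[ \t]*(?P<vis>\S+)[ \t]+Signed:[ \t]*(?P<signed>\S+)[ \t]*\r?\n"
    r"Status:[ \t]*(?P<status>[^\r\n]*)", re.M)

def parse_drivers(report: str) -> list:
    m = SECTION_RE.search(report)
    if not m:
        return []
    return [DriverEntry(e["name"].strip(), e["path"].strip(), int(e["addr"], 16),
                        int(e["size"]), e["vis"], e["signed"], e["status"].strip())
            for e in ENTRY_RE.finditer(m["body"])]

# A kernel driver loaded from a user's Temp directory deserves a second look.
TEMP_PATH_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
# Allow-list, in the spirit of the false-positive caution earlier in the thread:
# dump_* entries are the kernel's in-memory crash-dump copies of the storage
# stack (never present as files) and rootrepeal.sys is the scanner's own driver.
BENIGN_PREFIXES = ("dump_",)
DEFAULT_ALLOWLIST = frozenset({"rootrepeal.sys"})

def triage(report: str, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Return (entry, reasons) pairs for the drivers a helper would check first."""
    findings = []
    for d in parse_drivers(report):
        lname = d.name.lower()
        if lname in allowlist or lname.startswith(BENIGN_PREFIXES):
            continue
        reasons = []
        if not d.name or not d.path:
            reasons.append("loaded module reports no name or path")
        if TEMP_PATH_RE.search(d.path):
            reasons.append("driver image loaded from a Temp directory")
        if d.file_visible.lower() == "no":
            reasons.append("image file not visible on disk")
        if reasons:
            findings.append((d, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_REPORT):
        label = entry.name or f"<unnamed module at 0x{entry.address:08X}>"
        print(f"{label}: {'; '.join(reasons)}")
```

On the sample this reports the unnamed module at 0xF74F4000 and pxniqfow.sys, and nothing for ACPI.sys; a flagged entry is a pointer for a human to examine, not a verdict.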
Old 03-08-2010, 11:32 AM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Hello again, jstyle711.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
Old 03-08-2010, 12:41 PM   #9 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 15
OS: XP


Re: Cannot run either DDS or GMER

Here is my combofix log.

ComboFix 10-03-08.01 - johnd 2010-03-08 12:15:35.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.620 [GMT -8:00]
Running from: c:\documents and settings\johnd\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
c:\recycler\S-1-5-21-1979520706-1255675578-619646970-5081
C:\Thumbs.db
c:\windows\934fdfg34fgjf23
c:\windows\bf23567.dat
c:\windows\jmmark2.dat
c:\windows\system32\1755765356.dat
c:\windows\system32\twain_32.dll

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-08 07:47 . 2010-03-08 07:47 -------- d-----w- c:\documents and settings\cuongt\Local Settings\Application Data\Apple Computer
2010-03-08 07:46 . 2010-03-08 07:46 -------- d-----w- c:\documents and settings\cuongt\Application Data\Sony Ericsson
2010-03-08 07:45 . 2010-02-27 21:29 177928 ----a-w- C:\TDSSKiller.exe
2010-03-03 17:16 . 2009-06-22 19:43 174208 ----a-w- c:\documents and settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\Plugins\NPuroamHost.dll
2010-03-03 17:15 . 2009-08-20 16:19 10752 ----a-w- c:\windows\system32\drivers\urfltw2k.sys
2010-03-03 04:36 . 2010-03-03 04:39 -------- d-----w- c:\documents and settings\johnd\Local Settings\Application Data\Temp
2010-02-11 05:02 . 2010-02-11 05:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-11 04:37 . 2010-02-11 04:37 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 20:23 . 2006-11-19 06:26 12 ----a-w- c:\windows\bthservsdp.dat
2010-03-08 18:02 . 2006-11-15 07:48 98744 -c--a-w- c:\documents and settings\johnd\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 08:36 . 2008-09-23 05:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-03 08:02 . 2007-10-22 21:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-03-03 08:02 . 2006-11-14 06:14 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-03-03 08:01 . 2009-05-11 07:10 -------- d-----w- c:\program files\Panda Security
2010-03-03 08:00 . 2006-11-20 17:08 -------- d-----w- c:\program files\Google
2010-01-05 10:00 . 2005-10-21 20:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2001-08-23 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2001-08-23 11:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2006-01-25 15:12 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2002-08-29 09:40 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-12-06 07:35 . 2006-12-06 07:35 685549 -c--a-w- c:\program files\Hamachi.zip
.

------- Sigcheck -------

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 13:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2008-01-16 90112]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2008-01-16 217088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-16 155648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-07-12 17:45 109664 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-09-06 11:08 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 06:23 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll digiwet.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Java\\jre1.6.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV Link\\BTVD3DShell.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Devnz\\GBPVR\\PVRX2.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\mplayerc.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Common Files\\Teleca Shared\\CapabilityManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2006-11-17 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2006-11-17 5248]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-01-25 16384]
R2 SmiHlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2005-07-12 3328]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2009-08-20 33920]
S1 59940ec;59940ec;c:\windows\system32\drivers\59940ec.sys --> c:\windows\system32\drivers\59940ec.sys [?]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2010-03-03 10752]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-08-12 13352]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2006-01-25 12288]
.
Contents of the 'Scheduled Tasks' folder

2006-01-25 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-01-25 09:38]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: wpcuds.usace.army.mil
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\plugins\NPuroamHost.dll
FF - plugin: c:\documents and settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - f:\hijackthis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 12:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x869C0C08]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7625fc3
\Driver\ACPI -> ACPI.sys @ 0xf7571cb8
\Driver\atapi -> 0x869c0c08
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
NDIS: Intel(R) PRO/1000 MT Mobile Connection -> SendCompleteHandler -> NDIS.sys @ 0xf73eeba0
PacketIndicateHandler -> NDIS.sys @ 0xf73dda0b
SendHandler -> NDIS.sys @ 0xf73f1b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkVantage Fingerprint Software\ExtVapi.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\program files\Common Files\Virtual Token\resmgr.dll
c:\program files\Common Files\Virtual Token\Remote.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psfus.dll
c:\windows\system32\tphklock.dll
c:\program files\Common Files\Virtual Token\passport.dll
c:\program files\Common Files\Virtual Token\config.dll
c:\program files\Common Files\Virtual Token\LocPass.dll
c:\program files\Common Files\Virtual Token\SBioPass.dll
c:\program files\Common Files\Virtual Token\psdlg.dll

- - - - - - - > 'Explorer.exe'(2824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Devnz\GBPVR\GBPVRRecordingService.exe
c:\windows\System32\QCONSVC.EXE
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-08 12:34:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 20:34

Pre-Run: 18,840,436,736 bytes free
Post-Run: 20,077,113,344 bytes free

- - End Of File - - 61A0F4670A7FE27532ACD404EC9E8914
Old 03-08-2010, 01:45 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Hello again, jstyle711.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

I see you have P2P software ( LimeWire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here and here.

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

To open Notepad, go Start > Run and type Notepad then click 'OK'.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
Rootkit::
c:\windows\system32\drivers\59940ec.sys

FCopy::
c:\windows\system32\dllcache\atapi.sys | c:\windows\system32\drivers\atapi.sys

SRPeek::
c:\windows\system32\proquota.exe

RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Driver::
59940ec
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
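The log above and the CFScript chemist posted target three things an analyst picks out of a ComboFix log by eye: a service whose driver file is gone from disk, an extra DLL in the SecurityProviders value, and a driver hook that resolves to a bare kernel address instead of a named module. As an added example (not ComboFix's, GMER's or chemist's code), here is a Python script that runs those three checks over a sample constructed from the log lines in this thread; the SecurityProviders baseline it carries is an assumption and should be replaced with the value from your own known-good image.

```python
"""Triage checks over a ComboFix-style log.

This is an added example, not ComboFix's or GMER's own code. It scripts three
checks an analyst otherwise does by eye on the log posted above:
  1. service entries whose driver file is missing on disk ("--> ... [?]"),
  2. SecurityProviders DLLs beyond a known-good baseline,
  3. "detected MBR rootkit hooks" lines whose target is a bare address
     instead of a named module (the atapi driver line above).
SAMPLE_LOG is constructed from lines quoted in this thread.
"""
import re

# Baseline assumption: the SecurityProviders DLLs on a stock Windows XP SP2 box.
# Compare against a known-good image of your own rather than trusting this set.
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll digiwet.dll

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2006-11-17 156800]
S1 59940ec;59940ec;c:\windows\system32\drivers\59940ec.sys --> c:\windows\system32\drivers\59940ec.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-08-12 13352]

detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7625fc3
\Driver\ACPI -> ACPI.sys @ 0xf7571cb8
\Driver\atapi -> 0x869c0c08
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
Warning: possible MBR rootkit infection !
"""

# "R0 name;display name;path [date size]", or "... path --> path [?]" when the file is missing
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
HOOK_RE = re.compile(r"^(?P<source>\S+)\s+->\s+(?P<target>.+)$")
BARE_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def missing_driver_services(log):
    """Return (service name, path) for services whose file ComboFix could not find."""
    found = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m is None or not m.group("rest").rstrip().endswith("[?]"):
            continue
        # rest reads "<path> --> <path> [?]"; the first path is the registered one
        path = m.group("rest").split(" --> ")[0].strip()
        found.append((m.group("name"), path))
    return found


def unexpected_security_providers(log, known=KNOWN_SECURITY_PROVIDERS):
    """Return the DLL names in the SecurityProviders line that are not in the baseline."""
    for line in log.splitlines():
        if line.startswith("SecurityProviders "):
            return [p for p in line.split()[1:] if p.lower() not in known]
    return []


def unnamed_hooks(log):
    """Return (hooked object, address) for hook lines whose target names no module."""
    found = []
    in_section = False
    for line in log.splitlines():
        if line.startswith("detected MBR rootkit hooks:"):
            in_section = True
            continue
        if in_section and not line.strip():
            break  # a blank line ends the hook section
        if not in_section:
            continue
        m = HOOK_RE.match(line)
        if m and BARE_ADDRESS_RE.match(m.group("target").strip()):
            found.append((m.group("source"), m.group("target").strip()))
    return found


def triage(log):
    """Run all three checks and return the findings as a dict."""
    return {
        "missing_driver_services": missing_driver_services(log),
        "unexpected_security_providers": unexpected_security_providers(log),
        "unnamed_hooks": unnamed_hooks(log),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits if hits else 'none'}")
```

Each finding maps onto one section of the CFScript above: the missing-file service is what the Driver:: and Rootkit:: sections remove, the extra provider DLL is what the Registry:: section overwrites, and the bare-address hook is why the FCopy:: section restores atapi.sys from dllcache.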
Old 03-08-2010, 07:59 PM   #11 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 15
OS: XP


Re: Cannot run either DDS or GMER

I uninstalled Limewire and below is my combofix log.

ComboFix 10-03-08.01 - johnd 2010-03-08 14:57:21.11.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.611 [GMT -8:00]
Running from: c:\documents and settings\johnd\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\johnd\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_59940ec


((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-08 07:47 . 2010-03-08 07:47 -------- d-----w- c:\documents and settings\cuongt\Local Settings\Application Data\Apple Computer
2010-03-08 07:46 . 2010-03-08 07:46 -------- d-----w- c:\documents and settings\cuongt\Application Data\Sony Ericsson
2010-03-08 07:45 . 2010-02-27 21:29 177928 ----a-w- C:\TDSSKiller.exe
2010-03-03 17:16 . 2009-06-22 19:43 174208 ----a-w- c:\documents and settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\Plugins\NPuroamHost.dll
2010-03-03 17:15 . 2009-08-20 16:19 10752 ----a-w- c:\windows\system32\drivers\urfltw2k.sys
2010-03-03 04:36 . 2010-03-03 04:39 -------- d-----w- c:\documents and settings\johnd\Local Settings\Application Data\Temp
2010-02-11 05:02 . 2010-02-11 05:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-11 04:37 . 2010-02-11 04:37 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 23:05 . 2006-11-19 06:26 12 ----a-w- c:\windows\bthservsdp.dat
2010-03-08 22:48 . 2008-04-10 01:36 -------- d-----w- c:\program files\LimeWire
2010-03-08 18:02 . 2006-11-15 07:48 98744 -c--a-w- c:\documents and settings\johnd\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 08:36 . 2008-09-23 05:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-03 08:02 . 2007-10-22 21:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-03-03 08:02 . 2006-11-14 06:14 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-03-03 08:01 . 2009-05-11 07:10 -------- d-----w- c:\program files\Panda Security
2010-03-03 08:00 . 2006-11-20 17:08 -------- d-----w- c:\program files\Google
2010-01-05 10:00 . 2005-10-21 20:51 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2001-08-23 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2001-08-23 11:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2006-01-25 15:12 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2002-08-29 09:40 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-12-06 07:35 . 2006-12-06 07:35 685549 -c--a-w- c:\program files\Hamachi.zip
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 21:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2008-01-16 90112]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2008-01-16 217088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-16 155648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-07-12 17:45 109664 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-09-06 11:08 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 06:23 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Java\\jre1.6.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV Link\\BTVD3DShell.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Devnz\\GBPVR\\PVRX2.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\mplayerc.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Common Files\\Teleca Shared\\CapabilityManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2006-11-17 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2006-11-17 5248]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-01-25 16384]
R2 SmiHlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2005-07-12 3328]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2009-08-20 33920]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2010-03-03 10752]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-08-12 13352]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2006-01-25 12288]
.
Contents of the 'Scheduled Tasks' folder

2006-01-25 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2006-01-25 09:38]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: wpcuds.usace.army.mil
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\plugins\NPuroamHost.dll
FF - plugin: c:\documents and settings\johnd\Application Data\Mozilla\Firefox\Profiles\rbbyifo1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 15:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86C9AAE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7661fc3
\Driver\ACPI -> ACPI.sys @ 0xf75adcb8
\Driver\atapi -> 0x86c9aae8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
NDIS: Intel(R) PRO/1000 MT Mobile Connection -> SendCompleteHandler -> NDIS.sys @ 0xf742aba0
PacketIndicateHandler -> NDIS.sys @ 0xf7419a0b
SendHandler -> NDIS.sys @ 0xf742db31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkVantage Fingerprint Software\ExtVapi.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\program files\Common Files\Virtual Token\resmgr.dll
c:\program files\Common Files\Virtual Token\Remote.dll
c:\program files\Common Files\Virtual Token\passport.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psfus.dll
c:\windows\system32\tphklock.dll
c:\program files\Common Files\Virtual Token\config.dll
c:\program files\Common Files\Virtual Token\LocPass.dll
c:\program files\Common Files\Virtual Token\SBioPass.dll
c:\program files\Common Files\Virtual Token\psdlg.dll

- - - - - - - > 'Explorer.exe'(3436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Devnz\GBPVR\GBPVRRecordingService.exe
c:\windows\System32\QCONSVC.EXE
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-08 15:14:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 23:14
ComboFix2.txt 2010-03-08 20:34

Pre-Run: 20,107,247,616 bytes free
Post-Run: 20,078,055,424 bytes free

- - End Of File - - FE3E5BC674CFF433369A5A9D2A490A89
Old 03-09-2010, 04:48 AM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Hello again, jstyle711. Do you have access to another XP machine? If so, please get a copy of this file:

c:\windows\system32\proquota.exe

Save it to a USB drive and copy it to this folder c:\windows\system32 on your machine.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c peV -ltf "%systemdrive%\proquota.exe" >log.txt&log.txt&del log.txt

A Notepad file will open. Post the contents of log.txt in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 03-10-2010, 02:05 PM   #13 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 15
OS: XP


Re: Cannot run either DDS or GMER

I grabbed the proquota.exe file from my work computer and did what you told me to.

In doing so, I was prompted with a window saying I need to insert a Windows XP cd in order to restore the original file.

CMD stays open and the log.txt file contains no data. =|
Old 03-10-2010, 03:08 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Hello again, jstyle711. Sorry, I should have mentioned you needed a copy from an XP machine with SP2. Your work machine is likely SP3.

Do you have a folder named I386 on your recovery partition (usually your D: drive)? Or, do you have an XP SP2 CD, or can you borrow one? If so, let me know. If not, you will have to upgrade to SP3 when we are done.

------------------------------------------------------

Print out these instructions to use while in the Recovery Console or read off another computer:

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. If prompted for Administrator password, enter it and press 'Enter', or if no password, just press 'Enter'.
6. At the C:\Windows prompt, type the following bolded entries, one at a time, and press 'Enter' (note the spaces):

cd system32\drivers

ren atapi.sys atapi.sys.vir

copy ..\dllcache\atapi.sys

7. You should get the message '1 file<s> copied'. If you did, go to step 10.

8. If you did not get the message '1 file<s> copied', try all 3 commands again, making sure there are no typos.

9. If you still don't get the message '1 file<s> copied', stop now and let me know from another computer.

10. Type exit and press 'Enter'. Your computer should reboot.

------------------------------------------------------

If the previous steps were successful, do the following:

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
peV -c##5#b#f# %systemdrive%\atapi.sys > log.txt
notepad log.txt
exit
Save this as peek.bat. Choose to Save type as - All Files, then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run.

A Notepad file will open. Copy/paste that information into your next reply, please.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 03-10-2010, 09:17 PM   #15 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 15
OS: XP


Re: Cannot run either DDS or GMER

Currently @ the stage of typing in "ren atapi.sys atapi.sys.vir"

It responds that I currently have the file atapi.sys.

I go on to type in "copy ..\dllcache\atapi.sys" and instead of the message "1 file<s> copied" it asks me if I would like to overwrite the file atapi.sys.

Do I go about overwriting the file and continue with your steps? I feel that dealing with anything in the system32 folder is serious business and I don't want to mess anything up because I "thought" it might have been right.

Thanks
Old 03-11-2010, 04:52 AM   #16 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Answer Yes to overwriting the file and continue.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 03-12-2010, 06:13 PM   #17 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 15
OS: XP


Re: Cannot run either DDS or GMER

Followed your instructions and it created a log.txt file which contained the following:

CDFE4411A69C224BD1D11B2DA92DAC51 C:\WINDOWS\system32\dllcache\atapi.sys
!HASH: COULD NOT OPEN FILE !!!!! C:\WINDOWS\system32\drivers\ATAPI.SYS
95B858761A00E1D4F81F79A0DA019ACA C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
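The peek.bat step in post #14 and the three-line result in post #17 come down to one comparison: the same driver hashed in each of the places Windows keeps a copy, where a copy that cannot be read at all is the loudest signal of the three. As an added example (not peV's or ComboFix's code), this Python script does that comparison and classifies each copy relative to the dllcache copy taken as the reference; demo() builds a constructed scenario in a temporary directory, with a missing file standing in for the copy that could not be opened.

```python
"""Hash-compare the copies Windows keeps of one system driver.

Added example, not the code of peV or ComboFix's Sigcheck. It does what the
peek.bat output above shows by hand: MD5 each copy of atapi.sys in the
drivers, dllcache and ReinstallBackups folders, compare against the dllcache
copy used as the reference, and treat a copy that cannot be read at all as a
finding in its own right (the "!HASH: COULD NOT OPEN FILE" result above).
demo() builds a constructed scenario in a temporary directory; a missing file
stands in for the unreadable copy.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def md5_of(path):
    """MD5 hex digest (upper case, as peV prints it), or None when the file cannot be opened or read."""
    digest = hashlib.md5()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest().upper()


def compare_copies(reference, others):
    """Map each path to (status, hash) relative to the reference copy.

    status is "reference", "ok" (same hash), "mismatch" (different hash) or
    "unreadable" (open/read failed). A reference that is itself unreadable
    makes every readable copy a "mismatch", since nothing can vouch for it.
    """
    ref_hash = md5_of(reference)
    report = {reference: ("reference" if ref_hash else "unreadable", ref_hash)}
    for path in others:
        h = md5_of(path)
        if h is None:
            status = "unreadable"
        elif ref_hash is not None and h == ref_hash:
            status = "ok"
        else:
            status = "mismatch"
        report[path] = (status, h)
    return report


def demo():
    """Constructed scenario: intact dllcache copy, altered drivers copy, absent backup copy."""
    with tempfile.TemporaryDirectory() as root:
        paths = {name: os.path.join(root, name, "atapi.sys")
                 for name in ("dllcache", "drivers", "ReinstallBackups")}
        os.makedirs(os.path.dirname(paths["dllcache"]))
        os.makedirs(os.path.dirname(paths["drivers"]))
        # Constructed stand-ins for a driver image; the drivers copy has extra bytes appended.
        with open(paths["dllcache"], "wb") as fh:
            fh.write(b"MZ constructed driver image")
        with open(paths["drivers"], "wb") as fh:
            fh.write(b"MZ constructed driver image" + b" altered")
        report = compare_copies(paths["dllcache"], [paths["drivers"], paths["ReinstallBackups"]])
        # Key the result by containing folder so it reads like the peV lines above.
        return {os.path.basename(os.path.dirname(p)): status for p, (status, _) in report.items()}


if __name__ == "__main__":
    for folder, status in demo().items():
        print(f"{folder:18s} {status}")
```

On a real machine the paths would be the three atapi.sys locations from the Sigcheck section, and the reference hash would be checked against a copy from clean install media rather than trusted on its own, since the dllcache copy is only as good as the last time File Protection refreshed it.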
Old 03-12-2010, 06:57 PM   #18 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Hello again, jstyle711. Sorry, but that didn't work. I just did the same on my test box and I don't get the messages you got. And it worked fine.

Does gmer still close? Please try again.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 03-12-2010, 08:29 PM   #19 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 15
OS: XP


Re: Cannot run either DDS or GMER

GMER still closes :(
Old 03-12-2010, 09:36 PM   #20 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 14,892
OS: XP SP3; Win 7 32/64-bit


Re: Cannot run either DDS or GMER

Hello again, jstyle711.

Download The Avenger2 by Swandog46 from here
  • Unzip/extract it to a folder on your desktop.
  • Double-click on avenger.exe to run The Avenger
  • Click OK
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy/paste the following text in the codebox below into the 'Input script here:' box.

    Code:
    files to move:
    c:\windows\system32\dllcache\atapi.sys|c:\windows\system32\drivers\atapi.sys
  • Click Execute
  • Click Yes
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
  • Click Yes
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
------------------------------------------------------

No matter how many times Avenger rebooted your computer, please reboot your machine once more. This is important.

------------------------------------------------------

Double-click on peek.bat and allow it to run.

A Notepad file will open. Copy/paste that information into your next reply, please.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE

Last edited by chemist; 03-13-2010 at 04:40 AM.
 


Copyright 2001 - 2010, Tech Support Forum