Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Persistent Infection reoccuring files C:\WINDOWS\system32\lsprst7.dll,nsprs.dll,tmpPrst.dll,serauth*.dll


  • This topic is locked This topic is locked
28 replies to this topic

#1 tnoftsger

tnoftsger

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 27 March 2009 - 02:30 PM

Between MalwareBytes and others these file regenerate:

C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\nsprs.dll
C:\WINDOWS\system32\tmpPrst.dll
C:\WINDOWS\system32\serauth1.dll
C:\WINDOWS\system32\serauth2.dll
C:\WINDOWS\system32\lsprst7.tgz
C:\WINDOWS\system32\CF26752.exe

Google searches refer to numerous names of trojans


DDS (Ver_09-03-16.01) - NTFSx86
Run by tnoftsger at 15:19:37.48 on 2009-03-27
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1506 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\Rainbow Technologies\SentinelLM 7.1.0 Server\English\lservnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\tnoftsger\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WinampAgent] "d:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NWTRAY] NWTRAY.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
StartupFolder: c:\docume~1\tnofts~1\startm~1\programs\startup\MICROS~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207232951508
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207082870068
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {A180D1CB-0884-45CF-ADF5-A26997FAACD5} = 204.152.114.181,204.152.114.182
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: Icovacon - {D9666B03-BD81-4C2D-8584-2DF38A11132B} - c:\windows\system32\ceribbas.dll
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tnofts~1\applic~1\mozilla\firefox\profiles\qdxi2v8a.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-4 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-4 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-4 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090318.001\IDSXpx86.sys [2009-3-23 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-4 115560]
R2 SentinelLM;SentinelLM;d:\program files\rainbow technologies\sentinellm 7.1.0 server\english\lservnt.exe [2009-1-20 555520]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090327.005\NAVENG.SYS [2009-3-27 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090327.005\NAVEX15.SYS [2009-3-27 876144]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-10-23 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-10-23 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-23 42112]
S3 NGPSSER;NGPSSER;c:\windows\system32\drivers\ngpsser.sys [2008-11-24 91520]
S3 NGPSUSB;NGPSUSB;c:\windows\system32\drivers\ngpsusb.sys [2008-11-24 76928]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-31 1245064]

=============== Created Last 30 ================

2009-03-27 15:04 1,025 a------- c:\windows\system32\serauth2.dll
2009-03-27 15:04 1,025 a------- c:\windows\system32\serauth1.dll
2009-03-27 15:04 87 a------- c:\windows\system32\nsprs.tgz
2009-03-27 15:04 73 a------- c:\windows\system32\nsprs.dll
2009-03-27 15:04 0 a------- c:\windows\system32\tmpPrst.dll
2009-03-27 15:04 0 a------- c:\windows\system32\lsprst7.dll
2009-03-27 14:20 389,120 a------- c:\windows\system32\CF26752.exe
2009-03-27 14:20 <DIR> --d----- C:\ComboFix
2009-03-27 13:47 161,792 a------- c:\windows\SWREG.exe
2009-03-27 13:47 98,816 a------- c:\windows\sed.exe
2009-03-27 09:57 <DIR> --d----- c:\documents and settings\tnoftsger\DoctorWeb
2009-03-26 16:46 229,376 a------- c:\windows\system32\deluwwin.dll
2009-03-25 09:17 <DIR> --d----- c:\program files\Coupons
2009-03-23 14:13 5,632 a------- c:\windows\system32\udcpm.dll
2009-03-23 14:13 <DIR> --d--r-- C:\UDC Output Files
2009-03-23 14:13 <DIR> --d----- c:\program files\Universal Document Converter
2009-03-23 13:49 <DIR> --d----- c:\program files\LizardTech
2009-03-20 13:40 <DIR> --d----- c:\windows\system32\Adobe
2009-03-13 12:59 <DIR> --d----- c:\program files\AvantGo Connect
2009-03-13 12:58 2,464 a------- c:\windows\$_hpcst$.hpc
2009-03-13 12:58 114,688 a------- c:\windows\system32\malslib.dll
2009-03-13 12:58 77,899 a------- c:\windows\system32\rapi.dll
2009-03-13 12:58 69,632 a------- c:\windows\system32\mbllnk.cpl
2009-03-13 12:58 65,615 a------- c:\windows\system32\pmailext.dll
2009-03-13 12:58 65,613 a------- c:\windows\system32\ppvexp.dll
2009-03-13 12:58 57,423 a------- c:\windows\system32\MsgStRPC.dll
2009-03-13 12:58 36,942 a------- c:\windows\system32\ppcload.dll
2009-03-13 12:58 24,653 a------- c:\windows\system32\ceutil.dll
2009-03-13 12:58 24,652 a------- c:\windows\system32\uicom.dll
2009-03-13 12:40 57,422 a------- c:\windows\system32\mobileV.acm
2009-03-13 12:37 2,510 a------- c:\windows\Microsoft.MIF
2009-03-11 14:11 <DIR> --d----- C:\adobe fix
2009-03-11 10:19 <DIR> --d----- C:\UBCD4Win
2009-03-11 07:08 <DIR> --d--r-- c:\program files\Norton Support
2009-03-05 08:50 <DIR> --d----- c:\docume~1\tnofts~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-04 13:49 11 a------- c:\windows\NetWare.INI
2009-02-26 12:04 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-02-26 12:04 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-26 12:04 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-26 12:04 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-26 12:04 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-26 12:04 <DIR> --d----- c:\program files\Symantec
2009-02-26 12:04 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-02-26 12:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-02-26 12:04 <DIR> --d----- c:\program files\NortonInstaller
2009-02-26 12:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-02-26 11:25 <DIR> --d----- c:\windows\system32\novell
2009-02-26 11:25 823,296 -------- c:\windows\system32\ccsw32.dll
2009-02-26 11:25 <DIR> --d----- c:\windows\system\nls
2009-02-26 11:25 <DIR> --d----- c:\windows\system32\NetWare
2009-02-26 11:19 <DIR> --d----- c:\program files\CUAgent
2009-02-26 11:19 <DIR> --d----- c:\windows\system32\nls
2009-02-26 11:18 <DIR> --d----- C:\Novell

==================== Find3M ====================

2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-02 16:53 57,448 a------- c:\docume~1\tnofts~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-05 15:44 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-01-14 16:38 2,048 a------- c:\windows\system32\sysprs7.dll
2009-01-13 11:30 49,152 a------- c:\windows\system32\ArmAccess.dll
2009-01-07 13:45 104,474 a------- c:\windows\HPFins09.dat
2008-09-11 13:50 92,064 a------- c:\documents and settings\tnoftsger\mqdmmdm.sys
2008-09-11 13:50 79,328 a------- c:\documents and settings\tnoftsger\mqdmserd.sys
2008-09-11 13:50 66,656 a------- c:\documents and settings\tnoftsger\mqdmbus.sys
2008-09-11 13:50 25,600 a------- c:\documents and settings\tnoftsger\usbsermptxp.sys
2008-09-11 13:50 22,768 a------- c:\documents and settings\tnoftsger\usbsermpt.sys
2008-09-11 13:50 9,232 a------- c:\documents and settings\tnoftsger\mqdmmdfl.sys
2008-09-11 13:50 6,208 a------- c:\documents and settings\tnoftsger\mqdmcmnt.sys
2008-09-11 13:50 5,936 a------- c:\documents and settings\tnoftsger\mqdmwhnt.sys
2008-09-11 13:50 4,048 a------- c:\documents and settings\tnoftsger\mqdmcr.sys
2008-09-18 16:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091820080919\index.dat

============= FINISH: 15:19:55.53 ===============

I think i need help!!!

i use mozilla foxfire and it crashed will little provocation or new tabs are redirected to websites that spyware doctor is currently blocking.

Attached Files



BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:10 AM

Posted 27 March 2009 - 07:18 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 tnoftsger

tnoftsger
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 30 March 2009 - 07:20 AM

Thanks Sam,

Here is the OTListIt2 Report:

OTListIt logfile created on: 2009-03-30 06:56:41 - Run 1
OTListIt2 by OldTimer - Version 2.0.7.2 Folder = C:\Documents and Settings\tnoftsger\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

2.00 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 68.94% Memory free
3.85 Gb Paging File | 3.42 Gb Available in Paging File | 88.92% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.18 Gb Total Space | 16.00 Gb Free Space | 46.82% Space Free | Partition Type: NTFS
Drive D: | 34.76 Gb Total Space | 12.94 Gb Free Space | 37.23% Space Free | Partition Type: NTFS
Drive E: | 0.88 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 221.61 Gb Total Space | 167.79 Gb Free Space | 75.71% Space Free | Partition Type: NTFS
Drive P: | 124.41 Gb Total Space | 75.32 Gb Free Space | 60.54% Space Free | Partition Type: NTFS
Drive Q: | 116.84 Gb Total Space | 17.72 Gb Free Space | 15.16% Space Free | Partition Type: NWFS
Drive U: | 124.41 Gb Total Space | 75.32 Gb Free Space | 60.54% Space Free | Partition Type: NTFS
Drive Z: | 116.84 Gb Total Space | 17.72 Gb Free Space | 15.16% Space Free | Partition Type: NWFS

Computer Name: TNOFTSGER
Current User Name: tnoftsger
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2007-10-24 02:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PRC - [2008-12-15 07:27:32 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2001-02-23 11:07:30 | 00,270,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PRC - [2009-02-27 07:02:14 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
PRC - [2007-12-05 02:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007-08-09 03:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2000-07-17 08:10:00 | 00,555,520 | ---- | M] () -- d:\Program Files\Rainbow Technologies\SentinelLM 7.1.0 Server\English\lservnt.exe
PRC - [2009-02-27 07:02:14 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
PRC - [2009-03-09 11:49:18 | 00,037,888 | ---- | M] () -- D:\Program Files\Winamp\winampa.exe
PRC - [2002-03-12 12:37:28 | 00,028,672 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NWTRAY.EXE
PRC - [2008-06-10 13:56:32 | 01,406,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2008-04-23 02:08:13 | 00,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
PRC - [2008-04-13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2005-09-24 01:28:44 | 00,282,624 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2005-09-24 01:42:32 | 00,475,136 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2008-04-13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.exe
PRC - [2004-08-04 00:56:52 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009-02-27 07:02:15 | 00,442,224 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\mcui32.exe
PRC - [2009-03-30 06:56:22 | 00,498,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\tnoftsger\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2009-03-11 14:12:24 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2007-10-24 02:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008-02-22 16:13:48 | 00,085,096 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
SRV - [2007-03-23 11:24:04 | 00,902,760 | ---- | M] (Autodesk, Inc.) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe -- (Autodesk Network Licensing Service [On_Demand | Stopped])
SRV - [2007-10-24 02:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [Auto | Running])
SRV - [2006-08-11 16:51:04 | 00,028,672 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\cusrvc.exe -- (cusrvc [On_Demand | Stopped])
SRV - [2007-10-09 13:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009-03-23 20:02:30 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008-04-13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005-05-20 11:37:12 | 00,081,920 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE -- (HP Port Resolver [On_Demand | Stopped])
SRV - [2004-10-16 06:31:06 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE -- (HP Status Server [On_Demand | Stopped])
SRV - [2007-10-11 10:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008-12-15 07:27:32 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2001-02-23 11:07:30 | 00,270,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe -- (MDM [Auto | Running])
SRV - [2007-10-11 10:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2009-02-27 07:02:14 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe -- (Norton AntiVirus [Auto | Running])
SRV - [2007-12-05 02:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2007-08-09 03:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2000-07-17 08:10:00 | 00,555,520 | ---- | M] () -- d:\Program Files\Rainbow Technologies\SentinelLM 7.1.0 Server\English\lservnt.exe -- (SentinelLM [Auto | Running])
SRV - [2008-07-25 08:12:12 | 01,245,064 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [On_Demand | Stopped])
SRV - [2006-10-18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009-02-27 07:02:23 | 00,258,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NAV\1005000.086\BHDrvx86.sys -- (BHDrvx86 [System | Running])
DRV - [2005-05-31 15:11:08 | 00,030,189 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\DRIVERS\btwmodem.sys -- (btwmodem [On_Demand | Stopped])
DRV - [2009-03-04 11:49:24 | 00,482,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NAV\1005000.086\ccHPx86.sys -- (ccHP [System | Running])
DRV - [1997-08-07 05:03:02 | 00,007,328 | ---- | M] () -- C:\WINDOWS\SYSTEM32\drivers\DS1410D.SYS -- (DS1410D [Auto | Running])
DRV - [2007-12-11 14:34:40 | 00,242,320 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e1e5132.sys -- (e1express [On_Demand | Running])
DRV - [2009-02-26 05:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2001-08-17 13:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\system32\DRIVERS\el90xbc5.sys -- (EL90XBC [On_Demand | Running])
DRV - [2009-02-26 05:00:00 | 00,101,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2008-04-13 12:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005-10-27 05:52:18 | 00,049,664 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2005-10-21 20:58:58 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2005-10-22 08:22:48 | 00,021,568 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2005-10-12 08:07:12 | 00,874,240 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2009-01-29 17:50:18 | 00,276,344 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090318.001\IDSxpx86.sys -- (IDSxpx86 [System | Running])
DRV - [2008-08-21 19:49:22 | 00,018,688 | ---- | M] (Motorola) -- C:\WINDOWS\system32\DRIVERS\motccgp.sys -- (motccgp [On_Demand | Stopped])
DRV - [2008-08-21 19:49:56 | 00,008,320 | ---- | M] (Motorola) -- C:\WINDOWS\system32\DRIVERS\motccgpfl.sys -- (motccgpfl [On_Demand | Stopped])
DRV - [2007-10-10 18:41:50 | 00,042,112 | ---- | M] (Motorola Inc) -- C:\WINDOWS\system32\DRIVERS\motodrv.sys -- (MotDev [On_Demand | Stopped])
DRV - [2007-06-18 15:18:26 | 00,023,680 | ---- | M] (Motorola) -- C:\WINDOWS\system32\DRIVERS\motmodem.sys -- (motmodem [On_Demand | Stopped])
DRV - [2007-08-15 08:27:18 | 00,009,600 | ---- | M] () -- C:\WINDOWS\System32\Drivers\n558.sys -- (n558 [On_Demand | Stopped])
DRV - [2009-02-26 05:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090329.021\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009-02-26 05:00:00 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090329.021\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2007-06-21 15:03:08 | 00,513,664 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwfs.sys -- (NetwareWorkstation [Auto | Running])
DRV - [2006-03-02 16:13:08 | 00,091,520 | ---- | M] (NovAtel Inc.) -- C:\WINDOWS\system32\drivers\ngpsser.sys -- (NGPSSER [On_Demand | Stopped])
DRV - [2006-03-02 16:13:08 | 00,076,928 | ---- | M] (NovAtel Inc.) -- C:\WINDOWS\system32\drivers\ngpsusb.sys -- (NGPSUSB [On_Demand | Stopped])
DRV - [2006-03-03 18:50:48 | 00,038,416 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\drivers\nicm.sys -- (NICM [Boot | Running])
DRV - [2008-06-09 14:12:06 | 00,018,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\NuidFltr.sys -- (NuidFltr [On_Demand | Stopped])
DRV - [2007-12-05 02:41:00 | 07,435,392 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2005-11-22 11:51:22 | 00,018,353 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwdhcp.sys -- (NWDHCP [On_Demand | Running])
DRV - [2006-10-27 17:53:48 | 00,043,568 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwdns.sys -- (NWDNS [On_Demand | Running])
DRV - [2005-05-26 19:14:00 | 00,015,891 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwfilter.sys -- (NWFILTER [Boot | Running])
DRV - [2005-10-12 14:12:18 | 00,009,297 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\NWHOST.sys -- (NWHOST [On_Demand | Running])
DRV - [2003-02-26 15:51:18 | 00,023,232 | ---- | M] () -- C:\WINDOWS\system32\NetWare\NWSAP.sys -- (NWSAP [On_Demand | Stopped])
DRV - [2005-10-27 17:15:14 | 00,039,731 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwsipx32.sys -- (NWSIPX32 [Auto | Stopped])
DRV - [2005-01-03 15:51:38 | 00,020,332 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwslp.sys -- (NWSLP [On_Demand | Running])
DRV - [2005-10-12 14:11:32 | 00,006,128 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\NWSNS.sys -- (NWSNS [On_Demand | Running])
DRV - [2008-12-04 12:34:32 | 00,027,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\point32.sys -- (Point32 [On_Demand | Running])
DRV - [2001-08-23 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007-03-07 19:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004-06-01 19:19:34 | 00,027,249 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\resmgr.sys -- (RESMGR [Auto | Running])
DRV - [2007-11-13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007-03-16 15:59:40 | 00,054,272 | ---- | M] (Sonic Focus, Inc) -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32 [On_Demand | Running])
DRV - [2009-02-27 07:02:23 | 00,307,760 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NAV\1005000.086\SRTSP.SYS -- (SRTSP [System | Running])
DRV - [2009-02-27 07:02:23 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1005000.086\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2006-09-25 10:54:54 | 00,160,209 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\srvloc.sys -- (SRVLOC [Auto | Running])
DRV - [2006-07-24 17:05:00 | 00,005,632 | ---- | M] () -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen [System | Running])
DRV - [2008-05-06 17:17:22 | 01,271,032 | ---- | M] (IDT, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
DRV - [2009-02-27 07:02:23 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMEFA.SYS -- (SymEFA [Boot | Running])
DRV - [2009-03-04 11:49:37 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2009-02-27 07:02:23 | 00,089,776 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NAV\1005000.086\SYMFW.SYS -- (SYMFW [On_Demand | Running])
DRV - [2009-02-27 07:02:23 | 00,034,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NAV\1005000.086\SYMIDS.SYS -- (SYMIDS [On_Demand | Running])
DRV - [2009-02-27 07:02:15 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\DRIVERS\SymIM.sys -- (SymIM [On_Demand | Stopped])
DRV - [2009-02-27 07:02:15 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\DRIVERS\SymIM.sys -- (SymIMMP [On_Demand | Running])
DRV - [2009-02-27 07:02:23 | 00,037,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NAV\1005000.086\SYMNDIS.SYS -- (SYMNDIS [On_Demand | Running])
DRV - [2009-02-27 07:02:23 | 00,217,392 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NAV\1005000.086\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2008-03-18 06:42:13 | 00,023,600 | ---- | M] (EnTech Taiwan) -- C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS -- (TVICHW32 [On_Demand | Stopped])
DRV - [2008-03-13 16:08:54 | 00,022,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usbsermpt.sys -- (usbsermpt [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-816959666-2918063317-318358597-1610\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-816959666-2918063317-318358597-1610\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-816959666-2918063317-318358597-1610\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-816959666-2918063317-318358597-1610\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-816959666-2918063317-318358597-1610\S-1-5-21-816959666-2918063317-318358597-1610\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {08D5008D-5AD0-4E2F-B2BE-A00EFBD6F6CD}:1.0
FF - prefs.js..extensions.enabledItems: {8545daff-ad1e-493f-a37e-eed1ac79682b}:1.0
FF - prefs.js..extensions.enabledItems: {9B4BEBCE-0CC2-4B05-9F43-BED9F0A317DF}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009-03-27 08:40:49 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.7\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009-03-27 08:40:41 | 00,000,000 | ---D | M]

[2009-03-27 08:40:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\tnoftsger\Application Data\mozilla\Extensions
[2009-03-27 08:40:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\tnoftsger\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009-03-10 10:41:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\tnoftsger\Application Data\mozilla\Extensions\[email protected]
[2009-03-27 08:40:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\tnoftsger\Application Data\mozilla\Firefox\Profiles\qdxi2v8a.default\extensions
[2009-03-27 15:55:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009-03-11 07:17:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{08D5008D-5AD0-4E2F-B2BE-A00EFBD6F6CD}
[2009-03-27 08:40:41 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009-03-10 10:56:46 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{9B4BEBCE-0CC2-4B05-9F43-BED9F0A317DF}
[2009-02-19 21:43:33 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009-02-19 21:43:34 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009-02-19 15:33:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009-02-19 15:33:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009-02-19 15:33:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009-02-19 15:33:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009-02-19 15:33:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009-02-19 15:33:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009-02-19 15:33:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-816959666-2918063317-318358597-1610\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-816959666-2918063317-318358597-1610\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-816959666-2918063317-318358597-1610\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NWTRAY] NWTRAY.EXE (Novell, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe" ()
O4 - HKU\S-1-5-21-816959666-2918063317-318358597-1610..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKLM..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce (Symantec Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe (Autodesk, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\tnoftsger\Start Menu\Programs\Startup\Microsoft Outlook.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: CompatibleRUPSecurity = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-816959666-2918063317-318358597-1610\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-816959666-2918063317-318358597-1610\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-816959666-2918063317-318358597-1610\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-816959666-2918063317-318358597-1610\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-816959666-2918063317-318358597-1610_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [Bluetooth Namespace] - C:\WINDOWS\system32\wshbth.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [Novell Directory Services Name Provider] - C:\WINDOWS\system32\netware\NWWS2NDS.DLL (Novell, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [Novell IPX/SPX SAP Name Provider] - C:\WINDOWS\system32\netware\NWWS2SAP.DLL (Novell, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [Novell SLP Provider] - C:\WINDOWS\system32\netware\NWWS2SLP.DLL (Novell, Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1207232951508 (WUWebControl Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1207082870068 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} http://www.programchecker.com/dll/nixon.cab (Zenturi Active Programs Control)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CMWRICHMOND.COM
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{A180D1CB-0884-45CF-ADF5-A26997FAACD5}\\NameServer = 204.152.114.181,204.152.114.182
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\jpip {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll (Lizardtech Software)
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sidlet {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll (Lizardtech Software)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (NWGINA.DLL) - C:\WINDOWS\system32\NWGINA.DLL (Novell, Inc.)
O21 - SSODL: Icovacon - {D9666B03-BD81-4C2D-8584-2DF38A11132B} - C:\WINDOWS\system32\ceribbas.dll File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (nwv1_0) - C:\WINDOWS\System32\nwv1_0.dll (Novell, Inc.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008-02-21 09:58:15 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008-07-22 08:48:39 | 00,001,429 | ---- | M] () - C:\autosave.fil -- [ NTFS ]
O32 - AutoRun File - File not found - -- [ NTFS ]
O32 - AutoRun File - [2007-12-18 13:40:34 | 17,161,728 | ---- | M] () - Z:\autocad_architecture_2008sp1.msp -- [ NWFS ]
O32 - AutoRun File - File not found - -- [ NWFS ]
O32 - AutoRun File - File not found - -- [ NWFS ]
O32 - AutoRun File - [1999-06-02 18:13:26 | 00,000,000 | ---D | M] - Z:\AutoCAD2000 -- [ NWFS ]
O32 - AutoRun File - [2007-08-13 13:15:44 | 00,000,000 | ---D | M] - Z:\AutoCAD2008 -- [ NWFS ]
O33 - MountPoints2\{7aa7bdba-75c3-11dd-b768-000a5e40fe71}\Shell\AutoRun\command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{7aa7bdba-75c3-11dd-b768-000a5e40fe71}\Shell\Shell00\Command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{7aa7bdba-75c3-11dd-b768-000a5e40fe71}\Shell\Shell01\Command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{7aa7bdba-75c3-11dd-b768-000a5e40fe71}\Shell\Shell02\Command - "" = G:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
File not found -- C:\WINDOWS\System32\uixiai.dll
File not found -- C:\WINDOWS\System32\sapovdoc.dll
File not found -- C:\WINDOWS\System32\maxocreg.exe
File not found -- C:\WINDOWS\System32\favipvox32.dll
File not found -- C:\WINDOWS\System32\exemodll.dll
File not found -- C:\WINDOWS\System32\ceribbas.dll
[2009-03-30 06:56:15 | 00,498,688 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\tnoftsger\Desktop\OTListIt2.exe
[2009-03-27 16:10:50 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\tmpPrst.dll
[2009-03-27 16:10:50 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2009-03-27 15:57:44 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009-03-27 15:50:42 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009-03-27 15:44:47 | 00,090,660 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090327_154445.reg
[2009-03-27 15:36:47 | 01,137,360 | ---- | C] (F-Secure Corporation) -- C:\Documents and Settings\tnoftsger\Desktop\fsbl.exe
[2009-03-27 15:16:44 | 00,360,002 | ---- | C] () -- C:\Documents and Settings\tnoftsger\Desktop\dds.scr
[2009-03-27 15:04:41 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\serauth2.dll
[2009-03-27 15:04:41 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\serauth1.dll
[2009-03-27 15:04:41 | 00,000,087 | ---- | C] () -- C:\WINDOWS\System32\nsprs.tgz
[2009-03-27 15:03:36 | 00,002,335 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2009-03-27 15:03:36 | 00,001,947 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
[2009-03-27 15:03:36 | 00,001,808 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2009-03-27 15:03:36 | 00,001,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2009-03-27 15:03:36 | 00,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
[2009-03-27 15:03:36 | 00,000,104 | ---- | C] () -- C:\Documents and Settings\tnoftsger\Start Menu\Programs\Startup\Microsoft Outlook.lnk
[2009-03-27 13:47:24 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009-03-27 13:47:24 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009-03-27 13:47:24 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009-03-27 13:47:24 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009-03-27 13:47:24 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009-03-27 13:47:24 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009-03-27 13:47:24 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009-03-27 13:47:24 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009-03-27 13:47:24 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009-03-27 13:47:11 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009-03-27 13:46:46 | 02,936,485 | R--- | C] () -- C:\Documents and Settings\tnoftsger\Desktop\ComboFix.exe
[2009-03-27 13:07:37 | 00,000,000 | ---D | C] -- C:\rsit
[2009-03-27 13:07:21 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\tnoftsger\Desktop\RSIT.exe
[2009-03-27 12:38:32 | 00,000,196 | ---- | C] () -- C:\Documents and Settings\tnoftsger\Desktop\DrWeb.csv
[2009-03-27 09:58:00 | 00,446,464 | ---- | C] ( ) -- C:\Documents and Settings\tnoftsger\Desktop\RootRepeal.exe
[2009-03-27 09:56:05 | 13,369,216 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\tnoftsger\Desktop\launch.exe
[2009-03-27 08:40:42 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009-03-27 08:34:24 | 00,004,566 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009-03-26 16:46:48 | 00,229,376 | ---- | C] () -- C:\WINDOWS\System32\deluwwin.dll
[2009-03-25 09:17:56 | 00,000,000 | ---D | C] -- C:\Program Files\Coupons
[2009-03-25 08:53:05 | 00,004,436 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090325_085302.reg
[2009-03-23 20:02:30 | 00,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009-03-23 14:13:19 | 00,000,423 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\UDC Output Files.lnk
[2009-03-23 14:13:15 | 00,005,632 | ---- | C] (fCoder Group, Inc.) -- C:\WINDOWS\System32\udcpm.dll
[2009-03-23 14:13:09 | 00,000,000 | R--D | C] -- C:\UDC Output Files
[2009-03-23 14:13:09 | 00,000,000 | ---D | C] -- C:\Program Files\Universal Document Converter
[2009-03-23 13:49:14 | 00,000,000 | ---D | C] -- C:\Program Files\LizardTech
[2009-03-20 13:40:46 | 00,000,392 | ---- | C] () -- C:\WINDOWS\tasks\NSSstub.job
[2009-03-20 13:40:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009-03-20 11:15:49 | 00,000,802 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090320_111548.reg
[2009-03-20 11:15:26 | 00,005,370 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090320_111525.reg
[2009-03-19 14:14:59 | 00,080,290 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090319_141458.reg
[2009-03-19 13:54:29 | 00,326,492 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090319_135426.reg
[2009-03-16 11:32:05 | 00,013,824 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\Madison County Park.xls
[2009-03-13 12:59:00 | 00,000,000 | ---D | C] -- C:\Program Files\AvantGo Connect
[2009-03-13 12:58:59 | 00,002,464 | ---- | C] () -- C:\WINDOWS\$_hpcst$.hpc
[2009-03-13 12:58:16 | 00,114,688 | ---- | C] (AvantGo, Inc.) -- C:\WINDOWS\System32\malslib.dll
[2009-03-13 12:58:16 | 00,077,899 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rapi.dll
[2009-03-13 12:58:16 | 00,069,632 | ---- | C] (AvantGo, Inc.) -- C:\WINDOWS\System32\mbllnk.cpl
[2009-03-13 12:58:16 | 00,065,615 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\pmailext.dll
[2009-03-13 12:58:16 | 00,065,613 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ppvexp.dll
[2009-03-13 12:58:16 | 00,057,423 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MsgStRPC.dll
[2009-03-13 12:58:16 | 00,036,942 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ppcload.dll
[2009-03-13 12:58:16 | 00,024,653 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ceutil.dll
[2009-03-13 12:58:16 | 00,024,652 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\uicom.dll
[2009-03-13 12:40:00 | 00,057,422 | ---- | C] () -- C:\WINDOWS\System32\mobileV.acm
[2009-03-13 12:37:16 | 00,002,510 | ---- | C] () -- C:\WINDOWS\Microsoft.MIF
[2009-03-12 08:37:30 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2009-03-11 14:11:12 | 00,000,000 | ---D | C] -- C:\adobe fix
[2009-03-11 13:13:37 | 00,000,328 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\3-11-09.reg
[2009-03-11 12:59:53 | 00,009,675 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\infection.htm
[2009-03-11 10:19:03 | 00,000,000 | ---D | C] -- C:\UBCD4Win
[2009-03-11 07:08:57 | 00,000,000 | R--D | C] -- C:\Program Files\Norton Support
[2009-03-11 07:08:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\tnoftsger\Local Settings\Application Data\Symantec
[2009-03-09 10:59:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\tnoftsger\Application Data\Apple Computer
[2009-03-09 08:57:50 | 00,050,245 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\KENTUCKY811.jpg
[2009-03-06 16:06:17 | 00,913,385 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\Revised Stockyards.pdf
[2009-03-05 08:50:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\tnoftsger\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009-03-04 14:33:39 | 01,243,370 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\ESMT PLAT - SHEET 3.pdf
[2009-03-04 14:31:27 | 01,188,917 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\ESMT PLAT - SHEET 2.pdf
[2009-03-04 14:27:11 | 03,184,942 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\ESMT PLAT - SHEET 1.pdf
[2009-03-04 13:49:46 | 00,000,011 | ---- | C] () -- C:\WINDOWS\NetWare.INI
[2009-03-03 11:56:51 | 00,021,051 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\Richmond Centre Outparcel 9 Staking.pdf
[2009-03-03 07:54:12 | 00,067,072 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\Richmond Centre Outparcel 9 Staking.doc
[2009-03-02 14:30:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\tnoftsger\My Documents\AdobeStockPhotos
[2009-03-02 11:54:09 | 00,023,081 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\Foundation Contractors EKU Science Building.pdf
[2009-03-02 11:46:11 | 00,068,608 | ---- | C] () -- C:\Documents and Settings\tnoftsger\My Documents\Foundation Contractors EKU Science Building.doc

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\drivers\*.tmp files]
[2 C:\WINDOWS\System32\*.tmp files]
[13 C:\WINDOWS\*.tmp files]
File not found -- C:\WINDOWS\System32\uixiai.dll
File not found -- C:\WINDOWS\System32\sapovdoc.dll
File not found -- C:\WINDOWS\System32\maxocreg.exe
File not found -- C:\WINDOWS\System32\favipvox32.dll
File not found -- C:\WINDOWS\System32\exemodll.dll
File not found -- C:\WINDOWS\System32\ceribbas.dll
[2009-03-30 06:56:22 | 00,498,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\tnoftsger\Desktop\OTListIt2.exe
[2009-03-30 03:09:20 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009-03-27 16:10:50 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\tmpPrst.dll
[2009-03-27 16:10:50 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.dll
[2009-03-27 16:01:07 | 00,000,392 | ---- | M] () -- C:\WINDOWS\tasks\NSSstub.job
[2009-03-27 15:56:28 | 00,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2009-03-27 15:56:22 | 00,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2009-03-27 15:56:18 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009-03-27 15:56:15 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009-03-27 15:55:39 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009-03-27 15:55:38 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009-03-27 15:51:28 | 00,642,508 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\Cat.DB
[2009-03-27 15:44:50 | 00,090,660 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090327_154445.reg
[2009-03-27 15:36:53 | 01,137,360 | ---- | M] (F-Secure Corporation) -- C:\Documents and Settings\tnoftsger\Desktop\fsbl.exe
[2009-03-27 15:16:50 | 00,360,002 | ---- | M] () -- C:\Documents and Settings\tnoftsger\Desktop\dds.scr
[2009-03-27 15:04:41 | 00,001,025 | ---- | M] () -- C:\WINDOWS\System32\serauth2.dll
[2009-03-27 15:04:41 | 00,001,025 | ---- | M] () -- C:\WINDOWS\System32\serauth1.dll
[2009-03-27 15:04:41 | 00,000,087 | ---- | M] () -- C:\WINDOWS\System32\nsprs.tgz
[2009-03-27 15:03:36 | 00,001,169 | ---- | M] () -- C:\WINDOWS\win.ini
[2009-03-27 15:03:36 | 00,000,282 | -HS- | M] () -- C:\boot.ini
[2009-03-27 13:47:00 | 02,936,485 | R--- | M] () -- C:\Documents and Settings\tnoftsger\Desktop\ComboFix.exe
[2009-03-27 13:07:33 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\tnoftsger\Desktop\RSIT.exe
[2009-03-27 12:38:32 | 00,000,196 | ---- | M] () -- C:\Documents and Settings\tnoftsger\Desktop\DrWeb.csv
[2009-03-27 09:56:36 | 13,369,216 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\tnoftsger\Desktop\launch.exe
[2009-03-27 09:07:54 | 00,521,724 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009-03-27 09:07:54 | 00,441,514 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009-03-27 09:07:54 | 00,071,454 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009-03-27 08:40:42 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009-03-27 08:35:13 | 00,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009-03-26 16:49:56 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009-03-26 16:49:50 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009-03-26 16:46:48 | 00,229,376 | ---- | M] () -- C:\WINDOWS\System32\deluwwin.dll
[2009-03-25 11:58:00 | 00,057,384 | ---- | M] () -- C:\Documents and Settings\tnoftsger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009-03-25 11:51:35 | 00,212,880 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009-03-25 08:53:08 | 00,004,436 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090325_085302.reg
[2009-03-24 15:13:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009-03-23 14:13:19 | 00,000,423 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\UDC Output Files.lnk
[2009-03-20 12:17:31 | 07,430,876 | -H-- | M] () -- C:\Documents and Settings\tnoftsger\Local Settings\Application Data\IconCache.db
[2009-03-20 11:15:50 | 00,000,802 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090320_111548.reg
[2009-03-20 11:15:29 | 00,005,370 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090320_111525.reg
[2009-03-19 14:15:06 | 00,080,290 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090319_141458.reg
[2009-03-19 13:55:39 | 00,000,654 | ---- | M] () -- C:\Documents and Settings\tnoftsger\Desktop\CCleaner.lnk
[2009-03-19 13:54:42 | 00,326,492 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\cc_20090319_135426.reg
[2009-03-19 13:11:59 | 00,000,011 | ---- | M] () -- C:\WINDOWS\NetWare.INI
[2009-03-16 11:48:42 | 00,013,824 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\Madison County Park.xls
[2009-03-13 12:59:03 | 00,002,510 | ---- | M] () -- C:\WINDOWS\Microsoft.MIF
[2009-03-13 12:58:59 | 00,002,464 | ---- | M] () -- C:\WINDOWS\$_hpcst$.hpc
[2009-03-12 07:53:23 | 00,000,235 | ---- | M] () -- C:\WINDOWS\retainpro.ini
[2009-03-11 13:13:37 | 00,000,328 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\3-11-09.reg
[2009-03-11 12:59:53 | 00,009,675 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\infection.htm
[2009-03-10 22:18:20 | 01,482,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\LegitCheckControl.dll
[2009-03-10 22:18:14 | 00,934,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\WgaTray.exe
[2009-03-10 22:18:14 | 00,934,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\WgaTray.exe
[2009-03-10 22:18:00 | 00,239,496 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\WgaLogon.dll
[2009-03-10 22:18:00 | 00,239,496 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wgaLogon.dll
[2009-03-09 12:05:35 | 00,007,168 | ---- | M] () -- C:\Documents and Settings\tnoftsger\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009-03-09 11:17:29 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009-03-06 16:06:17 | 00,913,385 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\Revised Stockyards.pdf
[2009-03-04 14:33:39 | 01,243,370 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\ESMT PLAT - SHEET 3.pdf
[2009-03-04 14:31:27 | 01,188,917 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\ESMT PLAT - SHEET 2.pdf
[2009-03-04 14:27:11 | 03,184,942 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\ESMT PLAT - SHEET 1.pdf
[2009-03-04 11:49:37 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009-03-04 11:49:37 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009-03-04 11:49:37 | 00,007,386 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009-03-04 11:49:37 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009-03-04 11:49:24 | 00,482,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1005000.086\cchpx86.sys
[2009-03-04 11:49:23 | 00,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1005000.086\isolate.ini
[2009-03-03 11:57:02 | 00,021,051 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\Richmond Centre Outparcel 9 Staking.pdf
[2009-03-03 11:56:49 | 00,067,072 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\Richmond Centre Outparcel 9 Staking.doc
[2009-03-02 16:53:04 | 00,057,448 | ---- | M] () -- C:\Documents and Settings\tnoftsger\Application Data\GDIPFONTCACHEV1.DAT
[2009-03-02 11:54:21 | 00,023,081 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\Foundation Contractors EKU Science Building.pdf
[2009-03-02 11:54:01 | 00,068,608 | ---- | M] () -- C:\Documents and Settings\tnoftsger\My Documents\Foundation Contractors EKU Science Building.doc

========== Alternate Data Streams ==========

@Alternate Data Stream - 183 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
< End of report >


and the Gmer is taking awhile, i will post when complete...

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:10 AM

Posted 30 March 2009 - 12:24 PM

I see some issues, but I want to wait to see the Gmer log before we proceed.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 tnoftsger

tnoftsger
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 31 March 2009 - 04:58 AM

Gmer Log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-31 05:56:29
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 89A2C2A0 ZwAlertResumeThread
SSDT 89A50A70 ZwAlertThread
SSDT 88A30008 ZwAllocateVirtualMemory
SSDT 88A89070 ZwAssignProcessToJobObject
SSDT 89474A70 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAC8C7040]
SSDT 88A34948 ZwCreateMutant
SSDT 88A38888 ZwCreateSymbolicLinkObject
SSDT 88A86D00 ZwCreateThread
SSDT 893A50B8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAC8C72C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAC8C7820]
SSDT 8937AA98 ZwDuplicateObject
SSDT 8937A0E8 ZwFreeVirtualMemory
SSDT 89A56ED0 ZwImpersonateAnonymousToken
SSDT 899F4D40 ZwImpersonateThread
SSDT 89CB8108 ZwLoadDriver
SSDT 88A30E68 ZwMapViewOfSection
SSDT 89477980 ZwOpenEvent
SSDT 8937ADB8 ZwOpenProcess
SSDT 899DE108 ZwOpenProcessToken
SSDT 89390D68 ZwOpenSection
SSDT 8937AC28 ZwOpenThread
SSDT 893818D0 ZwProtectVirtualMemory
SSDT 893A1D20 ZwResumeThread
SSDT 89A53908 ZwSetContextThread
SSDT 88A30B90 ZwSetInformationProcess
SSDT 894770B8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAC8C7A70]
SSDT 89465788 ZwSuspendProcess
SSDT 89A54A48 ZwSuspendThread
SSDT 89A57F70 ZwTerminateProcess
SSDT 899F31E8 ZwTerminateThread
SSDT 8946A390 ZwUnmapViewOfSection
SSDT 8937A4B8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D10 805045AC 4 Bytes CALL FED97D51
? SYMEFA.SYS The system cannot find the file specified. !
? nwfilter.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 1004233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 1004180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 10041A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 10041CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 100600AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10040F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 10040D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [12, 98]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10040DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 10040FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 1006408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 1006025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10037E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10037D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 1006495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 100606DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100642DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 1006653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100646AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100651BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 1006447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10064BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10064F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 1006089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 1006439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10060BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10060AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[220] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10060A3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 021E233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 021E180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 021E1A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 021E1CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 022000AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 0220408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 0220025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 021E0F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 021E0D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [2C, 8A] {SUB AL, 0x8a}
.text C:\WINDOWS\Explorer.exe[272] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 021E0DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 021E0FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 021D7E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 021D7D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0220495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 022006DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 022042DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0220653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!send 71AB4C27 5 Bytes JMP 022046AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 022051BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0220447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02204BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02204F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 0220089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 0220439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 02200BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 02200AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\Explorer.exe[272] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 02200A3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 1004233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 1004180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 10041A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 10041CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] KERNEL32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 100600AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 1006408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 1006025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10040F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 10040D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [12, 98]
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10040DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 10040FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10037E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10037D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 1006495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 100606DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100642DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 1006653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100646AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100651BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 1006447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10064BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10064F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 1006089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 1006439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10060BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10060AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2220] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10060A3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 1004233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 1004180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 10041A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 10041CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 100600AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 1006408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 1006025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10040F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 10040D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [12, 98]
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10040DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 10040FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 1006495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 100606DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100642DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 1006653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100646AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100651BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 1006447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10064BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10064F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 1006089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 1006439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10060BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10060AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10060A3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10037E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Documents and Settings\tnoftsger\Desktop\gmer.exe[2296] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10037D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 1004233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 1004180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 10041A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 10041CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 100600AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10040F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 10040D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [12, 98]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10040DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 10040FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10037E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10037D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 1006408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 1006025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 1006495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!sendto 71AB2F51 5 Bytes JMP 100606DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100642DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 1006653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!send 71AB4C27 5 Bytes JMP 100646AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100651BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 1006447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10064BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10064F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!listen 71AB8CD3 5 Bytes JMP 1006089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 1006439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10060BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10060AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[2424] ws2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10060A3C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 1004233C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 1004180C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 10041A7C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 10041CEC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 100600AC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 1006408C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 1006025C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10040F0C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 10040D1C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [12, 98]
.text D:\Program Files\Winamp\winampa.exe[3724] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10040DDC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 10040FAC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10037E3C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10037D3C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 1006495C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 100606DC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100642DC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 1006653C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100646AC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100651BC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 1006447C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10064BFC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10064F3C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 1006089C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 1006439C C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10060BEC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10060AEC C:\WINDOWS\system32\sapovdoc.dll
.text D:\Program Files\Winamp\winampa.exe[3724] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10060A3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 1004233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 1004180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 10041A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 10041CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 100600AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 1006408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 1006025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10040F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 10040D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [12, 98]
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10040DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 10040FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10037E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10037D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 1006495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 100606DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100642DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 1006653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100646AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100651BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 1006447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10064BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10064F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 1006089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 1006439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10060BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10060AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\NWTRAY.EXE[3776] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10060A3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 00D2233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00D2180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 00D21A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 00D21CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 00D400AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00D20F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 00D20D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [E0, 88] {LOOPNZ 0xffffffffffffff8a}
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00D20DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 00D20FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 00D4408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 00D4025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00D17E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D17D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D4495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 00D406DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D442DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D4653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D446AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D451BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D4447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D44BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D44F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 00D4089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 00D4439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 00D40BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 00D40AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3804] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 00D40A3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 1004233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 1004180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 10041A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 10041CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 100600AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10040F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 10040D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [12, 98]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10040DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 10040FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 1006408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 1006025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10037E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10037D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 1006495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 100606DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100642DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 1006653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100646AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100651BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 1006447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10064BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10064F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 1006089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 1006439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10060BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10060AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe[3884] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10060A3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 0152233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 0152180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 01521A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 01521CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 015400AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 0154408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 0154025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 01520F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 01520D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [60, 89]
.text C:\Program Files\Messenger\msmsgs.exe[3900] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 01520DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 01520FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0154495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 015406DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 015442DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0154653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015446AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015451BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0154447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01544BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01544F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 0154089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 0154439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 01540BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 01540AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 01540A3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 01517E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\Program Files\Messenger\msmsgs.exe[3900] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01517D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 1004233C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 1004180C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] ntdll.dll!NtOpenFile 7C90D580 5 Bytes JMP 10041A7C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] ntdll.dll!NtSetInformationFile 7C90DC40 5 Bytes JMP 10041CEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] kernel32.dll!GetQueuedCompletionStatus 7C80A7AD 5 Bytes JMP 100600AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] Secur32.dll!EncryptMessage 77FEA5FB 5 Bytes JMP 1006408C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] Secur32.dll!DecryptMessage 77FEA64A 5 Bytes JMP 1006025C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10040F0C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] GDI32.dll!CreateDCA 77F1B7D2 2 Bytes JMP 10040D1C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] GDI32.dll!CreateDCA + 3 77F1B7D5 2 Bytes [12, 98]
.text C:\WINDOWS\system32\ctfmon.exe[3936] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10040DDC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 10040FAC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10037E3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10037D3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 1006495C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 100606DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100642DC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 1006653C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100646AC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100651BC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 1006447C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10064BFC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10064F3C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 1006089C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 1006439C C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10060BEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10060AEC C:\WINDOWS\system32\sapovdoc.dll
.text C:\WINDOWS\system32\ctfmon.exe[3936] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10060A3C C:\WINDOWS\system32\sapovdoc.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [220] 0x10000000
Library C:\WINDOWS\system32\ceribbas.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [272] 0x10000000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [272] 0x021A0000
Library C:\WINDOWS\system32\uixiai.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [272] 0x05870000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe [2220] 0x10000000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\Documents and Settings\tnoftsger\Desktop\gmer.exe [2296] 0x10000000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2424] 0x10000000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3532] 0x10000000
Library C:\WINDOWS\system32\uixiai.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3532] 0x01F90000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ D:\Program Files\Winamp\winampa.exe [3724] 0x10000000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\WINDOWS\system32\NWTRAY.EXE [3776] 0x10000000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\ipoint.exe [3804] 0x00CE0000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [3884] 0x10000000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [3900] 0x014E0000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [3936] 0x10000000
Library C:\WINDOWS\system32\sapovdoc.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3944] 0x10000000
Library C:\WINDOWS\system32\uixiai.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3944] 0x01F80000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027203c8a3
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00027203c8a3

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\favipvox32.dll (size mismatch) 152448/152446 bytes

---- EOF - GMER 1.0.15 ----

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:10 AM

Posted 31 March 2009 - 01:59 PM

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O21 - SSODL: Icovacon - {D9666B03-BD81-4C2D-8584-2DF38A11132B} - C:\WINDOWS\system32\ceribbas.dll File not found
    
    :Files
    C:\WINDOWS\System32\uixiai.dll
    C:\WINDOWS\System32\sapovdoc.dll
    C:\WINDOWS\System32\maxocreg.exe
    C:\WINDOWS\System32\favipvox32.dll
    C:\WINDOWS\System32\exemodll.dll
    C:\WINDOWS\System32\ceribbas.dll
    C:\WINDOWS\System32\serauth2.dll
    C:\WINDOWS\System32\serauth1.dll
    C:\WINDOWS\System32\nsprs.tgz
    C:\WINDOWS\System32\deluwwin.dll
    C:\WINDOWS\system32\sapovdoc.dll
    
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

================




Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 tnoftsger

tnoftsger
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 31 March 2009 - 02:38 PM

========== OTLISTIT ==========
Process explorer.exe killed successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\Icovacon deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9666B03-BD81-4C2D-8584-2DF38A11132B}\ deleted successfully.
========== FILES ==========
File/Folder C:\WINDOWS\System32\uixiai.dll not found.
File/Folder C:\WINDOWS\System32\sapovdoc.dll not found.
File/Folder C:\WINDOWS\System32\maxocreg.exe not found.
File/Folder C:\WINDOWS\System32\favipvox32.dll not found.
File/Folder C:\WINDOWS\System32\exemodll.dll not found.
File/Folder C:\WINDOWS\System32\ceribbas.dll not found.
LoadLibrary failed for C:\WINDOWS\System32\serauth2.dll
C:\WINDOWS\System32\serauth2.dll NOT unregistered.
C:\WINDOWS\System32\serauth2.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\serauth1.dll
C:\WINDOWS\System32\serauth1.dll NOT unregistered.
C:\WINDOWS\System32\serauth1.dll moved successfully.
C:\WINDOWS\System32\nsprs.tgz moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\deluwwin.dll
C:\WINDOWS\System32\deluwwin.dll NOT unregistered.
C:\WINDOWS\System32\deluwwin.dll moved successfully.
File/Folder C:\WINDOWS\system32\sapovdoc.dll not found.
========== COMMANDS ==========
File delete failed. C:\WINDOWS\Temp\JET7290.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\Perflib_Perfdata_2d0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\Perflib_Perfdata_320.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JET7290.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2d0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_320.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.7.2 log created on 03312009_150255

Files moved on Reboot...
File C:\WINDOWS\Temp\JET7290.tmp not found!
File C:\WINDOWS\Temp\Perflib_Perfdata_2d0.dat not found!
File C:\WINDOWS\Temp\Perflib_Perfdata_320.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...






ComboFix 09-03-31.01 - tnoftsger 2009-03-31 15:15:25.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1615 [GMT -4:00]
Running from: c:\documents and settings\tnoftsger\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\tmpPrst.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-31 15:07 . 2009-03-31 15:07 1,025 --a------ c:\windows\system32\serauth2.dll
2009-03-31 15:07 . 2009-03-31 15:07 1,025 --a------ c:\windows\system32\serauth1.dll
2009-03-31 15:07 . 2009-03-31 15:07 87 --a------ c:\windows\system32\nsprs.tgz
2009-03-31 15:02 . 2009-03-31 15:02 <DIR> d-------- C:\_OTListIt
2009-03-27 13:07 . 2009-03-27 13:07 <DIR> d-------- C:\rsit
2009-03-27 09:57 . 2009-03-27 09:57 <DIR> d-------- c:\documents and settings\tnoftsger\DoctorWeb
2009-03-27 08:34 . 2009-03-27 08:35 4,566 --a------ c:\windows\imsins.BAK
2009-03-25 09:17 . 2009-03-27 09:23 <DIR> d-------- c:\program files\Coupons
2009-03-23 14:13 . 2009-03-25 12:14 <DIR> dr------- C:\UDC Output Files
2009-03-23 14:13 . 2009-03-23 14:13 <DIR> d-------- c:\program files\Universal Document Converter
2009-03-23 14:13 . 2008-04-04 18:07 5,632 --a------ c:\windows\system32\udcpm.dll
2009-03-23 13:49 . 2009-03-23 13:49 <DIR> d-------- c:\program files\LizardTech
2009-03-20 13:40 . 2009-03-20 13:51 <DIR> d-------- c:\windows\system32\Adobe
2009-03-13 12:59 . 2009-03-13 12:59 <DIR> d-------- c:\program files\AvantGo Connect
2009-03-13 12:58 . 2004-12-06 14:07 114,688 --a------ c:\windows\system32\malslib.dll
2009-03-13 12:58 . 2005-01-04 11:49 77,899 --a------ c:\windows\system32\rapi.dll
2009-03-13 12:58 . 2004-12-06 14:07 69,632 --a------ c:\windows\system32\mbllnk.cpl
2009-03-13 12:58 . 2005-01-04 11:50 65,615 --a------ c:\windows\system32\pmailext.dll
2009-03-13 12:58 . 2005-01-04 11:51 65,613 --a------ c:\windows\system32\ppvexp.dll
2009-03-13 12:58 . 2005-01-04 11:50 57,423 --a------ c:\windows\system32\MsgStRPC.dll
2009-03-13 12:58 . 2005-01-04 11:50 36,942 --a------ c:\windows\system32\ppcload.dll
2009-03-13 12:58 . 2005-01-04 11:49 24,653 --a------ c:\windows\system32\ceutil.dll
2009-03-13 12:58 . 2005-01-04 11:49 24,652 --a------ c:\windows\system32\uicom.dll
2009-03-13 12:58 . 2009-03-13 12:58 2,464 --a------ c:\windows\$_hpcst$.hpc
2009-03-13 12:40 . 2005-01-04 11:37 57,422 --a------ c:\windows\system32\mobileV.acm
2009-03-13 12:37 . 2009-03-13 12:59 2,510 --a------ c:\windows\Microsoft.MIF
2009-03-12 08:37 . 2009-03-12 08:37 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-11 14:11 . 2009-03-11 14:11 <DIR> d-------- C:\adobe fix
2009-03-11 10:19 . 2009-03-12 07:53 <DIR> d-------- C:\UBCD4Win
2009-03-11 07:08 . 2009-03-11 07:08 <DIR> dr------- c:\program files\Norton Support
2009-03-09 10:59 . 2009-03-09 10:59 <DIR> d-------- c:\documents and settings\tnoftsger\Application Data\Apple Computer
2009-03-05 08:50 . 2009-03-05 08:50 <DIR> d-------- c:\documents and settings\tnoftsger\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-04 13:49 . 2009-03-19 13:11 11 --a------ c:\windows\NetWare.INI
2009-02-26 12:04 . 2009-03-09 06:02 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-02-26 12:04 . 2009-02-26 12:04 <DIR> d-------- c:\program files\Windows Sidebar
2009-02-26 12:04 . 2009-03-04 11:49 <DIR> d-------- c:\program files\Symantec
2009-02-26 12:04 . 2009-02-26 12:04 <DIR> d-------- c:\program files\NortonInstaller
2009-02-26 12:04 . 2009-02-26 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-26 12:04 . 2009-02-26 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-02-26 12:04 . 2009-03-04 11:49 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-26 12:04 . 2009-03-04 11:49 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-26 12:04 . 2009-02-27 07:02 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-02-26 12:04 . 2009-03-04 11:49 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-26 12:04 . 2009-03-04 11:49 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-26 11:25 . 2009-02-26 11:25 <DIR> d-------- c:\windows\system32\novell
2009-02-26 11:25 . 2009-02-26 11:25 <DIR> d-------- c:\windows\system32\NetWare
2009-02-26 11:25 . 2009-02-26 11:25 <DIR> d-------- c:\windows\system\nls
2009-02-26 11:25 . 2007-06-04 12:36 823,296 --------- c:\windows\system32\ccsw32.dll
2009-02-26 11:19 . 2009-02-26 11:25 <DIR> d-------- c:\windows\system32\nls
2009-02-26 11:19 . 2009-02-26 11:27 <DIR> d-------- c:\program files\CUAgent
2009-02-26 11:18 . 2009-02-26 11:18 <DIR> d-------- C:\Novell
2009-02-13 09:38 . 2009-02-16 16:27 <DIR> d-------- c:\documents and settings\tnoftsger\Application Data\Samsung
2009-02-13 09:01 . 2006-05-03 23:53 174,592 --a------ c:\windows\system32\framedyn.dll
2009-02-13 09:00 . 2009-02-17 09:14 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2009-02-13 09:00 . 2005-08-28 21:51 766 --a------ c:\windows\system32\Uninstall.ico
2009-02-13 08:59 . 2009-02-13 08:59 <DIR> d-------- c:\program files\Samsung
2009-02-13 08:59 . 2006-07-24 17:05 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2009-02-12 08:35 . 2009-02-12 08:35 4,329 --a------ C:\VAULT_2009_SERVE.MDS
2009-02-12 08:33 . 2009-02-12 08:35 796,524,544 --a------ C:\VAULT_2009_SERVE.ISO
2009-02-11 04:00 . 2009-02-11 04:02 <DIR> d-------- C:\microsoft Malicious Tool Removal
2009-02-05 15:44 . 2008-04-13 20:11 21,504 --a------ c:\windows\system32\drivers\hidserv.dll
2009-02-05 15:44 . 2009-02-05 15:44 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-02-05 13:32 . 2009-02-05 13:32 <DIR> d-------- c:\program files\Microsoft IntelliPoint
2009-02-05 13:32 . 2008-12-04 12:34 27,784 --a------ c:\windows\system32\drivers\point32.sys
2009-02-05 13:32 . 2008-06-09 14:12 18,504 --a------ c:\windows\system32\drivers\nuidfltr.sys
2009-02-03 14:29 . 2009-02-03 14:47 <DIR> d-------- c:\documents and settings\tnoftsger\Application Data\Copan
2009-02-03 11:28 . 2009-02-03 11:29 <DIR> d-------- c:\program files\QuickTime
2009-02-03 11:28 . 2009-02-03 11:28 <DIR> d-------- c:\program files\Apple Software Update
2009-02-03 11:28 . 2009-02-03 11:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-03 11:28 . 2009-02-03 11:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-02 09:07 . 2009-02-02 09:07 <DIR> d-------- c:\documents and settings\shogue\locals~1
2009-02-02 09:07 . 2009-02-02 09:07 <DIR> d-------- c:\documents and settings\shogue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 10:04 57,448 ----a-w c:\documents and settings\tnoftsger\Application Data\GDIPFONTCACHEV1.DAT
2009-03-31 08:10 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-27 18:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 20:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-26 17:50 --------- d-----w c:\program files\Land Desktop 2005
2009-03-25 15:57 --------- d-----w c:\documents and settings\tnoftsger\Application Data\AdobeUM
2009-03-25 15:43 --------- d-----w c:\program files\Common Files\Adobe
2009-03-23 18:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-20 16:17 --------- d-----w c:\documents and settings\tnoftsger\Application Data\Winamp
2009-03-18 18:50 --------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-03-16 14:44 --------- d-----w c:\program files\AutoCAD Civil 3D Land Desktop Companion 2008
2009-03-13 17:03 --------- d-----w c:\program files\Microsoft ActiveSync
2009-03-13 11:01 --------- d-----w c:\program files\NOS
2009-03-13 11:01 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-12 11:32 --------- d-----w c:\documents and settings\tnoftsger\Application Data\LimeWire
2009-02-26 16:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 16:04 --------- d-----w c:\program files\Norton AntiVirus
2009-02-26 15:43 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-20 18:06 --------- d-----w c:\program files\Common Files\Motorola Shared
2009-02-04 12:35 --------- d-----w c:\documents and settings\tnoftsger\Application Data\Autodesk
2008-09-11 17:50 92,064 ----a-w c:\documents and settings\tnoftsger\mqdmmdm.sys
2008-09-11 17:50 9,232 ----a-w c:\documents and settings\tnoftsger\mqdmmdfl.sys
2008-09-11 17:50 79,328 ----a-w c:\documents and settings\tnoftsger\mqdmserd.sys
2008-09-11 17:50 66,656 ----a-w c:\documents and settings\tnoftsger\mqdmbus.sys
2008-09-11 17:50 6,208 ----a-w c:\documents and settings\tnoftsger\mqdmcmnt.sys
2008-09-11 17:50 5,936 ----a-w c:\documents and settings\tnoftsger\mqdmwhnt.sys
2008-09-11 17:50 4,048 ----a-w c:\documents and settings\tnoftsger\mqdmcr.sys
2008-09-11 17:50 25,600 ----a-w c:\documents and settings\tnoftsger\usbsermptxp.sys
2008-09-11 17:50 22,768 ----a-w c:\documents and settings\tnoftsger\usbsermpt.sys
2008-09-18 20:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091820080919\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_13.56.13.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 00:11:56 149,768 ----a-w c:\windows\system32\favipvox32.dll
+ 2008-04-14 00:11:56 153,642 ----a-w c:\windows\system32\favipvox32.dll
- 2009-03-27 17:51:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2cc.dat
+ 2009-03-31 19:18:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2cc.dat
+ 2009-03-31 19:19:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_320.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 405583]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-03-20 181624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-03-25 25214]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2468:TCP"= 2468:TCP:System Event Dispatcher

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-04 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-04 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-04 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090318.001\IDSXpx86.sys [2009-03-23 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-04 115560]
R2 SentinelLM;SentinelLM;d:\program files\Rainbow Technologies\SentinelLM 7.1.0 Server\English\lservnt.exe [2009-01-20 555520]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-10-23 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-10-23 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-23 42112]
S3 NGPSSER;NGPSSER;c:\windows\system32\drivers\ngpsser.sys [2008-11-24 91520]
S3 NGPSUSB;NGPSUSB;c:\windows\system32\drivers\ngpsusb.sys [2008-11-24 76928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7aa7bdba-75c3-11dd-b768-000a5e40fe71}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 20:02]

2009-03-31 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-03-20 13:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
TCP: {A180D1CB-0884-45CF-ADF5-A26997FAACD5} = 204.152.114.181,204.152.114.182
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\LizardTech\Express View\expressview.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\LizardTech\Express View\expressview.dll
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
FF - ProfilePath - c:\documents and settings\tnoftsger\Application Data\Mozilla\Firefox\Profiles\qdxi2v8a.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 15:24:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-816959666-2918063317-318358597-1610\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1216)
c:\windows\system32\NETWIN32.DLL
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\progra~1\MICROS~2\Office10\OUTLOOK.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\msiexec.exe
c:\program files\Microsoft Office\Office10\WINWORD.EXE
.
**************************************************************************
.
Completion time: 2009-03-31 15:26:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 19:26:27
ComboFix2.txt 2009-03-27 19:58:21
ComboFix3.txt 2009-03-27 17:57:20

Pre-Run: 17,093,074,944 bytes free
Post-Run: 17,093,091,328 bytes free

271 --- E O F --- 2009-03-25 07:00:13

#8 tnoftsger

tnoftsger
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 31 March 2009 - 03:07 PM

I forgot the scan warned that c:\windows\system32\serauth1.dll was not a valid windows file and should be compared or replaced by the one on my cd.....

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:10 AM

Posted 01 April 2009 - 10:06 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Rootkit::
C:\WINDOWS\System32\uixiai.dll
C:\WINDOWS\System32\sapovdoc.dll
C:\WINDOWS\System32\ceribbas.dll

File::
C:\WINDOWS\System32\serauth2.dll
C:\WINDOWS\System32\serauth1.dll
C:\WINDOWS\System32\nsprs.tgz
C:\WINDOWS\System32\deluwwin.dll
C:\WINDOWS\system32\sapovdoc.dll
C:\WINDOWS\System32\favipvox32.dll
C:\WINDOWS\System32\exemodll.dll
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================


Let's update Malwarebytes and run a new scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 tnoftsger

tnoftsger
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 01 April 2009 - 02:47 PM

Combofix Log:

ComboFix 09-04-01.01 - tnoftsger 2009-04-01 15:35:56.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1529 [GMT -4:00]
Running from: c:\documents and settings\tnoftsger\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\tnoftsger\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\System32\deluwwin.dll
c:\windows\System32\exemodll.dll
c:\windows\System32\favipvox32.dll
c:\windows\System32\nsprs.tgz
c:\windows\system32\sapovdoc.dll
c:\windows\System32\serauth1.dll
c:\windows\System32\serauth2.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\ceribbas.dll
c:\windows\System32\exemodll.dll
c:\windows\System32\favipvox32.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\System32\nsprs.tgz
c:\windows\System32\sapovdoc.dll
c:\windows\System32\serauth1.dll
c:\windows\System32\serauth2.dll
c:\windows\system32\tmpPrst.dll
c:\windows\System32\uixiai.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-03-31 15:02 . 2009-03-31 15:02 <DIR> d-------- C:\_OTListIt
2009-03-27 13:07 . 2009-03-27 13:07 <DIR> d-------- C:\rsit
2009-03-27 09:57 . 2009-03-27 09:57 <DIR> d-------- c:\documents and settings\tnoftsger\DoctorWeb
2009-03-27 08:34 . 2009-03-27 08:35 4,566 --a------ c:\windows\imsins.BAK
2009-03-25 09:17 . 2009-03-27 09:23 <DIR> d-------- c:\program files\Coupons
2009-03-23 14:13 . 2009-03-25 12:14 <DIR> dr------- C:\UDC Output Files
2009-03-23 14:13 . 2009-03-23 14:13 <DIR> d-------- c:\program files\Universal Document Converter
2009-03-23 14:13 . 2008-04-04 18:07 5,632 --a------ c:\windows\system32\udcpm.dll
2009-03-23 13:49 . 2009-03-23 13:49 <DIR> d-------- c:\program files\LizardTech
2009-03-20 13:40 . 2009-03-20 13:51 <DIR> d-------- c:\windows\system32\Adobe
2009-03-13 12:59 . 2009-03-13 12:59 <DIR> d-------- c:\program files\AvantGo Connect
2009-03-13 12:58 . 2004-12-06 14:07 114,688 --a------ c:\windows\system32\malslib.dll
2009-03-13 12:58 . 2005-01-04 11:49 77,899 --a------ c:\windows\system32\rapi.dll
2009-03-13 12:58 . 2004-12-06 14:07 69,632 --a------ c:\windows\system32\mbllnk.cpl
2009-03-13 12:58 . 2005-01-04 11:50 65,615 --a------ c:\windows\system32\pmailext.dll
2009-03-13 12:58 . 2005-01-04 11:51 65,613 --a------ c:\windows\system32\ppvexp.dll
2009-03-13 12:58 . 2005-01-04 11:50 57,423 --a------ c:\windows\system32\MsgStRPC.dll
2009-03-13 12:58 . 2005-01-04 11:50 36,942 --a------ c:\windows\system32\ppcload.dll
2009-03-13 12:58 . 2005-01-04 11:49 24,653 --a------ c:\windows\system32\ceutil.dll
2009-03-13 12:58 . 2005-01-04 11:49 24,652 --a------ c:\windows\system32\uicom.dll
2009-03-13 12:58 . 2009-03-13 12:58 2,464 --a------ c:\windows\$_hpcst$.hpc
2009-03-13 12:40 . 2005-01-04 11:37 57,422 --a------ c:\windows\system32\mobileV.acm
2009-03-13 12:37 . 2009-03-13 12:59 2,510 --a------ c:\windows\Microsoft.MIF
2009-03-12 08:37 . 2009-03-12 08:37 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-11 14:11 . 2009-03-11 14:11 <DIR> d-------- C:\adobe fix
2009-03-11 10:19 . 2009-03-12 07:53 <DIR> d-------- C:\UBCD4Win
2009-03-11 07:08 . 2009-03-11 07:08 <DIR> dr------- c:\program files\Norton Support
2009-03-09 10:59 . 2009-03-09 10:59 <DIR> d-------- c:\documents and settings\tnoftsger\Application Data\Apple Computer
2009-03-05 08:50 . 2009-03-05 08:50 <DIR> d-------- c:\documents and settings\tnoftsger\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-04 13:49 . 2009-03-19 13:11 11 --a------ c:\windows\NetWare.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 09:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-31 10:04 57,448 ----a-w c:\documents and settings\tnoftsger\Application Data\GDIPFONTCACHEV1.DAT
2009-03-27 18:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 20:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-26 17:50 --------- d-----w c:\program files\Land Desktop 2005
2009-03-25 15:57 --------- d-----w c:\documents and settings\tnoftsger\Application Data\AdobeUM
2009-03-25 15:43 --------- d-----w c:\program files\Common Files\Adobe
2009-03-23 18:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-20 16:17 --------- d-----w c:\documents and settings\tnoftsger\Application Data\Winamp
2009-03-18 18:50 --------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-03-16 14:44 --------- d-----w c:\program files\AutoCAD Civil 3D Land Desktop Companion 2008
2009-03-13 17:03 --------- d-----w c:\program files\Microsoft ActiveSync
2009-03-13 11:01 --------- d-----w c:\program files\NOS
2009-03-13 11:01 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-12 11:32 --------- d-----w c:\documents and settings\tnoftsger\Application Data\LimeWire
2009-03-04 15:49 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-04 15:49 7,386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-04 15:49 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-04 15:49 --------- d-----w c:\program files\Symantec
2009-02-27 11:02 36,400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-02-26 16:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 16:04 --------- d-----w c:\program files\Windows Sidebar
2009-02-26 16:04 --------- d-----w c:\program files\NortonInstaller
2009-02-26 16:04 --------- d-----w c:\program files\Norton AntiVirus
2009-02-26 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-26 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-02-26 15:43 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-26 15:27 --------- d-----w c:\program files\CUAgent
2009-02-20 18:06 --------- d-----w c:\program files\Common Files\Motorola Shared
2009-02-16 20:27 --------- d-----w c:\documents and settings\tnoftsger\Application Data\Samsung
2009-02-13 12:59 --------- d-----w c:\program files\Samsung
2009-02-05 19:44 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-02-05 17:32 --------- d-----w c:\program files\Microsoft IntelliPoint
2009-02-04 12:35 --------- d-----w c:\documents and settings\tnoftsger\Application Data\Autodesk
2009-02-03 18:47 --------- d-----w c:\documents and settings\tnoftsger\Application Data\Copan
2009-02-03 15:29 --------- d-----w c:\program files\QuickTime
2009-02-03 15:28 --------- d-----w c:\program files\Apple Software Update
2009-02-03 15:28 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-03 15:28 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-09-11 17:50 92,064 ----a-w c:\documents and settings\tnoftsger\mqdmmdm.sys
2008-09-11 17:50 9,232 ----a-w c:\documents and settings\tnoftsger\mqdmmdfl.sys
2008-09-11 17:50 79,328 ----a-w c:\documents and settings\tnoftsger\mqdmserd.sys
2008-09-11 17:50 66,656 ----a-w c:\documents and settings\tnoftsger\mqdmbus.sys
2008-09-11 17:50 6,208 ----a-w c:\documents and settings\tnoftsger\mqdmcmnt.sys
2008-09-11 17:50 5,936 ----a-w c:\documents and settings\tnoftsger\mqdmwhnt.sys
2008-09-11 17:50 4,048 ----a-w c:\documents and settings\tnoftsger\mqdmcr.sys
2008-09-11 17:50 25,600 ----a-w c:\documents and settings\tnoftsger\usbsermptxp.sys
2008-09-11 17:50 22,768 ----a-w c:\documents and settings\tnoftsger\usbsermpt.sys
2008-09-18 20:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091820080919\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_13.56.13.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-07 17:45:35 104,474 ----a-w c:\windows\HPFins09.dat
+ 2009-04-01 10:35:31 104,474 ----a-w c:\windows\HPFins09.dat
+ 2009-04-01 19:40:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2b4.dat
+ 2009-04-01 19:40:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_304.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 405583]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-03-20 181624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-03-25 25214]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2468:TCP"= 2468:TCP:System Event Dispatcher

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-04 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-04 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-04 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.003\IDSXpx86.sys [2009-03-31 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-04 115560]
R2 SentinelLM;SentinelLM;d:\program files\Rainbow Technologies\SentinelLM 7.1.0 Server\English\lservnt.exe [2009-01-20 555520]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-10-23 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-10-23 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-23 42112]
S3 NGPSSER;NGPSSER;c:\windows\system32\drivers\ngpsser.sys [2008-11-24 91520]
S3 NGPSUSB;NGPSUSB;c:\windows\system32\drivers\ngpsusb.sys [2008-11-24 76928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7aa7bdba-75c3-11dd-b768-000a5e40fe71}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-04-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 20:02]

2009-04-01 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-03-20 13:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
TCP: {A180D1CB-0884-45CF-ADF5-A26997FAACD5} = 204.152.114.181,204.152.114.182
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\LizardTech\Express View\expressview.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\LizardTech\Express View\expressview.dll
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
FF - ProfilePath - c:\documents and settings\tnoftsger\Application Data\Mozilla\Firefox\Profiles\qdxi2v8a.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 15:40:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-816959666-2918063317-318358597-1610\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1216)
c:\windows\system32\NETWIN32.DLL
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\system32\NETUI2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Microsoft Office\Office10\WINWORD.EXE
.
**************************************************************************
.
Completion time: 2009-04-01 15:42:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-01 19:42:42
ComboFix2.txt 2009-03-31 19:26:31
ComboFix3.txt 2009-03-27 19:58:21
ComboFix4.txt 2009-03-27 17:57:20

Pre-Run: 17,010,470,912 bytes free
Post-Run: 17,011,965,952 bytes free

265 --- E O F --- 2009-03-25 07:00:13


Malwarebytes is running and i will post when complete

#11 tnoftsger

tnoftsger
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 02 April 2009 - 04:59 AM

Malwarebytes' Anti-Malware 1.35
Database version: 1929
Windows 5.1.2600 Service Pack 3

2009-04-02 05:57:35
mbam-log-2009-04-02 (05-57-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 179229
Time elapsed: 19 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:10 AM

Posted 02 April 2009 - 11:40 AM

Looks much better. How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 tnoftsger

tnoftsger
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 03 April 2009 - 08:45 AM

No change, after a re-boot

C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\nsprs.dll
C:\WINDOWS\system32\tmpPrst.dll
C:\WINDOWS\system32\serauth1.dll
C:\WINDOWS\system32\serauth2.dll


all are still present. We seem to be killing the files, but not finding and killing the "Master" file that keeps regenerating them...

Oh, Mozilla FoxFire is still opening other website that i ask for. But not crashing as much.

#14 tnoftsger

tnoftsger
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:10 AM

Posted 03 April 2009 - 08:54 AM

Quick Scan MBAM log:

Malwarebytes' Anti-Malware 1.35
Database version: 1936
Windows 5.1.2600 Service Pack 3

2009-04-03 09:51:42
mbam-log-2009-04-03 (09-51-30).txt

Scan type: Quick Scan
Objects scanned: 78842
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> No action taken.

And i don't know if it's new or i just havn't noticed before, but double clicking the Internet Explorer Icon on the desktop, does not open IE only creates another desktop icon for IE.

Edited by tnoftsger, 03 April 2009 - 08:56 AM.


#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:10 AM

Posted 03 April 2009 - 03:19 PM

Please post a new log from Combofix and also a new Gmer log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users