Post #1 | Nov 20 2009, 01:10 PM
Member | Group: Members | Posts: 18 | Joined: 19-November 09 | Member No.: 405,104
DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 12:04:55.98 on Fri 11/20/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1133 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\AASP\1.00.33\aaCenter.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Administrator\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [AdobeBridge]
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Launch PC Probe II] "c:\program files\asus\pc probe ii\Probe2.exe" 1
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15109/CTPID.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\lxjkc682.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-18 207280]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-8-31 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-8-31 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-8-31 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSvix86.sys [2009-11-12 343088]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-18 112592]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-8-31 117640]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2009-1-10 1298944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0305020.00b\symndisv.sys [2009-8-31 48688]
S2 gupdate1c9cdcf85b107a4;Google Update Service (gupdate1c9cdcf85b107a4);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-9-22 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-9-22 79360]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-18 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 rootrepeal;rootrepeal;c:\windows\system32\drivers\rootrepeal.sys [2009-11-20 34816]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-18 358600]

=============== Created Last 30 ================

2009-11-20 17:36:58 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-11-19 19:14:43 0 ----a-w- c:\windows\system32\settings.dat
2009-11-19 09:03:31 0 d-----w- c:\program files\Trend Micro
2009-11-19 04:54:52 883 ----a-w- c:\windows\RegSDImport.xml
2009-11-19 04:54:52 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-19 04:54:52 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-19 04:54:52 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-19 04:54:52 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-19 04:54:52 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-19 04:54:52 131 ----a-w- c:\windows\IDB.zip
2009-11-19 04:54:52 1152470 ----a-w- c:\windows\UDB.zip
2009-11-19 04:53:21 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-19 04:53:20 97208 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-11-19 04:53:20 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-19 04:53:16 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-19 04:53:16 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-19 04:53:16 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-19 04:53:16 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-19 04:53:05 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-19 04:53:05 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-19 04:52:51 0 d-----w- c:\users\admini~1\appdata\roaming\PC Tools
2009-11-19 04:52:51 0 d-----w- c:\programdata\PC Tools
2009-11-19 04:52:51 0 d-----w- c:\program files\Spyware Doctor
2009-11-19 04:52:51 0 d-----w- c:\program files\common files\PC Tools
2009-11-19 04:17:07 0 d-----w- c:\program files\CCleaner
2009-11-18 05:15:46 0 d-----w- C:\$WINDOWS.~BT
2009-11-14 01:38:09 65 ----a-w- c:\windows\FISHUI.INI
2009-11-11 02:14:12 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 02:14:06 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 05:17:50 0 d-----w- c:\program files\Windows Portable Devices
2009-11-10 05:17:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-10 05:17:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-10 05:16:07 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-11-10 05:16:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-11-10 05:16:01 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-11-10 05:13:54 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-11-10 05:12:33 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-10 05:12:32 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-10 05:12:32 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-10 05:11:55 48823 ----a-w- c:\programdata\nvModes.dat
2009-11-05 18:00:29 24 ---h--w- c:\windows\msbgctb.ini
2009-11-05 18:00:29 24 ---h--w- c:\windows\msbgcta.ini
2009-11-05 17:59:37 137000 ----a-w- c:\windows\system32\msmapi32.ocx
2009-11-04 16:43:21 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-01 19:59:47 0 d-----w- c:\programdata\Research In Motion
2009-11-01 19:58:57 67 ----a-w- c:\windows\Power Video Converter.INI
2009-11-01 19:58:29 0 d-----w- c:\program files\Power Video Converter
2009-10-28 21:37:49 0 d-----w- c:\users\administrator\.idlerc
2009-10-28 16:14:30 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 16:14:29 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 18:29:13 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-26 18:28:28 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-26 18:28:11 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-26 18:28:11 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-26 01:29:53 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-22 15:34:01 549 ----a-w- c:\users\admini~1\appdata\roaming\settings.dat

==================== Find3M ====================

2009-11-14 04:10:23 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-10 05:32:16 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-10 05:32:16 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-10 05:31:04 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-10 05:31:02 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-10 05:17:48 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-16 08:11:56 1168896 ----a-w- c:\windows\system32\drivers\P17.sys
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 16:05:14 232712 ----a-w- c:\windows\system32\PDBoot.exe
2009-10-02 16:50:28 315392 ----a-w- c:\windows\system32\TubeFinder.exe
2009-10-02 15:02:45 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:54 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:25 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-25 08:31:18 613503 ----a-w- c:\windows\system32\APOIM32.exe
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-05-29 17:39:07 8 --sha-r- c:\windows\system32\5B02780D30.sys
2008-05-29 17:39:08 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 12:06:02.14 ===============
Attachment: Attach.txt (15.68k)
Post #2 | Nov 20 2009, 05:23 PM
Member | Group: Members | Posts: 18 | Joined: 19-November 09 | Member No.: 405,104
OK, I opened CMD and waited for the music to start. Here is a list of DLLs that the process was running:

Image Name                     PID Modules
========================= ======== ============================================
iexplore.exe                  4228 ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, USER32.dll, GDI32.dll, msvcrt.dll, SHLWAPI.dll, SHELL32.dll, ole32.dll, iertutil.dll, urlmon.dll, OLEAUT32.dll, IMM32.DLL, MSCTF.dll, LPK.DLL, USP10.dll, comctl32.dll, comdlg32.dll, COMCTL32.dll, winmm.dll, OLEACC.dll, WININET.dll, Normaliz.dll, imagehlp.dll, mswsock.dll, WS2_32.dll, NSI.dll, IEFRAME.dll, Secur32.dll, NTMARTA.DLL, WLDAP32.dll, PSAPI.DLL, SAMLIB.dll, VERSION.dll, wshtcpip.dll, wship6.dll, NLAapi.dll, IPHLPAPI.DLL, dhcpcsvc.DLL, DNSAPI.dll, WINNSI.DLL, dhcpcsvc6.DLL, napinsp.dll, pnrpnsp.dll, uxtheme.dll, winrnr.dll, rasadhlp.dll, rsaenh.dll, apphelp.dll, CLBCatQ.DLL, RASAPI32.dll, rasman.dll, NETAPI32.dll, TAPI32.dll, rtutils.dll, USERENV.dll, CRYPT32.dll, MSASN1.dll, credssp.dll, schannel.dll, sensapi.dll, IEUI.dll, MSIMG32.dll, ACTXPRXY.DLL, ieproxy.dll, PROPSYS.dll, SETUPAPI.dll, xmllite.dll, msfeeds.dll, SXS.DLL, MLANG.dll, mssprxy.dll, msxml3.dll
iexplore.exe                  5484 ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, USER32.dll, GDI32.dll, msvcrt.dll, SHLWAPI.dll, SHELL32.dll, ole32.dll, iertutil.dll, urlmon.dll, OLEAUT32.dll, IMM32.DLL, MSCTF.dll, LPK.DLL, USP10.dll, comctl32.dll, comdlg32.dll, COMCTL32.dll, winmm.dll, OLEACC.dll, WININET.dll, Normaliz.dll, imagehlp.dll, mswsock.dll, WS2_32.dll, NSI.dll, IEFRAME.dll, IEShims.dll, uxtheme.dll, USERENV.dll, Secur32.dll, PROPSYS.dll, CLBCatQ.DLL, SETUPAPI.dll, rsaenh.dll, ieproxy.dll, ACTXPRXY.DLL, apphelp.dll, NTMARTA.DLL, WLDAP32.dll, PSAPI.DLL, SAMLIB.dll, VERSION.dll, RASAPI32.dll, rasman.dll, NETAPI32.dll, TAPI32.dll, rtutils.dll, CRYPT32.dll, MSASN1.dll, credssp.dll, schannel.dll, sensapi.dll, wshtcpip.dll, MLANG.dll, NLAapi.dll, IPHLPAPI.DLL, dhcpcsvc.DLL, DNSAPI.dll, WINNSI.DLL, dhcpcsvc6.DLL, rasadhlp.dll, wship6.dll, napinsp.dll, pnrpnsp.dll, winrnr.dll, coIEPlg.dll, MSVCP80.dll, MSVCR80.dll, ccL80U.dll, RICHED20.DLL, SYMHTML.DLL, AcroIEHelper.dll, PCTBrowserDefender.dll, PCTBDCore.dll, dbghelp.dll, msxml3.dll, mshtml.dll, msls31.dll, ccVrTrst.dll, WinTrust.dll, EFACli.dll, ccSet.dll, ccIPC.dll, coUICtlr.dll, coWPPlg.dll, Cabinet.dll, WINHTTP.dll, isDataPr.dll, IVPlugin.dll, FFPrefs.dll, rf.dll, WINSPOOL.DRV, oledlg.dll, OLEPRO32.DLL, ccGEvt.dll, coParse.dll, IPSBHO.DLL, Scxpx86.dll, WindowsLiveLogin.dll, msidcrl40.dll, hpswp_BHO.dll, gdiplus.dll, UtilityLib.dll, RsrcLoaderLib.dll, ATL80.DLL, NeoLoggingLib.dll, SatelliteENU.dll, ClipBookDBComponent.dll, SXS.DLL, msimtf.dll, jscript.dll, ccsubeng.dll, iepeers.dll, Flash10c.ocx, mscms.dll, wdmaud.drv, ksuser.dll, MMDevAPI.DLL, AVRT.dll, AUDIOSES.DLL, audioeng.dll, msacm32.drv, MSACM32.dll, midimap.dll, ImgUtil.dll, pngfilt.dll, MSOXMLMF.DLL
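The module listing above is `tasklist /m` output captured while the hidden audio was playing. The useful reading of it is a diff: both iexplore.exe instances load the same browser baseline, but only PID 5484 has the user-mode audio stack (wdmaud.drv, MMDevAPI.DLL, AUDIOSES.DLL, audioeng.dll) plus Flash and the BHOs loaded, which is the process actually rendering content and producing sound. The script below is an added example by the editor, not code from the thread: it parses `tasklist /m` output (including the indented continuation lines the real tool emits), diffs the module sets of two PIDs, and flags any process with the audio stack loaded. The sample output is constructed and cut down from the real listing, and the set of "audio indicator" module names is the editor's choice.

```python
"""Parse `tasklist /m` output and find which iexplore.exe instance has the
audio stack loaded.  Editor-added example; the sample is constructed."""
import re
from collections import OrderedDict

# Constructed sample in the shape of `tasklist /m /fi "imagename eq iexplore.exe"`.
# Real output wraps the Modules column onto indented continuation lines.
SAMPLE_TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
iexplore.exe                  4228 ntdll.dll, kernel32.dll, WININET.dll,
                                   IEFRAME.dll, urlmon.dll
iexplore.exe                  5484 ntdll.dll, kernel32.dll, WININET.dll,
                                   IEFRAME.dll, mshtml.dll, jscript.dll,
                                   Flash10c.ocx, wdmaud.drv, MMDevAPI.DLL,
                                   AUDIOSES.DLL, audioeng.dll
"""

# Assumption (editor's choice): user-mode audio components on Vista whose
# presence in a browser process means it is playing sound.
AUDIO_MODULES = {"mmdevapi.dll", "audioses.dll", "audioeng.dll", "wdmaud.drv"}

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")


def _split_modules(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_tasklist_modules(text):
    """Return an ordered dict {pid: (image_name, [module names])}."""
    procs = OrderedDict()
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # blank line or table header
        if line[0].isspace():
            # Indented line: continuation of the previous process's module list.
            if current is not None:
                procs[current][1].extend(_split_modules(line))
            continue
        m = RECORD.match(line)
        if not m:
            continue
        image, pid, mods = m.group(1), int(m.group(2)), m.group(3)
        current = pid
        procs[pid] = (image, _split_modules(mods))
    return procs


def modules_only_in(procs, pid_a, pid_b):
    """Modules loaded in pid_a but not in pid_b (case-insensitive, sorted)."""
    a = {m.lower() for m in procs[pid_a][1]}
    b = {m.lower() for m in procs[pid_b][1]}
    return sorted(a - b)


def audio_players(procs):
    """PIDs whose module list contains any of the audio-stack indicators."""
    return [pid for pid, (_, mods) in procs.items()
            if AUDIO_MODULES & {m.lower() for m in mods}]


if __name__ == "__main__":
    procs = parse_tasklist_modules(SAMPLE_TASKLIST)
    for pid, (image, mods) in procs.items():
        print(f"{image} {pid}: {len(mods)} modules")
    print("audio stack loaded in PIDs:", audio_players(procs))
    print("only in 5484:", modules_only_in(procs, 5484, 4228))
```

Run against a live capture, the same diff is what you would use to pick the PID to suspend (not kill) before dumping it, so the injected content and its network connections survive for inspection.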
Post #3 | Nov 27 2009, 08:19 PM
I know the drill! | Group: Malware Response Team | Posts: 9,284 | Joined: 24-July 08 | From: London | Member No.: 224,929
Hi,
Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
Can you run RootRepeal

We need to check for rootkits with RootRepeal.

--------------------
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)
m0le can be found at Bleeping Computer, Geeks To Go, and SpywareHammer
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks
Post #4 | Nov 30 2009, 01:41 AM
Member | Group: Members | Posts: 18 | Joined: 19-November 09 | Member No.: 405,104
No, I can't. It just freezes up my entire computer and I have to do a hard reboot.
Post #5 | Nov 30 2009, 04:41 PM
I know the drill! | Group: Malware Response Team | Posts: 9,284 | Joined: 24-July 08 | From: London | Member No.: 224,929
Okay, let's run a small program to try and work out what's orchestrating this all.
Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

Then

Please copy the contents of the code box below, open Notepad and paste it there. On the top toolbar in Notepad select File, then Save As. In the box that opens type in peek.bat for the file name. Right below that, click the down arrow in the line for "Save as type" and select All Files. Save this to your desktop and close Notepad.

CODE
@ECHO OFF
REM List every copy of these DLLs under C:\WINDOWS (System32 and the WinSxS store) with date and size
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
REM Open the listing in the default text viewer, then delete this batch file
START Log.txt
DEL %0

Locate the peek.bat icon on your desktop and double click it. Then copy and paste the resulting log in your next reply.

Thanks
Post #6 | Dec 3 2009, 08:24 PM
I know the drill! | Group: Malware Response Team | Posts: 9,284 | Joined: 24-July 08 | From: London | Member No.: 224,929
Hi,
I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer, as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC, making it more difficult to help you. If you like you can PM me.

Thanks,
m0le
Post #7 | Dec 5 2009, 07:38 AM
I know the drill! | Group: Malware Response Team | Posts: 9,284 | Joined: 24-July 08 | From: London | Member No.: 224,929
Since this issue appears to be resolved ... this topic has been closed. Glad we could help.
If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread. Everyone else please begin a New Topic.
Post #8 | Dec 17 2009, 05:10 PM
Member | Group: Members | Posts: 18 | Joined: 19-November 09 | Member No.: 405,104
Win32kdiag.exe

Running from: C:\Users\Administrator\Desktop\Win32kDiag.exe
Log file at : C:\Users\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Finished!

Peek.bat

 Volume in drive C has no label.
 Volume Serial Number is FCD8-7D07

 Directory of C:\WINDOWS\System32

04/11/2009  12:28 AM           177,152 scecli.dll

 Directory of C:\WINDOWS\System32

04/11/2009  12:28 AM           592,896 netlogon.dll

 Directory of C:\WINDOWS\System32

11/02/2006  03:46 AM            11,776 cngaudit.dll
               3 File(s)        781,824 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006  03:46 AM            11,776 cngaudit.dll
               1 File(s)         11,776 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/20/2008  08:24 PM           177,152 scecli.dll
               1 File(s)        177,152 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009  12:28 AM           177,152 scecli.dll
               1 File(s)        177,152 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/20/2008  08:24 PM           592,384 netlogon.dll
               1 File(s)        592,384 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009  12:28 AM           592,896 netlogon.dll
               1 File(s)        592,896 bytes

     Total Files Listed:
               8 File(s)      2,333,184 bytes
               0 Dir(s)  404,312,649,728 bytes free
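What the peek.bat listing is for: the `DIR /a/s` walks both System32 and the WinSxS component store, so each live DLL can be compared against the pristine copies Windows keeps for servicing. A live scecli.dll or netlogon.dll whose size matches none of its store copies is the classic sign of a patched system DLL and should be hashed and replaced from the store. In the listing posted above every live copy does match a store copy (scecli.dll 177,152, netlogon.dll 592,896 and cngaudit.dll 11,776 all have an identical-size copy under winsxs), and eventlog.dll is not present anywhere, which is expected on Vista. The script below is an added example by the editor, not code from the thread: it parses `DIR /s` output of that shape and reports live copies with no matching store size plus target names that were not found at all. The sample is constructed from the shape of the posted log, cut down, with one deliberately mismatched netlogon.dll size so that the check produces a hit; the date format regex assumes the US locale `DIR` output shown in the thread.

```python
"""Compare live System32 DLLs against WinSxS store copies using the output
of `DIR /a/s` (as produced by peek.bat).  Editor-added example; the sample
below is constructed and contains one deliberate size mismatch."""
import re
from collections import defaultdict

# The four DLLs peek.bat looks for (from the batch file in the thread).
PEEK_TARGETS = ["scecli.dll", "netlogon.dll", "eventlog.dll", "cngaudit.dll"]

# Assumption: US-locale DIR output, e.g. "04/11/2009  12:28 AM   177,152 scecli.dll".
DIR_LINE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$")
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")

# Constructed sample: netlogon.dll in System32 is 592,896 bytes but the only
# store copy listed is 592,384, so it must be flagged.  cngaudit.dll and
# eventlog.dll are deliberately absent so they show up as "missing".
SAMPLE_DIR = r"""
 Volume in drive C has no label.
 Volume Serial Number is FCD8-7D07

 Directory of C:\WINDOWS\System32

04/11/2009  12:28 AM           177,152 scecli.dll

 Directory of C:\WINDOWS\System32

04/11/2009  12:28 AM           592,896 netlogon.dll
               2 File(s)        770,048 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009  12:28 AM           177,152 scecli.dll
               1 File(s)        177,152 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/20/2008  08:24 PM           592,384 netlogon.dll
               1 File(s)        592,384 bytes
"""


def parse_dir_output(text):
    """Return {filename_lower: [(directory, size_in_bytes), ...]}."""
    found = defaultdict(list)
    current_dir = None
    for line in text.splitlines():
        h = DIR_HEADER.match(line)
        if h:
            current_dir = h.group(1)
            continue
        m = DIR_LINE.match(line)
        if m and current_dir is not None:
            size = int(m.group(3).replace(",", ""))  # strip thousands separators
            found[m.group(4).lower()].append((current_dir, size))
    return found


def is_live_copy(directory):
    """The live copy is whichever one sits outside the WinSxS component store."""
    return "\\winsxs\\" not in directory.lower()


def check_against_store(found, expected_names):
    """Return (mismatches, missing).

    mismatches: (name, live_dir, live_size, [store sizes]) for every live copy
                whose size equals none of its store copies.
    missing:    expected names that did not appear in the listing at all."""
    mismatches = []
    for name, copies in found.items():
        store_sizes = sorted({s for d, s in copies if not is_live_copy(d)})
        for d, s in copies:
            if is_live_copy(d) and s not in store_sizes:
                mismatches.append((name, d, s, store_sizes))
    missing = sorted(n for n in expected_names if n.lower() not in found)
    return mismatches, missing


if __name__ == "__main__":
    found = parse_dir_output(SAMPLE_DIR)
    mismatches, missing = check_against_store(found, PEEK_TARGETS)
    for name, d, s, store in mismatches:
        print(f"SUSPECT {name}: live copy in {d} is {s} bytes, store copies {store}")
    print("not found anywhere:", missing)
```

A size match is only a first filter: a patched DLL can keep its original length. Follow a suspicious hit by hashing the live file and the store copy (on Vista, `certutil -hashfile <path> SHA1`) and by checking the Authenticode signature with `sigverif` or `signtool verify`.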
Post #9 | Dec 17 2009, 09:57 PM
Member | Group: Members | Posts: 18 | Joined: 19-November 09 | Member No.: 405,104
Oh, and I don't have a desktop or system tray. I get a system shell error notification icon. I have to use the file system and use Run through Task Manager; well, Process Explorer is what I use.

This post has been edited by Jlegion: Dec 17 2009, 09:59 PM
Post #10 | Dec 22 2009, 05:46 PM
I know the drill! | Group: Malware Response Team | Posts: 9,284 | Joined: 24-July 08 | From: London | Member No.: 224,929
Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1, Link 2, Link 3, Link 4

Then

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
Post #11 | Dec 27 2009, 07:51 AM
I know the drill! | Group: Malware Response Team | Posts: 9,284 | Joined: 24-July 08 | From: London | Member No.: 224,929
Hi,
I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer, as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC, making it more difficult to help you. If you like you can PM me.

Thanks,
m0le
Dec 27 2009, 03:12 PM
Post
#12
|
|
|
Member ![]() ![]() Group: Members Posts: 18 Joined: 19-November 09 Member No.: 405,104 |
Yes, I still have the issue and am doing the last suggestion now. I was at my family's for Christmas.

Dec 27 2009, 03:59 PM, Post #13
Member, Group: Members, Posts: 18, Joined: 19-November 09, Member No.: 405,104
RKill ran fine, but it would close my explorer.exe process. Comfix.exe doesn't work; the little blue box flashes too quickly to read it all, but it starts with Access Denied and restarts my computer. I saved it to my desktop and renamed it to comfix.exe as instructed. I also disabled my Norton anti-virus and firewall before running. When I would run Comfix.exe it would say that CD emulator engines were running and had to be disabled before continuing; I click OK, and that is when the blue box would get writing in it, close and restart my PC. I am not sure if it has anything to do with the problem with the program, but as I stated before, I have no desktop or system tray. I have to use the explorer.exe process to access the file system and that is how I navigate my computer. Oh, and I have noticed that my USBs do not work.

Dec 27 2009, 04:22 PM, Post #14
I know the drill! Group: Malware Response Team, Posts: 9,284, Joined: 24-July 08, From: London, Member No.: 224,929
Can you run ExeHelper and then Gmer?
Please download exeHelper to your desktop. Double-click on exeHelper.com to run the fix. A black window should pop up; press any key to close once the fix is completed. Post the contents of exehelperlog.txt (will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).
Then please download GMER from one of the following locations and save it to your desktop:

Dec 27 2009, 04:58 PM, Post #15
Member, Group: Members, Posts: 18, Joined: 19-November 09, Member No.: 405,104
exeHelper by Raktor
Build 20091220
Run at 15:34:28 on 12/27/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished
================================================================================ =====================

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-27 15:56:09
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\uxldapod.sys

---- System - GMER 1.0.15 ----
SSDT 871A1150 ZwAlertResumeThread
SSDT 86F375D8 ZwAlertThread
SSDT 87372320 ZwAllocateVirtualMemory
SSDT 86BFE1D0 ZwAlpcConnectPort
SSDT 86AF3430 ZwAssignProcessToJobObject
SSDT 87300008 ZwCreateMutant
SSDT 87301920 ZwCreateSymbolicLinkObject
SSDT 86E56FB0 ZwCreateThread
SSDT 86FAB3C0 ZwDebugActiveProcess
SSDT 87372530 ZwDuplicateObject
SSDT 87346B28 ZwFreeVirtualMemory
SSDT 86FAADC0 ZwImpersonateAnonymousToken
SSDT 87003E28 ZwImpersonateThread
SSDT 86BDCE18 ZwLoadDriver
SSDT 873469C8 ZwMapViewOfSection
SSDT 86469810 ZwOpenEvent
SSDT 87372790 ZwOpenProcess
SSDT 86E1C150 ZwOpenProcessToken
SSDT 86F1AC48 ZwOpenSection
SSDT 87372640 ZwOpenThread
SSDT 8755FF80 ZwProtectVirtualMemory
SSDT 86BE56B8 ZwResumeThread
SSDT 874CC150 ZwSetContextThread
SSDT 86E7D818 ZwSetInformationProcess
SSDT 8727C150 ZwSetSystemInformation
SSDT 86FDE150 ZwSuspendProcess
SSDT 87309150 ZwSuspendThread
SSDT 86E41538 ZwTerminateProcess
SSDT 86E01E80 ZwTerminateThread
SSDT 87041410 ZwUnmapViewOfSection
SSDT 87346EB8 ZwWriteVirtualMemory
SSDT 87301E70 ZwCreateThreadEx
INT 0x52 ? 84059BF8
INT 0x62 ? 84059BF8
INT 0x63 ? 84058EB0
INT 0x84 ? 85871BF8
INT 0xB3 ? 84058EB0
INT 0xB4 ? 85871BF8

---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 11D 81EAC860 8 Bytes [50, 11, 1A, 87, D8, 75, F3, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 81EAC874 4 Bytes [20, 23, 37, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 81EAC880 4 Bytes [D0, E1, BF, 86]
.text ntkrnlpa.exe!KeSetEvent + 191 81EAC8D4 4 Bytes [30, 34, AF, 86]
.text ntkrnlpa.exe!KeSetEvent + 1F5 81EAC938 4 Bytes [08, 00, 30, 87]
.text ...
? System32\Drivers\spdy.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 87FE141B 5 Bytes JMP 858711D8

---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[772] ole32.dll!CoCreateInstance 75EF9EA6 5 Bytes JMP 0098000A

---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806116D6] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80611042] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80611800] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806110C0] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8061113E] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [80620E9C] \SystemRoot\System32\Drivers\spdy.sys

---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74237817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7428A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7423BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7422F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [742375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7422E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74268395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7423DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7422FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7422FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [742271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [742BCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7425C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7422D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74226853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7422687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74232AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 84E401F8
Device \FileSystem\udfs \UdfsCdRom 871CC1F8
Device \FileSystem\udfs \UdfsDisk 871CC1F8
Device \Driver\volmgr \Device\VolMgrControl 8405B1F8
Device \Driver\usbohci \Device\USBPDO-0 859C5500
Device \Driver\usbehci \Device\USBPDO-1 859C2500
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\volmgr \Device\HarddiskVolume1 8405B1F8
Device \Driver\cdrom \Device\CdRom0 859D0500
Device \Driver\cdrom \Device\CdRom1 859D0500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E3E1F8
Device \Driver\atapi \Device\Ide\IdePort0 84E3E1F8
Device \Driver\atapi \Device\Ide\IdePort1 84E3E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 84E3E1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 86E06358
Device \Driver\netbt \Device\NetBT_Tcpip_{5C3CFCCB-8DD4-4719-9428-72B084B51BD0} 86E06358
Device \Driver\Smb \Device\NetbiosSmb 86DF0420
Device \Driver\nvstor32 \Device\RaidPort0 84E3F1F8
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\nvstor32 \Device\RaidPort1 84E3F1F8
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\iScsiPrt \Device\RaidPort2 8598E500
Device \Driver\usbohci \Device\USBFDO-0 859C5500
Device \Driver\usbehci \Device\USBFDO-1 859C2500
Device \Driver\00001816 -> \Driver\nvstor32 \Device\Harddisk0\DR0 87076E07

---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x38 0x0F 0x98 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x38 0x0F 0x98 0x02 ...

---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\nvstor32.sys suspicious modification

---- EOF - GMER 1.0.15 ----
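A triage pass over GMER output like the log above, added here as an example and not GMER's, the forum's or either poster's code: it pulls out the entries a responder reads first, namely a driver GMER cannot find on disk, kernel IAT imports redirected into that missing driver, inline JMP hooks, and files GMER marks as modified. The sample log is constructed from lines of the scan above, using GMER's two-line layout for the unresolvable driver and a shortened WinSxS path on the user-mode IAT line; everything else is assumed to follow the line formats shown in the log.

```python
import re

# Constructed sample: lines taken from the GMER scan above, in GMER's own
# layout (the WinSxS path on the user-mode IAT line is shortened for width).
SAMPLE_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----
? System32\Drivers\spdy.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 87FE141B 5 Bytes JMP 858711D8
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[772] ole32.dll!CoCreateInstance 75EF9EA6 5 Bytes JMP 0098000A
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806116D6] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [80620E9C] \SystemRoot\System32\Drivers\spdy.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74226853] C:\Windows\WinSxS\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\nvstor32.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
MISSING_RE = re.compile(r"^\? (\S+) The system cannot find the path")
JMP_RE = re.compile(r"^\.text (.+?) ([0-9A-F]+) (\d+) Bytes JMP ([0-9A-F]+)")
IAT_RE = re.compile(r"^IAT (\S+)\[(\S+?)\] \[([0-9A-F]+)\] (\S+)")
FILE_RE = re.compile(r"^File (\S+) (.+)$")


def triage(log):
    """Return (kind, detail) pairs for the entries a responder reads first."""
    findings, missing, section = [], set(), ""
    for line in log.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := MISSING_RE.match(line):
            # GMER prints kernel code sections before the IAT tables, so a driver
            # it cannot find on disk is already known when IAT targets are checked.
            missing.add(m.group(1).rsplit("\\", 1)[-1].lower())
            findings.append(("hidden-driver", m.group(1)))
        elif m := JMP_RE.match(line):
            # Function prologue overwritten with a JMP, in kernel or user mode.
            findings.append(("inline-jmp-hook", f"{section}: {m.group(1)} -> {m.group(4)}"))
        elif (m := IAT_RE.match(line)) and section.startswith("Kernel"):
            target = m.group(4)
            if target.rsplit("\\", 1)[-1].lower() in missing:
                # Disk/keyboard driver import redirected into the hidden driver.
                findings.append(("kernel-iat-to-hidden-driver", f"{m.group(1)}[{m.group(2)}] -> {target}"))
        elif (m := FILE_RE.match(line)) and "suspicious" in m.group(2):
            findings.append(("modified-file", m.group(1)))
    return findings
```

Ordinary user-mode IAT entries that resolve to a signed system DLL, such as the Explorer gdiplus.dll imports above, produce no finding.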