
Backdoor Trojan and Malware


This topic is locked
9 replies to this topic

#1 Audi_vW

Audi_vW

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:12:01 AM

Posted 25 November 2008 - 02:01 PM

Hello team! It has been a while since I have been on here, I think since '06, mainly due to the fact that my computer has been clean thanks to Mr Jak3. :thumbsup: This is my Aunt's computer, and here is the first problem. After running Zone Alarm Security Suite and its virus/spyware scanner, along with Ad-Aware and Registry Mechanic, many of the infections were removed. However, now when starting the computer this error comes up - "Windows cannot find 'mssvces.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."
Any ideas on how to get rid of this error would be appreciated. Also, I know mssvces.exe is a nasty bugger, and I am afraid that not everything has been removed - here is the HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:43 PM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CBeyond\SecureBackup\Online-Backup.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.east.cbeyond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe mssvces.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdftk.exe] C:\WINDOWS\system32\kdftk.exe
O4 - HKLM\..\RunOnce: [AskSBar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: CBeyond Secure Backup & Fileshare.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205265495030
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B456C2D-28DB-4AB6-99D0-CDB86AED3FC5}: NameServer = 85.255.112.184;85.255.112.67
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA02D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8892 bytes

Also, any input as to what software I have installed on my Aunt's computer would be appreciated. I now use Vista myself, and use different programs. For this computer's XP Service Pack 3 I run Zone Alarm Security Suite 8.0.59 - Ad-Aware - SpywareBlaster - Glary Utilities. Any other input on programs is also welcome.
I will be patiently waiting for a response. Thank you!
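As an added example (not code from the thread, from HijackThis or from BleepingComputer), here is a small Python triage script that applies the checks a responder makes on a log like the one above: a Winlogon Shell value that launches more than Explorer.exe (the F2 line), a Run value named after its own path (the kdftk.exe O4 line), statically configured name servers outside the LAN (the O17 line) and a service with no owner information (O23). The sample lines are constructed to mirror those entries, with one benign line per section for contrast.

```python
"""Triage a HijackThis v2 log for the kinds of indicators seen in the
thread's log: a Winlogon Shell chain, self-named Run entries, statically
set DNS servers and services with no owner information.

Added example; not part of the thread or of HijackThis itself."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample in the HijackThis line format; entries mirror the
# thread's log, with one benign line per section for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe mssvces.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdftk.exe] C:\WINDOWS\system32\kdftk.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B456C2D-28DB-4AB6-99D0-CDB86AED3FC5}: NameServer = 85.255.112.184;85.255.112.67
O23 - Service: Software Jukebox v2.0 Service - Unknown owner - C:\Program Files\Common Files\MSJB NA02D Shared\Service\Software Jukebox v2.0 Service File.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F2"
    severity: str  # "high" or "review"
    detail: str
    line: str


F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_NS = re.compile(r"^O17 - .*: NameServer = (?P<servers>[0-9.;, ]+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")


def is_lan_address(ip: str) -> bool:
    """True for private, loopback or link-local addresses (a router or local resolver)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def triage_line(line: str) -> list[Finding]:
    """Apply the section-specific check to one log line."""
    line = line.strip()
    findings: list[Finding] = []
    if m := F2_SHELL.match(line):
        # Winlogon's Shell value should be exactly Explorer.exe; every extra
        # token is a program started alongside the shell at each logon.
        extra = [t for t in m["shell"].split() if t.lower() != "explorer.exe"]
        if extra:
            findings.append(Finding("F2", "high",
                f"Shell launches extra binaries at logon: {', '.join(extra)}", line))
    elif m := O4_RUN.match(line):
        name, cmd = m["name"], m["cmd"].strip('"')
        # A Run value whose name is its own full path is the pattern of an
        # auto-generated entry rather than an installer-chosen name.
        if name.lower() == cmd.lower():
            findings.append(Finding("O4", "review",
                f"Run value named after its own path: {cmd}", line))
    elif m := O17_NS.match(line):
        servers = [s for s in re.split(r"[;, ]+", m["servers"]) if s]
        public = [s for s in servers if not is_lan_address(s)]
        # O17 lists statically configured DNS servers; a home/SOHO box
        # normally learns DNS from DHCP, so a hard-coded public resolver
        # must be checked against the ISP's or router's addresses.
        if public:
            findings.append(Finding("O17", "high",
                f"Statically set non-LAN DNS servers: {', '.join(public)}", line))
    elif m := O23_SVC.match(line):
        # HijackThis prints "Unknown owner" when the binary carries no
        # company information, which is worth a second look for a service.
        if m["owner"].strip().lower() == "unknown owner":
            findings.append(Finding("O23", "review",
                f"Service {m['svc']!r} has no vendor information: {m['path']}", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run every non-blank line through the checks; findings come back in log order."""
    return [f for line in log_text.splitlines() if line.strip() for f in triage_line(line)]


def findings_by_section(log_text: str) -> dict[str, list[str]]:
    """Group finding details by HijackThis section code."""
    grouped: dict[str, list[str]] = {}
    for f in triage(log_text):
        grouped.setdefault(f.section, []).append(f.detail)
    return grouped


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Flagged entries are leads for a reviewer, not verdicts: the script reports what deviates from a default configuration, and confirming each item still needs the file itself or the vendor's documentation.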



#2 Billy O'Neal (Malware Response Team)
Posted 01 December 2008 - 06:41 PM

Hello, Audi_vW
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • GMER's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Audi_vW (Topic Starter)

Posted 03 December 2008 - 03:49 PM

Hello Mr. O'Neal :thumbsup: I have been a member since '06, but thank you for the welcome and thank you for taking the time looking into potential problems. Before I show the scan txts I would like to tell you that in the GMER scan I included the D drive. On this computer it is shop/work based and the D drive has a Secure Backup and Fileshare account. But, since the infections, who knows if it is secure anymore; well, you'll know! :) Also, on the OTViewIt scan I left the Use Whitelist check marked, but I'm guessing you knew that since you didn't say otherwise. If any of this is wrong, tell me and I will happily re-do the scans as needed.

OTViewIt.txt

OTViewIt logfile created on: 12/3/2008 1:56:22 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.86% Memory free
2.58 Gb Paging File | 2.00 Gb Available in Paging File | 77.45% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.50 Gb Total Space | 50.15 Gb Free Space | 72.16% Space Free | Partition Type: NTFS
Drive D: | 5.02 Gb Total Space | 1.00 Gb Free Space | 19.97% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-US67PI6LUV
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/10/09 14:25:32 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
[2008/06/03 22:59:02 | 00,139,264 | ---- | M] () -- C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
[2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[1998/05/07 17:04:38 | 00,052,736 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system\hpsysdrv.exe
[2002/06/18 00:11:24 | 00,069,632 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
[2001/07/06 22:56:56 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\hp\KBD\KBD.EXE
[2002/07/16 09:03:00 | 00,106,549 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfswctrl.exe
[2002/05/15 04:29:02 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
[2002/05/15 04:20:50 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2003/07/14 13:55:01 | 01,028,096 | ---- | M] (SBC Yahoo!) -- C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
[2002/09/10 21:26:26 | 00,368,706 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe
[2005/08/24 07:51:18 | 00,442,455 | ---- | M] (Motive, Inc.) -- C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe
[2008/10/09 14:25:34 | 00,981,904 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2007/07/12 13:49:54 | 01,953,792 | ---- | M] (Online Backup) -- C:\Program Files\CBeyond\SecureBackup\Online-Backup.exe
[2002/07/24 18:33:16 | 00,069,632 | ---- | M] () -- C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
[2002/07/24 18:33:13 | 00,016,384 | ---- | M] () -- C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
[2005/02/24 01:31:56 | 00,663,552 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
[2008/05/30 07:37:30 | 00,808,208 | ---- | M] (SonicWALL, Inc.) -- C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
[2006/03/03 14:18:10 | 00,200,704 | ---- | M] (Yahoo!, Inc.) -- C:\Program Files\Yahoo!\browser\ycommon.exe
[2006/07/21 16:19:46 | 00,129,536 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\browser\ybrwicon.exe
[2004/06/23 18:23:00 | 00,015,360 | ---- | M] (Microsoft® Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
[2008/11/14 14:24:12 | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/12/03 13:54:23 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2002/05/03 18:06:00 | 00,061,440 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Stopped])
[2008/06/16 12:03:53 | 00,068,096 | ---- | M] () -- C:\Program Files\Common Files\MSJB NA02D Shared\Service\Software Jukebox v2.0 Service File.exe -- (Software Jukebox v2.0 Service [On_Demand | Stopped])
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2008/10/09 14:25:32 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
[2003/05/19 16:07:38 | 00,086,016 | ---- | M] (Yahoo! Inc.) -- C:\WINDOWS\system32\YPcservice.exe -- (YPCService [On_Demand | Stopped])

========== Driver Services ==========

[2004/10/07 19:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K [System | Running])
[2004/10/01 10:24:02 | 02,279,424 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
[2008/04/13 12:31:33 | 00,037,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Stopped])
[2008/04/13 12:39:46 | 00,206,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\dot4.sys -- (Dot4 [On_Demand | Running])
[2001/08/17 13:47:32 | 00,012,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4Prt.sys -- (Dot4Print [On_Demand | Running])
[2002/06/05 11:21:00 | 00,081,552 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
[2002/06/06 10:56:00 | 00,040,368 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])
[2001/08/17 13:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Stopped])
[2001/08/08 14:13:36 | 00,158,140 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x [On_Demand | Stopped])
[2001/08/08 14:13:30 | 00,012,479 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0 [On_Demand | Stopped])
[2001/08/08 14:13:30 | 00,012,031 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1 [On_Demand | Stopped])
[2001/08/08 14:13:30 | 00,011,679 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2 [On_Demand | Stopped])
[2001/08/08 14:13:28 | 00,011,999 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3 [On_Demand | Stopped])
[2001/08/08 14:13:28 | 00,019,359 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4 [On_Demand | Stopped])
[2001/08/08 14:13:24 | 00,029,215 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0 [On_Demand | Stopped])
[2001/08/08 14:13:24 | 00,019,199 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1 [On_Demand | Stopped])
[2001/08/08 14:13:26 | 00,033,503 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3 [On_Demand | Stopped])
[2001/08/08 14:13:24 | 00,023,519 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4 [On_Demand | Stopped])
[2002/05/22 20:42:54 | 00,078,045 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2008/09/18 18:15:14 | 00,148,496 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF [System | Running])
[2003/03/31 14:29:00 | 00,625,537 | ---- | M] (LT) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5 [On_Demand | Running])
[2002/07/24 17:36:23 | 00,028,164 | ---- | M] (MusicMatch, Inc.) -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k [On_Demand | Running])
[2008/11/19 17:21:42 | 00,027,904 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\system32\drivers\ndisprot.sys -- (Ndisprot [On_Demand | Stopped])
[2002/05/03 18:06:00 | 00,931,882 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])
[2001/08/17 13:50:26 | 00,731,648 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4 [On_Demand | Stopped])
[2001/12/07 22:26:00 | 00,013,502 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv_agp.SYS -- (nv_agp [Boot | Running])
[2002/03/08 22:40:10 | 00,013,780 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
[2001/06/04 15:00:00 | 00,014,112 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2 [On_Demand | Running])
[2001/08/18 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2006/10/03 11:21:48 | 00,036,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2004/08/03 23:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139 [On_Demand | Running])
[2002/07/13 05:27:04 | 00,155,008 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr [On_Demand | Stopped])
[2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2002/04/08 23:44:56 | 00,188,032 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315 [On_Demand | Stopped])
[2001/12/27 04:52:58 | 00,027,136 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\SISAGP.SYS -- (SISAGP [Boot | Running])
[2008/04/21 07:19:58 | 00,051,648 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
[2002/06/19 17:43:44 | 00,005,589 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
[2002/06/19 17:42:58 | 00,022,995 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln [System | Running])
[2005/07/07 10:14:46 | 00,002,368 | ---- | M] (AntiCracking) -- C:\WINDOWS\system32\SVKP.sys -- (SVKP [Auto | Running])
[2002/07/16 09:03:00 | 00,023,701 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])
[2002/07/16 09:03:00 | 00,034,805 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])
[2002/07/16 09:03:00 | 00,004,117 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])
[2002/07/16 09:03:00 | 00,002,201 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres [Auto | Running])
[2002/07/16 09:03:00 | 00,054,900 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])
[2002/07/16 09:03:00 | 00,014,421 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])
[2002/07/16 09:03:00 | 00,006,325 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])
[2002/07/16 09:03:00 | 00,091,156 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])
[2002/07/16 09:03:00 | 00,095,125 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])
[2002/03/04 12:10:00 | 00,027,648 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1 [Boot | Running])
[2008/10/09 14:25:36 | 00,353,680 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant [System | Running])
[2001/08/18 06:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [System | Running])
[2002/05/22 20:43:56 | 00,090,336 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [System | Running])
[2002/05/22 20:44:06 | 00,069,504 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://srch-us6.hpwis.com/
"CustomSearch"=http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html
"SearchAssistant"=http://srch-us6.hpwis.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://us6.hpwis.com/
"Default_Search_URL"=http://srch-us6.hpwis.com/
"First Home Page"=http://go.microsoft.com/fwlink/?LinkId=54843
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=https://mail.east.cbeyond.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = 127.0.0.1;localhost

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://yahoo.sbc.com/dial

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://yahoo.sbc.com/dial

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://us6.hpwis.com/
"Default_Search_URL"=http://srch-us6.hpwis.com/
"First Home Page"=http://go.microsoft.com/fwlink/?LinkId=54843
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=https://mail.east.cbeyond.com/

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = 127.0.0.1;localhost

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (HKLM) -- C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (HKLM) -- C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} (HKLM) -- C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" (HKLM) -- C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" (HKLM) -- C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" (HKLM) -- C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" (HKLM) -- C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" (HKLM) -- C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"AlcxMonitor"=ALCXMNTR.EXE (Realtek Semiconductor Corp.)
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
"C:\WINDOWS\system32\kdftk.exe"=C:\WINDOWS\system32\kdftk.exe File not found
"CamMonitor"=c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe ()
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe (VERITAS Software, Inc.)
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
"hpsysdrv"=c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" (Visual Networks)
"KBD"=C:\HP\KBD\KBD.EXE (Hewlett-Packard Company)
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe (Motive, Inc.)
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize (Microsoft Corporation)
"nwiz"=nwiz.exe /install (NVIDIA Corporation)
"PS2"=C:\WINDOWS\system32\ps2.exe (Hewlett-Packard Company)
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE ()
"SBC Yahoo! Connection Manager"="C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe" (SBC Yahoo!)
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r (VERITAS Software, Inc.)
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe 1 File not found

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe 1 File not found

========== (O4) Startup Folders ==========

[2001/09/17 19:22:52 | 00,036,864 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
[2003/10/10 09:06:10 | 00,217,088 | ---- | M] (Motive Communications, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
[2008/11/14 10:43:08 | 00,002,238 | R--- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CBeyond Secure Backup & Fileshare.lnk = C:\WINDOWS\Installer\{814DC532-769B-4084-BAAD-E300E8DA1E75}\_00C00060B55C3B5EAC1B51.exe
[2002/07/24 18:33:16 | 00,069,632 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
[2002/07/24 18:33:13 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
[2005/02/24 01:31:56 | 00,663,552 | ---- | M] (Intuit, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
[2001/09/17 19:22:52 | 00,036,864 | ---- | M] () -- C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}: Button: AT&T Yahoo! Services -- %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [2006/10/31 15:33:54 | 00,198,136 | ---- | M] (Yahoo! Inc.)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 12:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> [2006/10/31 15:33:54 | 00,198,136 | ---- | M] (Yahoo! Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> [2006/10/31 15:33:54 | 00,198,136 | ---- | M] (Yahoo! Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> [2006/10/31 15:33:54 | 00,198,136 | ---- | M] (Yahoo! Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> [2006/10/31 15:33:54 | 00,198,136 | ---- | M] (Yahoo! Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery
Extension\.spop: -- C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll [2001/01/30 21:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
sbcglobal.net: * in Trusted sites
sbcglobal.net: http in Trusted sites
sbcglobal.net: https in Trusted sites
yahoo.com: * in Trusted sites
yahoo.com: http in Trusted sites
yahoo.com: https in Trusted sites
26 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-3852255402-2731309904-3410288154-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
sbcglobal.net: * in Trusted sites
sbcglobal.net: http in Trusted sites
sbcglobal.net: https in Trusted sites
yahoo.com: * in Trusted sites
yahoo.com: http in Trusted sites
yahoo.com: https in Trusted sites
26 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{0000000A-9980-0010-8000-00AA00389B71}: http://download.microsoft.com/download/8/B...42/wmsp9dmo.cab -- Reg Error: Key does not exist or could not be opened.
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}: http://img.member.yahoo.com/dl/atty/yinst_current.cab -- YInstStarter Class
{33564D57-0000-0010-8000-00AA00389B71}: http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB -- Reg Error: Key does not exist or could not be opened.
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://www.update.microsoft.com/microsoftu...b?1205265495030 -- MUWebControl Class
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{A17E30C4-A9BA-11D4-8673-60DB54C10000}: http://download.yahoo.com/dl/installs/ymail/ymmapi.dll -- YahooYMailTo Class
{B9191F79-5613-4C76-AA2A-398534BB8999}: http://download.yahoo.com/dl/installs/yab_af.cab -- YAddBook Class
{D18F962A-3722-4B59-B08D-28BB9EB2281E}: http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab -- PhotosCtrl Class
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab -- Shockwave Flash Object
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{5B456C2D-28DB-4AB6-99D0-CDB86AED3FC5} (Servers: 85.255.112.184;85.255.112.67 | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC)
{F9FE496B-7F93-4CCD-A8F8-B82F8635C54D} (Servers: | Description: 1394 Net Adapter)

========== (O20) HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=Explorer.exe mssvces.exe
>File not found --

"System"=kdftk.exe
>File not found --


========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2002/07/24 01:18:29 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTOEXEC.BAT []
[2001/07/28 06:07:38 | 00,000,000 | ---- | M] () -- D:\AUTOEXEC.BAT -- [ FAT32 ]

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2008/12/03 13:55:11 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2008/12/03 13:54:22 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2008/12/03 10:52:03 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Builders Letter.3 wps.wps
[2008/12/02 16:56:52 | 00,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\MerimacMachineCancelation.wps
[2008/11/25 17:31:37 | 00,018,432 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Faith Attendance.12-08.wps
[2008/11/25 16:41:22 | 00,097,280 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Faith Grp Ldrs List.12-08.wps
[2008/11/25 12:42:17 | 00,001,745 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2008/11/25 12:42:16 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/11/25 12:31:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2008/11/25 12:28:57 | 00,267,592 | ---- | C] (Ask.com) -- C:\Program Files\Uninstall Ask Toolbar.dll
[2008/11/25 12:28:25 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2008/11/19 19:51:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\GlarySoft
[2008/11/19 19:49:14 | 00,000,384 | ---- | C] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2008/11/19 19:48:01 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2008/11/19 19:46:11 | 00,000,312 | ---- | C] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2008/11/19 19:46:00 | 00,000,000 | ---D | C] -- C:\Program Files\Glary Utilities
[2008/11/19 18:47:00 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2008/11/19 17:32:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\WinRAR
[2008/11/19 17:32:00 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2008/11/19 17:21:42 | 00,027,904 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ndisprot.sys
[2008/11/19 17:20:57 | 00,000,000 | RHSD | C] -- C:\resycled
[2008/11/19 14:21:18 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2008/11/19 14:21:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/11/19 14:20:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2008/11/19 14:01:48 | 00,001,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2008/11/19 13:51:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads
[2008/11/19 13:38:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\MailFrontier
[2008/11/19 13:25:54 | 00,148,496 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2008/11/19 12:41:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2008/11/19 12:25:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2008/11/19 12:25:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2008/11/19 12:25:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2008/11/14 10:43:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\CBeyond
[2008/11/14 10:43:05 | 00,002,387 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CBeyond Secure Backup & Fileshare.lnk
[2008/11/14 10:43:04 | 00,002,393 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CBeyond Secure Backup & Fileshare.lnk
[2008/11/14 10:43:03 | 00,000,000 | ---D | C] -- C:\Program Files\CBeyond
[2008/11/13 09:50:24 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2008/11/11 11:12:23 | 00,085,504 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Price Book.Mirrors.wps
[2008/11/04 15:25:45 | 00,012,288 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\QUOTE.Anytime Fitness.wps
[2008/11/04 15:15:41 | 00,010,752 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\QUOTE for email.wps

========== Files - Modified Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2008/12/03 13:56:50 | 62,648,352 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2008/12/03 13:55:15 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2008/12/03 13:54:23 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2008/12/03 13:44:03 | 00,001,113 | ---- | M] () -- C:\rollback.ini
[2008/12/03 10:52:03 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Builders Letter.3 wps.wps
[2008/12/03 10:52:03 | 00,013,060 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2008/12/02 16:56:52 | 00,011,264 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\MerimacMachineCancelation.wps
[2008/12/02 14:21:13 | 00,097,280 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Faith Grp Ldrs List.12-08.wps
[2008/12/02 09:45:17 | 00,220,160 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Daily Schedule .wps
[2008/12/01 10:00:03 | 00,000,384 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2008/12/01 03:10:00 | 00,000,252 | ---- | M] () -- C:\WINDOWS\tasks\dfrg.job
[2008/11/25 17:46:19 | 00,097,280 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Faith Class Ind.Grp.Ldr.Sheets.wps
[2008/11/25 17:32:37 | 00,018,432 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Faith Attendance.12-08.wps
[2008/11/25 16:24:50 | 00,115,200 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Faith Grp Ldrs List.10-08.wps
[2008/11/25 13:25:19 | 00,349,221 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2008/11/25 13:24:55 | 00,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CBeyond Secure Backup & Fileshare.lnk
[2008/11/25 13:24:44 | 00,000,312 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2008/11/25 13:24:36 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/25 13:24:18 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/25 13:19:14 | 00,755,012 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2008/11/25 13:13:01 | 00,004,212 | RH-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2008/11/25 12:42:18 | 00,001,745 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2008/11/25 12:04:33 | 00,226,408 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/25 11:12:53 | 00,062,248 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/19 18:26:22 | 04,232,892 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2008/11/19 17:21:42 | 00,027,904 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ndisprot.sys
[2008/11/19 17:04:48 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/11/19 14:01:48 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2008/11/19 12:43:59 | 00,313,276 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/11/19 12:43:59 | 00,040,868 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/11/19 12:43:58 | 00,358,194 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/19 12:43:08 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2008/11/19 12:41:38 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/19 12:20:31 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2008/11/14 11:06:26 | 00,002,387 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CBeyond Secure Backup & Fileshare.lnk
[2008/11/11 13:15:51 | 00,013,824 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Faith Attendance.11-08.wps
[2008/11/11 11:20:18 | 00,085,504 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Price Book.Mirrors.wps
[2008/11/06 14:07:25 | 00,013,824 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\FAX.Harmon.Ins..wps
[2008/11/04 15:53:16 | 00,012,288 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\QUOTE.Anytime Fitness.wps
[2008/11/04 15:51:45 | 00,010,752 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\QUOTE for email.wps
[2008/11/03 18:10:25 | 17,318,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
< End of report >

Extra.txt

OTViewIt Extras logfile created on: 12/3/2008 1:56:22 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.86% Memory free
2.58 Gb Paging File | 2.00 Gb Available in Paging File | 77.45% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.50 Gb Total Space | 50.15 Gb Free Space | 72.16% Space Free | Partition Type: NTFS
Drive D: | 5.02 Gb Total Space | 1.00 Gb Free Space | 19.97% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-US67PI6LUV
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"antivirusdisablenotify"=1
"antivirusoverride"=1
"firewalldisablenotify"=1
"firewalldisableoverride"=1
"UpdatesDisableNotify"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 18:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 12:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE:*:Enabled:Yahoo! Messenger
[2006/10/26 21:21:50 | 00,091,640 | ---- | M] (Yahoo! Inc.) -- C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe:*:Enabled:Yahoo! FT Server
[2008/04/13 18:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 12:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/13 18:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/13 18:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/13 18:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2001/06/20 10:26:46 | 00,221,184 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{08CA9554-B5FE-4313-938F-D4A417B81175}"=QuickTime
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}"=RecordNow Update Manager
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}"=DLA
"{1EBB57D4-63FF-87CC-A0F0-D73982CF6008}"=Adobe Media Player
"{1EEE2A9F-6471-42fa-8923-E8879168CE26}"=HP Photo and Imaging 1.1 - Photosmart Cameras
"{237a4b22-78c2-11d6-a394-00104bd190b1}"=QuickBooks Pro Edition 2003
"{28BA89E7-2F60-4BE7-BAA2-7949EB3FE527}"=Blasterball Wild
"{29D88826-2AB9-11D5-8854-00902761A46D}"=WordPerfect Productivity Pack
"{2B5DDB2C-0807-47FD-9C11-80EA761902C0}"=easy Internet sign-up
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{357ECB62-CD36-4B63-B57E-769D0CA174F4}"=Blasterball 2
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}"=Microsoft Works
"{4EDAE550-ACA5-4EF6-88BD-9F2B8BC2982D}"=GemMaster 2
"{4F0AE1FB-4082-4A27-8363-05D292D92FB0}"=Virtual Warfare
"{5415BC25-6D6C-46C4-B34C-EA8470FE56D5}"=Blackhawk Striker
"{63272979-21F0-48EF-9B97-A83DBC05BE39}"=Disney's Lilo and Stitch Pinball
"{753FE96B-D926-4B6C-BCFB-CC59153D004A}"=Snowboard Extreme
"{7841B68B-B7DD-408E-8B45-D5CA39608185}"=Dark Orbit
"{814DC532-769B-4084-BAAD-E300E8DA1E75}"=Secure Backup and Fileshare
"{8214CC02-6271-4DC8-B8DD-779933450264}"=RecordNow
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel® 845G Chipset Graphics Driver Software
"{8AC16CAD-21FA-429F-9503-E7344B3787E6}"=WPOHotFix_atl
"{922B6E62-57DC-4153-97E3-12443BB5F9AE}"=SabreWing 2
"{96777B4D-1A97-492E-B5DA-C624AA675280}"=Atomic Pop
"{9FA01E11-9015-4140-B10A-5C6AA949B2FC}"=Space Rocks
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}"=VC 9.0 Runtime
"{A27EAF80-CBFC-4F56-94E1-929A401D7515}"=Betty Bad
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}"=Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-A81300000003}"=Adobe Reader 8.1.3
"{B279B0DA-6F60-4FBD-9847-0C9AB79A3674}"=PigPen
"{C1939820-A945-11D4-86F6-0001031E5712}"=InterVideo WinDVD
"{D6CAB2F4-26A4-48F4-A35D-CA83063E3928}"=Speedway
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E62C706B-1352-4DCA-B4D4-81C24750B70F}"=Detto IntelliMover Demo
"{F4808215-1A0C-4578-A43D-4E97BED64CED}"=Software Jukebox 2.0 NA-02D
"{F7A4D9BE-D989-45B9-BB49-2C0EA34B9991}"=Kublox
"{FF384BDE-429B-45AD-A0C6-E593393D9D1C}"=HP Memories Disc
"Adobe Acrobat 5.0"=Adobe Acrobat 5.0
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"ArcSoft ShowBiz"=ArcSoft ShowBiz
"ArcSoft Software Suite"=ArcSoft Software Suite
"BackWeb-137903 Uninstaller"=hp center
"BroadJump Client Foundation"=BroadJump Client Foundation
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Adobe Media Player
"Glary Utilities_is1"=Glary Utilities 2.8.0.366
"HijackThis"=HijackThis 2.0.2
"HP Instant Support"=HP Instant Support
"HPTOOLKIT"=hp toolkit
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Inactive HP Printer Drivers (Remove only)"=Inactive HP Printer Drivers (Remove only)
"InstallShield_{F4808215-1A0C-4578-A43D-4E97BED64CED}"=Software Jukebox 2.0 NA-02D
"LiveReg"=LiveReg (Symantec Corporation)
"LiveUpdate1.7"=LiveUpdate 1.7 (Symantec Corporation)
"Mozilla Firefox (3.0.4)"=Mozilla Firefox (3.0.4)
"MUSICMATCH Jukebox"=MUSICMATCH Jukebox
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA"=NVIDIA Windows 2000/XP Display Drivers
"PCDoctor"=PC-Doctor for Windows
"PS2"=PS2
"Python 2.2 combined Win32 extensions"=Python 2.2 combined Win32 extensions
"Python 2.2.1"=Python 2.2.1
"Quicken Financial Center"=Quicken Financial Center
"S3Display"=S3Display
"S3Gamma2"=S3Gamma2
"S3Info2"=S3Info2
"S3Overlay"=S3Overlay
"SBC.MCCInstall"=AT&T Self Support Tool
"Smart Defrag_is1"=Smart Defrag 1.02
"tv_enua"=Lernout & Hauspie TruVoice American English TTS Engine
"WildTangentDDC"=WildTangent Channel Manager
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows XP Service Pack"=Windows XP Service Pack 3
"WordPerfect Productivity Pack"=WordPerfect Productivity Pack
"Yahoo! Applications"=AT&T Yahoo! Applications
"ZoneAlarm Security Suite"=ZoneAlarm Security Suite

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/8/2007 7:30:09 PM | Computer Name = YOUR-US67PI6LUV | Source = Application Hang | ID = 1002
Description = Hanging application wpwin10.exe, version 10.0.0.663, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/3/2007 10:31:54 AM | Computer Name = YOUR-US67PI6LUV | Source = Application Hang | ID = 1002
Description = Hanging application Wpwin10.exe, version 10.0.0.663, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/19/2007 9:54:04 PM | Computer Name = YOUR-US67PI6LUV | Source = Application Error | ID = 1000
Description = Faulting application ycommon.exe, version 2006.3.2.1, faulting module
ycommon.exe, version 2006.3.2.1, fault address 0x00004ffc.

Error - 5/10/2007 3:09:44 PM | Computer Name = YOUR-US67PI6LUV | Source = Application Hang | ID = 1002
Description = Hanging application wpwin10.exe, version 10.0.0.663, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/1/2007 2:52:52 PM | Computer Name = YOUR-US67PI6LUV | Source = Application Hang | ID = 1002
Description = Hanging application wpwin10.exe, version 10.0.0.663, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/15/2007 3:53:49 PM | Computer Name = YOUR-US67PI6LUV | Source = Application Hang | ID = 1002
Description = Hanging application wpwin10.exe, version 10.0.0.663, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/9/2007 6:49:18 PM | Computer Name = YOUR-US67PI6LUV | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2600.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/12/2007 1:17:34 PM | Computer Name = YOUR-US67PI6LUV | Source = Application Hang | ID = 1002
Description = Hanging application ybrowser.exe, version 2006.8.11.1, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/17/2008 3:55:59 PM | Computer Name = YOUR-US67PI6LUV | Source = Application Error | ID = 1000
Description = Faulting application ybrowser.exe, version 2006.8.11.1, faulting module
flash.ocx, version 7.0.19.0, fault address 0x00032e17.

Error - 1/17/2008 4:10:54 PM | Computer Name = YOUR-US67PI6LUV | Source = Application Error | ID = 1000
Description = Faulting application ybrowser.exe, version 2006.8.11.1, faulting module
flash.ocx, version 7.0.19.0, fault address 0x00001868.

[ System Events ]
Error - 11/25/2008 3:21:38 PM | Computer Name = YOUR-US67PI6LUV | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 11/25/2008 3:21:38 PM | Computer Name = YOUR-US67PI6LUV | Source = Service Control Manager | ID = 7001
Description = The TrueVector Internet Monitor service depends on the vsdatant service
which failed to start because of the following error: %%31

Error - 11/25/2008 3:21:38 PM | Computer Name = YOUR-US67PI6LUV | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 11/25/2008 3:21:38 PM | Computer Name = YOUR-US67PI6LUV | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant WS2IFSL

Error - 11/25/2008 3:23:26 PM | Computer Name = YOUR-US67PI6LUV | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/25/2008 4:40:38 PM | Computer Name = YOUR-US67PI6LUV | Source = Print | ID = 6161
Description = The document Driving Directions from 420... owned by Owner failed
to print on printer HP LaserJet 1220 Series PCL. Data type: NT EMF 1.008. Size of
the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in
the document: 0. Number of pages printed: 0. Client machine: \\YOUR-US67PI6LUV.
Win32 error code returned by the print processor: 259 (0x103).

Error - 11/26/2008 10:18:21 AM | Computer Name = YOUR-US67PI6LUV | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 11/28/2008 10:18:22 AM | Computer Name = YOUR-US67PI6LUV | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 11/30/2008 10:18:23 AM | Computer Name = YOUR-US67PI6LUV | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/2/2008 10:18:24 AM | Computer Name = YOUR-US67PI6LUV | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

GMER's log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-03 14:36:55
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB208F8D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB208C6E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB2099490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB208FE90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB2096C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB2096E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB209AD50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB208FF80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB208CC70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB2099D10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB2099AC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB2096600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xB20893B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB209A230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB209A2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xB209AFD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB208CAD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB20984F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB20982B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB209A970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB209A3D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB208F4F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB209A7C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB208FAA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB208CEA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xB2089190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB2099800]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB2097580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB2097400]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xB20895D0]

INT 0x20 srescan.sys F7429C80

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 90, FE, 08, B2, 80, 6C, 09, ... ]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E282C 12 Bytes [ B0, 93, 08, B2, 30, A2, 09, ... ]
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\ctfmon.exe[356] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 000A69D2
.text C:\WINDOWS\system32\ctfmon.exe[356] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 000A6AEF
.text C:\WINDOWS\system32\ctfmon.exe[356] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 000A6791
.text C:\WINDOWS\system32\ctfmon.exe[356] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 000A68D4
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe[368] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe[368] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe[368] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe[368] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\WINDOWS\Explorer.exe[376] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 000969D2
.text C:\WINDOWS\Explorer.exe[376] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00096AEF
.text C:\WINDOWS\Explorer.exe[376] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00096791
.text C:\WINDOWS\Explorer.exe[376] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 000968D4
.text C:\HP\KBD\KBD.EXE[392] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\HP\KBD\KBD.EXE[392] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\HP\KBD\KBD.EXE[392] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\HP\KBD\KBD.EXE[392] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\WINDOWS\system32\spoolsv.exe[456] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 000969D2
.text C:\WINDOWS\system32\spoolsv.exe[456] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00096AEF
.text C:\WINDOWS\system32\spoolsv.exe[456] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00096791
.text C:\WINDOWS\system32\spoolsv.exe[456] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 000968D4
.text C:\WINDOWS\system32\dla\tfswctrl.exe[472] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\WINDOWS\system32\dla\tfswctrl.exe[472] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\WINDOWS\system32\dla\tfswctrl.exe[472] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\WINDOWS\system32\dla\tfswctrl.exe[472] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\WINDOWS\System32\igfxtray.exe[588] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\WINDOWS\System32\igfxtray.exe[588] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\WINDOWS\System32\igfxtray.exe[588] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\WINDOWS\System32\igfxtray.exe[588] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\WINDOWS\System32\hkcmd.exe[632] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\WINDOWS\System32\hkcmd.exe[632] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\WINDOWS\System32\hkcmd.exe[632] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\WINDOWS\System32\hkcmd.exe[632] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\WINDOWS\system32\winlogon.exe[720] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 00CF69D2
.text C:\WINDOWS\system32\winlogon.exe[720] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00CF6AEF
.text C:\WINDOWS\system32\winlogon.exe[720] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00CF6791
.text C:\WINDOWS\system32\winlogon.exe[720] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 00CF68D4
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 00BC69D2
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00BC6AEF
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00BC6791
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 00BC68D4
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 00CB69D2
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00CB6AEF
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00CB6791
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 00CB68D4
.text C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe[904] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe[904] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe[904] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe[904] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[1264] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[1264] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[1264] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[1264] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe[1368] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe[1368] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe[1368] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe[1368] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\Program Files\hp center\137903\Program\BackWeb-137903.exe[1424] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\Program Files\hp center\137903\Program\BackWeb-137903.exe[1424] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\Program Files\hp center\137903\Program\BackWeb-137903.exe[1424] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\Program Files\hp center\137903\Program\BackWeb-137903.exe[1424] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\Program Files\CBeyond\SecureBackup\Online-Backup.exe[1444] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001569D2
.text C:\Program Files\CBeyond\SecureBackup\Online-Backup.exe[1444] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00156AEF
.text C:\Program Files\CBeyond\SecureBackup\Online-Backup.exe[1444] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00156791
.text C:\Program Files\CBeyond\SecureBackup\Online-Backup.exe[1444] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001568D4
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1512] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001569D2
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1512] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00156AEF
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1512] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00156791
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1512] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001568D4
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1512] ntdll.dll!KiFastSystemCall + 2 7C90E4F2 2 Bytes [ CD, 20 ]
.text C:\WINDOWS\System32\wdfmgr.exe[1576] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 000869D2
.text C:\WINDOWS\System32\wdfmgr.exe[1576] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00086AEF
.text C:\WINDOWS\System32\wdfmgr.exe[1576] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00086791
.text C:\WINDOWS\System32\wdfmgr.exe[1576] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 000868D4
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1680] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001569D2
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1680] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00156AEF
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1680] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00156791
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1680] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001568D4
.text C:\Program Files\hp center\137903\Shadow\ShadowBar.exe[1704] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\Program Files\hp center\137903\Shadow\ShadowBar.exe[1704] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\Program Files\hp center\137903\Shadow\ShadowBar.exe[1704] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\Program Files\hp center\137903\Shadow\ShadowBar.exe[1704] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\windows\system\hpsysdrv.exe[1804] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\windows\system\hpsysdrv.exe[1804] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\windows\system\hpsysdrv.exe[1804] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\windows\system\hpsysdrv.exe[1804] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe[1876] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001569D2
.text C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe[1876] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00156AEF
.text C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe[1876] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00156791
.text C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe[1876] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001568D4
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001569D2
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00156AEF
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00156791
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[1952] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001568D4
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2068] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2068] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2068] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2068] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\Program Files\Yahoo!\browser\ybrwicon.exe[2284] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\Program Files\Yahoo!\browser\ybrwicon.exe[2284] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\Program Files\Yahoo!\browser\ybrwicon.exe[2284] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\Program Files\Yahoo!\browser\ybrwicon.exe[2284] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4
.text C:\WINDOWS\System32\alg.exe[3116] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 000969D2
.text C:\WINDOWS\System32\alg.exe[3116] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00096AEF
.text C:\WINDOWS\System32\alg.exe[3116] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00096791
.text C:\WINDOWS\System32\alg.exe[3116] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 000968D4
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3252] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3252] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3252] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe[3716] ntdll.dll!NtDeleteValueKey 7C90D250 5 Bytes JMP 001469D2
.text C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe[3716] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00146AEF
.text C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe[3716] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00146791
.text C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe[3716] ntdll.dll!NtSetValueKey 7C90DDB0 5 Bytes JMP 001468D4

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B2094410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B2094220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B2094B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B2092780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B2092780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B2094410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B2094220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B2094B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B2094410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B2092780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B2094B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B2094220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B2094B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B2094220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B2094410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B209C870] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B2092780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B2094410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B2094220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B2094B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B2094B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B2094220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B2092780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B2094410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B2094410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B2092780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B2094B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B2094220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B208D320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B208D4D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B208D040] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [B208D3D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Fastfat \FatCdrom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\kdftk.exe 77312 bytes executable

---- EOF - GMER 1.0.14 ----

thanks again :)
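GMER's disk section above flags sectors 1 through 63 as holding a copy of the MBR, with sectors 62 and 63 marked "rootkit-like behavior". The following is an added example, not part of this thread or of GMER, that reproduces the core of that check offline: it reads a raw disk image, verifies the 0x55AA boot signature, pulls the first partition's start LBA from the partition table, and reports every sector in the MBR gap (sector 1 up to the first partition) that is a byte-for-byte duplicate of sector 0. The disk image is constructed inline so the script runs without real hardware; on a clean disk this gap is normally zero-filled or holds bootloader data, not MBR copies.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # MBR boot signature at offset 510
PART_TABLE = 0x1BE              # four 16-byte partition entries start here


def analyze_mbr_gap(image: bytes, gap_sectors: int = 63) -> dict:
    """Compare each sector in the MBR gap (1..gap_sectors) with sector 0.

    Returns a dict with 'signature_ok', 'partition_start' (lowest start LBA
    of any non-empty partition entry, or None) and 'copies' (sector numbers
    whose contents equal the MBR exactly, like GMER's 'copy of MBR' lines).
    """
    mbr = image[0:SECTOR]
    signature_ok = mbr[510:512] == BOOT_SIG

    starts = []
    for i in range(4):
        entry = mbr[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        part_type = entry[4]                           # 0x00 = unused entry
        start_lba = struct.unpack_from("<I", entry, 8)[0]
        if part_type != 0:
            starts.append(start_lba)

    copies = []
    for n in range(1, gap_sectors + 1):
        sector = image[n * SECTOR:(n + 1) * SECTOR]
        if len(sector) < SECTOR:                       # ran off the end of the image
            break
        if sector == mbr:
            copies.append(n)

    return {"signature_ok": signature_ok,
            "partition_start": min(starts) if starts else None,
            "copies": copies}


def build_sample_image(copy_sectors, total_sectors: int = 64) -> bytes:
    """Constructed sample disk: a fake MBR (one NTFS partition at LBA 63)
    followed by a 63-sector gap; the sectors in copy_sectors hold MBR copies."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xEB\x3C\x90"                         # typical boot-code jump stub
    mbr[PART_TABLE + 4] = 0x07                         # partition type: NTFS
    struct.pack_into("<I", mbr, PART_TABLE + 8, 63)    # first partition starts at LBA 63
    mbr[510:512] = BOOT_SIG
    image = bytearray(mbr)
    for n in range(1, total_sectors):
        image += mbr if n in copy_sectors else bytes(SECTOR)   # clean gap is zero-filled
    return bytes(image)
```

Run against a real image by passing `open(path, "rb").read(64 * 512)` to `analyze_mbr_gap`; a non-empty `copies` list is the condition GMER reported in the log above.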

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:01 PM

Posted 03 December 2008 - 11:11 PM

Hello, Audi_vW
Your System is Infected with a Backdoor!!
Backdoors cause severe damage to Windows' internals, and allow an attacker complete control over the infected system. Because this state allows the attacker to download new malware on demand, log keystrokes, execute programs, and/or view the system's screen, it is recommended to reformat and reinstall the operating system on this machine. Several experts in the security community believe that once a system is infected with one of these types of backdoors, the system itself can never be trusted again.

I ask that you disconnect this system from the internet NOW! While it is attached to the internet, the attacker can modify the system, and prevent fixes from working as intended.

Another danger of this type of infection is that of Identity Theft. Because such malware can read all of your passwords, bank account numbers, etc. from your keystrokes, I would recommend contacting banking institutions accessed from this machine to ensure your accounts are secure. Most banks will not charge to send you new credit/debit cards, and getting these numbers replaced would be a good idea. It would also be a good idea to change passwords for anything you commonly use online. Online stores, Facebook/Myspace, Email, etc. If it has been on that machine it may have been read by someone else. Don't do it from this machine, as it is now compromised. Do it from another known clean machine. A good place to do this is at your local public library.

I would strongly recommend format and reinstallation of this machine. For more information, you may wish to read one of these excellent articles:

Please let me know if you wish to continue to clean this machine or if you wish to format.

If you wish to continue, please download this tool:
http://www2.gmer.net/mbr/mbr.exe

And then post the log it makes when you run it.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Audi_vW

Audi_vW
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:Texas
  • Local time:12:01 AM

Posted 05 December 2008 - 01:38 PM

Thanks for taking the time, Mr. O'Neal; my worst fears have been answered :thumbsup: I would like to continue and format the computer. As I have said before, this is a work/shop based computer that has the problem, and it has a Secure Backup and Fileshare account. Mainly it consists of people's names and if they have paid or if they still owe money. The only information is Name and possibly address, it is a Quickbooks program, I'm thinking this information can be saved before the format, no? Thankfully, the computer is used only for business and no credit/banking or any passwords are used through it. Please leave input as to what you think about being able to save certain information from being formatted and the steps you recommend me to take to format :)

Thank you

#6 Audi_vW

Audi_vW
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:Texas
  • Local time:12:01 AM

Posted 05 December 2008 - 02:31 PM

Here is the MBR log

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:01 PM

Posted 05 December 2008 - 04:00 PM

The only information is Name and possibly address, it is a Quickbooks program, I'm thinking this information can be saved before the format, no? Thankfully, the computer is used only for business and no credit/banking or any passwords are used through it. Please leave input as to what you think about being able to save certain information from being formatted and the steps you recommend me to take to format :thumbsup:

You should be able to save your data without fear. But the windows installation is what is suspect.

Good luck!

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#8 Audi_vW

Audi_vW
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:Texas
  • Local time:12:01 AM

Posted 06 December 2008 - 03:46 PM

Sorry Mr. O'Neal I don't think I made myself clear. I now know I have to format the C drive, thanks to you :thumbsup: but do I also have to do the D drive? The D drive is used for backing up quickbooks on a secure fileshare and backup account.

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:01 PM

Posted 06 December 2008 - 03:46 PM

Sorry Mr. O'Neal I don't think I made myself clear. I now know I have to format the C drive, thanks to you :thumbsup: but do I also have to do the D drive? The D drive is used for backing up quickbooks on a secure fileshare and backup account.

No, you should not have to do that :)

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:01 PM

Posted 08 December 2008 - 09:29 PM

Hello, Audi_vW
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)