ic32pp in autoruns but not in HijackThis


This topic is locked
10 replies to this topic

#1 leza


Posted 30 November 2008 - 06:32 AM

Hi.
Recently, taking a look at Autoruns, I noticed this entry:

+ ic32pp c:\windows\wc98pp.dll

Searching, I found it could be a leftover of some old infection.

HijackThis didn't find it. It should be at O18?
Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:25:47, on 28/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\- internet\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
C:\Arquivos de programas\Microsoft IntelliPoint\point32.exe
C:\Arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Arquivos de programas\Spybot - Search & Destroy152\TeaTimer.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\VideoLAN\VLC\vlc.exe
C:\Arquivos de programas\Trend Micro\HijackThis\Luiz Márcio.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/intl/la/brazil/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~2\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\- utilities\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\- internet\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Arquivos de programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Deskup] C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [CTSysVol] C:\Arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Arquivos de programas\- utilities\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [AnyDVD] "C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy152\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2237029002-2704639424-2437969446-1005\..\Run: [SoniqueQuickStart] C:\Arquivos de programas\- utilities\Sonique\sqstart.exe -nostick (User '?')
O4 - HKUS\S-1-5-21-2237029002-2704639424-2437969446-1005\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy152\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-2237029002-2704639424-2437969446-1005 Startup: ERUNT AutoBackup.lnk = C:\Arquivos de programas\ERUNT\AUTOBACK.EXE (User '?')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Arquivos de programas\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Arquivos de programas\- utilities\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Arquivos de programas\- utilities\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Arquivos de programas\- utilities\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Arquivos de programas\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\ARQUIV~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Arquivos de programas\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

--
End of file - 9213 bytes



#2 KoanYorel


Posted 14 December 2008 - 05:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 leza


Posted 17 December 2008 - 07:12 PM

Hi.
Six months ago avast detected this:

4/6/2008 08:36:33 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz2A.tmp" file.
4/6/2008 08:29:26 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz29.tmp" file.
4/6/2008 08:28:45 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz28.tmp" file.
4/6/2008 08:27:39 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz27.tmp" file.
4/6/2008 08:26:03 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz26.tmp" file.
4/6/2008 05:38:28 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\unp28195895.tmp" file.
4/6/2008 03:23:38 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\I386\SVCHOST.EXE" file.
4/6/2008 00:42:47 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\windows\system32\SET23.tmp" file.
4/6/2008 00:42:27 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe" file.
4/6/2008 00:42:03 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SVCHOST.EXE" file.
3/6/2008 23:56:19 Luiz Márcio 1280 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SVCHOST.EXE" file.
3/6/2008 23:49:15 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\svchost.exe" file.

Avast deleted svchost. I replaced it.
On the next boot, a lot of services disappeared from the registry.
I got help from a HijackThis log forum, and received an OK: your computer is clean, you can do a system repair and install XP SP2.
But I'm not sure if the rootkit problem is solved.
I still haven't fixed that machine, but now I have a Rootkit Unhooker log.
Can I list it here?

Here is the log from DDS:


DDS (Version 1.1.0) - NTFSx86
Run by Luiz Márcio at 20:00:26,42 on qua 17/12/2008
Internet Explorer: 6.0.2800.1106

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.dell.com/intl/la/brazil/index.htm
uInternet Settings,ProxyServer = localhost:12080
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\arquivos de programas\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\arquiv~1\spybot~2\SDHelper.dll
BHO: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\arquivos de programas\- utilities\free download manager\iefdmcks.dll
TB: {8E718888-423F-11D2-876E-00A0C9082467} - c:\windows\system32\msdxm.ocx
uRun: [SoniqueQuickStart] c:\arquivos de programas\- utilities\sonique\sqstart.exe -nostick
uRun: [AnyDVD] "c:\arquivos de programas\slysoft\anydvd\AnyDVD.exe"
mRun: [avast!] c:\arquiv~1\alwils~1\avast4\ashDisp.exe
mRun: [Zone Labs Client] c:\arquivos de programas\- internet\zonealarm\zlclient.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\arquivos de programas\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Iomega Drive Icons] c:\arquivos de programas\iomega\driveicons\ImgIcon.exe
mRun: [IntelliPoint] "c:\arquivos de programas\microsoft intellipoint\point32.exe"
mRun: [Deskup] c:\arquivos de programas\iomega\driveicons\deskup.exe /IMGSTART
mRun: [CTSysVol] c:\arquivos de programas\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDet] c:\arquivos de programas\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [ADUserMon] c:\arquivos de programas\iomega\autodisk\ADUserMon.exe
mRun: [AdaptecDirectCD] "c:\arquivos de programas\roxio\easy cd creator 5\directcd\DirectCD.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\luizmr~1\menuin~1\progra~1\inicia~1\erunta~1.lnk - c:\arquivos de programas\erunt\AUTOBACK.EXE
mPolicies-explorer: <NO NAME> =
IE: Download all with Free Download Manager - file://c:\arquivos de programas\- utilities\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\arquivos de programas\- utilities\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\arquivos de programas\- utilities\free download manager\dllink.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\arquiv~1\spybot~2\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\MSMSGS.EXE
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\arquivos de programas\belarc\advisor\system\BAVoilaX.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - c:\windows\system32\msdxm.ocx
Notify: !SASWinLogon - c:\arquivos de programas\superantispyware\SASWINLO.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\arquivos de programas\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\luizmr~1\dadosd~1\mozilla\firefox\profiles\yv3i16gi.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\arquivos de programas\- utilities\free download manager\firefox\extension\components\component.dll
FF - component: c:\arquivos de programas\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

RSPR?S?C?P?P?01234RSPR?S?C?P?P?01234

=============== Created Last 30 ================

2008-12-13 20:45 <DIR> --d----- C:\RkUnhooker
2008-12-13 16:08 28,047,820 a------- C:\digest.md5
2008-12-13 15:27 344,064 a------- c:\windows\fsum.exe
2008-12-10 16:37 <DIR> a-d----- C:\IceSword122en
2008-12-09 02:37 19,248 a------- c:\windows\system32\drivers\rspsc32.sys
2008-12-09 02:37 <DIR> --d----- c:\arquivos de programas\RootKit Hook Analyzer
2008-12-09 01:04 345 a------- c:\windows\gmer.ini

==================== Find3M ====================

2008-12-14 02:41 6,815,744 a------- c:\documents and settings\luiz márcio\ntuser.dat
2008-11-15 20:45 8,959 a------- c:\windows\system32\drivers\U3sHlpDr.sys
2004-04-04 15:37 73,728 a------- c:\documents and settings\luiz márcio\SetupNI.dll
2035-08-27 03:36 1,537 a--sh--- c:\windows\page files\maxmeg.sys
2004-09-20 19:56 56 ---shr-- c:\windows\system32\3FE621EB0F.sys
2006-05-03 07:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2008-07-01 03:03 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-02-21 08:47 31,232 ---shr-- c:\windows\system32\msfDX.dll

============= FINISH: 20:00:50,09 ===============


Is this some kind of malware?
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

About the other file from DDS (attach.txt): I zipped it and tried to upload it, but couldn't manage to complete it.
So here it is:
-------------------------


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


3ds max 4.2
3ds max 6
3ds max 6 Architectural Materials
3ds max 6 Reference Files
3ds max 6 Sample Files
7-Zip 4.42
Active Disk
Ad-Aware 2007
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
Adobe Download Manager 2.0 (Só remoção)
Adobe Flash Player 9 ActiveX
Adobe Photoshop CS
Adobe Reader 7.0
Adobe Shockwave Player
Advanced Disk Catalog
AIDA32 v3.75
AnswerWorks Runtime
ATI Display Driver
Atualização de Segurança para o Windows Media Player (KB911564)
Atualização de Segurança para o Windows Media Player 10 (KB911565)
Atualização de Segurança para o Windows Media Player 10 (KB917734)
Atualização de Segurança para Windows XP (KB890046)
Atualização de Segurança para Windows XP (KB893756)
Atualização de Segurança para Windows XP (KB896358)
Atualização de Segurança para Windows XP (KB896422)
Atualização de Segurança para Windows XP (KB896423)
Atualização de Segurança para Windows XP (KB896424)
Atualização de Segurança para Windows XP (KB896426)
Atualização de Segurança para Windows XP (KB896428)
Atualização de Segurança para Windows XP (KB899587)
Atualização de Segurança para Windows XP (KB899588)
Atualização de Segurança para Windows XP (KB899589)
Atualização de Segurança para Windows XP (KB899591)
Atualização de Segurança para Windows XP (KB900725)
Atualização de Segurança para Windows XP (KB901017)
Atualização de Segurança para Windows XP (KB901214)
Atualização de Segurança para Windows XP (KB902400)
Atualização de Segurança para Windows XP (KB904706)
Atualização de Segurança para Windows XP (KB905414)
Atualização de Segurança para Windows XP (KB905495)
Atualização de Segurança para Windows XP (KB905749)
Atualização de Segurança para Windows XP (KB908519)
Atualização de Segurança para Windows XP (KB908531)
Atualização de Segurança para Windows XP (KB911562)
Atualização de Segurança para Windows XP (KB911927)
Atualização de Segurança para Windows XP (KB912919)
Atualização de Segurança para Windows XP (KB913446)
Atualização de Segurança para Windows XP (KB913580)
Atualização de Segurança para Windows XP (KB914388)
Atualização de Segurança para Windows XP (KB914389)
Atualização de Segurança para Windows XP (KB914798)
Atualização de Segurança para Windows XP (KB917159)
Atualização de Segurança para Windows XP (KB917344)
Atualização de Segurança para Windows XP (KB917422)
Atualização de Segurança para Windows XP (KB917953)
Atualização de Segurança para Windows XP (KB919007)
Atualização de Segurança para Windows XP (KB920670)
Atualização de Segurança para Windows XP (KB920683)
Atualização de Segurança para Windows XP (KB920685)
Atualização de Segurança para Windows XP (KB921398)
Atualização de Segurança para Windows XP (KB921883)
Atualização de Segurança para Windows XP (KB922616)
Atualização de Segurança para Windows XP (KB922819)
Atualização de Segurança para Windows XP (KB923191)
Atualização de Segurança para Windows XP (KB923414)
Atualização de Segurança para Windows XP (KB924191)
Atualização de Segurança para Windows XP (KB924496)
Atualização para Windows XP (KB835409)
Atualização para Windows XP (KB898461)
Atualização para Windows XP (KB910437)
Atualização para Windows XP (KB911280)
AutoUpdate
avast! Antivirus
Belarc Advisor 7.2
C-Dilla Licence Management System
character studio 4.2
Classic PhoneTools
combustion 3
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
CoreFLAC Audio Decoder+Source Filter (remove only)
Corel Painter 8
Crash Analysis Tool
Creative MediaSource
CuteFTP 5.0 XP
dBpowerAMP Mp4 Codec
dBpowerAMP Musepack Codec
dBpowerAMP Music Converter
Deep Paint 3D
Dell ResourceCD
Dell Solution Center
Digital Line Detect
DioneSS Playlist Editor v2.1
Diskeeper Professional Edition
DivX Player
DivX Pro Codec
Dr.DivX
Easy CD Creator 5 Basic
ERUNT 1.1j
ffdshow [rev 497] [2006-11-04]
FileAlyzer
FLV Player 1.3.3
Forté Agent
Free Download Manager 2.1
Help and Support Customization
HijackThis 2.0.2
Hotfix do Windows Media Player [consulte wm828026 para obter mais informações]
Illustrate! 5.2
Illustrate! 5.3
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Explorer Q903235
IomegaWare 4.0.2
Ipswitch WS_FTP LE
IRPF2004 - Declaração de Ajuste Anual
IRPF2005 - Declaração de Ajuste Anual
IRPF2006 - Declaração de Ajuste Anual
IRPF2007 - Declaração de Ajuste Anual
IRPF2008 Windows - Declaração de Ajuste Anual
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Macromedia Flash MX 2004
Magic ISO Maker v5.0 (build 0166)
Media Tagger v1.3.5
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 5.0
Microsoft Office PowerPoint Viewer 2003
Microsoft Works 7.0
Modem Helper
Mozilla Firefox (2.0.0.14)
Nero 6 Ultra Edition
Netscape (7.1)
NetWaiting
Panda ActiveScan
Panda ActiveScan 2.0
Poser 5
PowerBooleans for MAX 6
Quick Dirt
QuickTime
RAR Password Cracker 4.12
RAR Password Recovery v1.1 RC1 (remove only)
RealPlayer
Receitanet 2008
Registry Mechanic
RootKit Hook Analyzer 3.02
Rootkit Unhooker Uninstall
SafeCast Shared Components
SketchUp 3.0
Sonique
Sound Blaster Audigy 2
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SUPER © Version 2007.bld.23 (July 4, 2007)
SUPERAntiSpyware Free Edition
VideoLAN VLC media player 0.8.6c
WebFldrs XP
WinAce Archiver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883357
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB916281
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix Package [See Q329115 for more information]
Windows XP Hotfix Package [See Q329390 for more information]
Windows XP Hotfix Package [See Q329834 for more information]
WinISO v5.3.0.125
WinRAR archiver
ZoneAlarm Pro

==== End Of File ===========================



Here is the log from Rootkit Unhooker:
------------------------------------------

>SSDT State
NtClose
Actual Address 0xF440C588
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtConnectPort
Actual Address 0xF2A7B61D
Hooked by: C:\WINDOWS\System32\vsdatant.sys

NtCreateKey
Actual Address 0xF440C444
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtCreatePagingFile
Actual Address 0xF86EEB00
Hooked by: a347bus.sys

NtDeleteValueKey
Actual Address 0xF440C922
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtDuplicateObject
Actual Address 0xF440C01C
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtEnumerateKey
Actual Address 0xF86EF5DC
Hooked by: a347bus.sys

NtEnumerateValueKey
Actual Address 0xF86FB120
Hooked by: a347bus.sys

NtOpenFile
Actual Address 0xF86EEB40
Hooked by: a347bus.sys

NtOpenKey
Actual Address 0xF440C51E
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtOpenProcess
Actual Address 0xF2A8C6F0
Hooked by: C:\WINDOWS\System32\vsdatant.sys

NtOpenThread
Actual Address 0xF440BFC0
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtQueryKey
Actual Address 0xF86EF5FC
Hooked by: a347bus.sys

NtQueryValueKey
Actual Address 0xF440C63E
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtRestoreKey
Actual Address 0xF440C5FE
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtSetSystemPowerState
Actual Address 0xF86FA550
Hooked by: a347bus.sys

NtSetValueKey
Actual Address 0xF440C77E
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

>Shadow
NtUserMessageCall
Actual Address 0xF2A7B270
Hooked by: C:\WINDOWS\System32\vsdatant.sys

NtUserPostMessage
Actual Address 0xF2A7B2C0
Hooked by: C:\WINDOWS\System32\vsdatant.sys

NtUserSendInput
Actual Address 0xF2A7B380
Hooked by: C:\WINDOWS\System32\vsdatant.sys

>Processes
>Drivers
>Stealth
>Files
Suspect File: C:\3dsmax42 Status: Hidden
Suspect File: C:\3dsmax6 Status: Hidden

>Hooks
ntoskrnl.exe+0x00003E2A, Type: Inline - RelativeJump 0x804D7E2A [ntoskrnl.exe]
ntoskrnl.exe+0x0000A7C8, Type: Inline - RelativeJump 0x804DE7C8 [ntoskrnl.exe]
ntoskrnl.exe+0x0000A9D4, Type: Inline - RelativeJump 0x804DE9D4 [ntoskrnl.exe]
ntoskrnl.exe-->KeFindConfigurationEntry, Type: Inline - RelativeJump 0x8069B630 [unknown_code_page]
ntoskrnl.exe-->NtCreateProcess, Type: Inline - RelativeJump 0x805A7DCD [gmer.sys]
ntoskrnl.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x80574107 [gmer.sys]
ntoskrnl.exe-->NtCreateSection, Type: Inline - RelativeJump 0x80552CC9 [gmer.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x80597880 [gmer.sys]
ntoskrnl.exe-->NtSetSystemInformation, Type: Inline - RelativeJump 0x80583824 [gmer.sys]
[1380]explorer.exe-->shell32.dll-->SHFileOperation, Type: Inline - RelativeJump 0x7CD56A7B [Imghook.dll]
[1380]explorer.exe-->shell32.dll-->SHFileOperationW, Type: Inline - RelativeJump 0x7CD56870 [Imghook.dll]
[1772]ashDisp.exe-->shell32.dll-->SHFileOperation, Type: Inline - RelativeJump 0x7CD56A7B [Imghook.dll]
[1772]ashDisp.exe-->shell32.dll-->SHFileOperationW, Type: Inline - RelativeJump 0x7CD56870 [Imghook.dll]
[1848]Imgicon.exe-->shell32.dll-->SHFileOperation, Type: Inline - RelativeJump 0x7CD56A7B [Imghook.dll]
[1848]Imgicon.exe-->shell32.dll-->SHFileOperationW, Type: Inline - RelativeJump 0x7CD56870 [Imghook.dll]
[1884]CTHELPER.EXE-->shell32.dll-->SHFileOperation, Type: Inline - RelativeJump 0x7CD56A7B [Imghook.dll]
[1884]CTHELPER.EXE-->shell32.dll-->SHFileOperationW, Type: Inline - RelativeJump 0x7CD56870 [Imghook.dll]
[1924]Directcd.exe-->shell32.dll-->SHFileOperation, Type: Inline - RelativeJump 0x7CD56A7B [Imghook.dll]
[1924]Directcd.exe-->shell32.dll-->SHFileOperationW, Type: Inline - RelativeJump 0x7CD56870 [Imghook.dll]
[824]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x010010E8 [unknown_code_page]
[824]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001180 [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

------------------------------------

In the files section of Rootkit Unhooker, I've got a lot of hidden files, but they're not really hidden from Windows Explorer!
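As an added example (not code from the thread or from the Rootkit Unhooker project), a small Python triage script for a report in the format posted above: it attributes each SSDT, Shadow and inline/IAT hook to its owning module, singles out jumps RkU could not map to any loaded module, and collects the files it reports as hidden. The allowlist of legitimate hookers is an assumption made for the example; anything outside it is listed for review, not called malicious.

```python
"""Triage helper for a Rootkit Unhooker (RkU) text report (added example, not the
project's code). Groups every reported hook by owning module; see KNOWN_HOOKERS."""
import re
from collections import defaultdict

# Owners the thread itself identifies: aswSP.SYS (avast!), vsdatant.sys (ZoneAlarm
# TrueVector, per the GMER log) and gmer.sys (GMER). Assumed allowlist for this
# example; extend it per machine. Keys are bare, lower-cased file names.
KNOWN_HOOKERS = {
    "aswsp.sys": "avast! self-protection driver",
    "vsdatant.sys": "ZoneAlarm TrueVector driver",
    "gmer.sys": "GMER rootkit scanner driver",
}

# Excerpt constructed from the RkU log in the thread (a few entries per section).
SAMPLE_REPORT = r""">SSDT State
NtClose
Actual Address 0xF440C588
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtConnectPort
Actual Address 0xF2A7B61D
Hooked by: C:\WINDOWS\System32\vsdatant.sys

NtCreatePagingFile
Actual Address 0xF86EEB00
Hooked by: a347bus.sys

>Shadow
NtUserPostMessage
Actual Address 0xF2A7B2C0
Hooked by: C:\WINDOWS\System32\vsdatant.sys

>Files
Suspect File: C:\3dsmax6 Status: Hidden

>Hooks
ntoskrnl.exe-->KeFindConfigurationEntry, Type: Inline - RelativeJump 0x8069B630 [unknown_code_page]
ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x80597880 [gmer.sys]
[1380]explorer.exe-->shell32.dll-->SHFileOperationW, Type: Inline - RelativeJump 0x7CD56870 [Imghook.dll]
[824]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001180 [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

SSDT_ENTRY = re.compile(r"^(\w+)\nActual Address (0x[0-9A-Fa-f]+)\nHooked by: (.+)$", re.M)
HOOK_LINE = re.compile(r"^(?:\[(\d+)\])?(.+?), Type: (.+?) (0x[0-9A-Fa-f]+) \[(.+?)\]$", re.M)
HIDDEN_FILE = re.compile(r"^Suspect File: (.+?) Status: Hidden$", re.M)


def module_name(path):
    """Bare, lower-cased file name: RkU prints some owners as full paths, some not."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def split_sections(report):
    """Map each '>Name' header to the text beneath it (empty sections map to '')."""
    sections, current = {}, None
    for line in report.splitlines():
        if line.startswith(">"):
            current = line[1:].strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {name: "\n".join(lines) for name, lines in sections.items()}


def parse_ssdt(body):
    """Entries of an SSDT/Shadow block: (function, hook address, owning module)."""
    return [(func, int(addr, 16), module_name(owner))
            for func, addr, owner in SSDT_ENTRY.findall(body)]


def parse_hooks(body):
    """Entries of the Hooks block: (pid or None, hooked symbol, hook type, target module)."""
    return [(int(pid) if pid else None, target, kind, module_name(module))
            for pid, target, kind, _addr, module in HOOK_LINE.findall(body)]


def triage(report):
    """Bucket every hook by owner: known tool, unmapped code, or needs review."""
    sections = split_sections(report)
    known, review, unmapped = defaultdict(list), defaultdict(list), []
    ssdt = parse_ssdt(sections.get("SSDT State", "")) + parse_ssdt(sections.get("Shadow", ""))
    for func, _addr, module in ssdt:
        (known if module in KNOWN_HOOKERS else review)[module].append(func)
    for _pid, target, _kind, module in parse_hooks(sections.get("Hooks", "")):
        if module == "unknown_code_page":
            unmapped.append(target)  # RkU could not map the jump target to any loaded module
        else:
            (known if module in KNOWN_HOOKERS else review)[module].append(target)
    return {"known": dict(known), "review": dict(review), "unmapped": unmapped,
            "hidden_files": HIDDEN_FILE.findall(sections.get("Files", ""))}


def needs_attention(result):
    """True when anything could not be attributed to a known, expected tool."""
    return bool(result["unmapped"] or result["review"])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in ("known", "review", "unmapped", "hidden_files"):
        print(f"{bucket}: {result[bucket]}")
    print("needs attention:", needs_attention(result))
```

On the full log in the thread, the entries worth a second look are the `unknown_code_page` IAT modifications in services.exe and any SSDT owner you cannot tie to software you installed yourself; the avast!, ZoneAlarm and GMER hooks are expected on this machine.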

#4 leza


Posted 17 December 2008 - 08:24 PM

Hi.
Just one more log.
In this one, I don't know if the presence of IsDrv118.sys is a sign of some rootkit...

-----------------------
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-10 23:55:51
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF86EF5DC]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF86FB120]

Code \SystemRoot\System32\Drivers\rkhdrv40.SYS ExAllocatePool
Code \SystemRoot\System32\Drivers\rkhdrv40.SYS ExAllocatePoolWithTag
Code \SystemRoot\System32\Drivers\rkhdrv40.SYS KeDelayExecutionThread

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 82F44FB0

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \Fat FF0DA4A0

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv118.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv118.sys

---- Modules - GMER 1.0.14 ----

Module _________ F8668000-F867E000 (90112 bytes)

---- EOF - GMER 1.0.14 ----
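The hook lines in the Rootkit Unhooker output above and the AttachedDevice lines in this GMER log share a regular shape, and the first triage step for both is attribution: which module owns each hook, and which filter driver the tool could not describe. The script below is an added example, not a tool posted in this thread; it parses those two line formats (the sample lines are constructed from the ones quoted above, not the full logs) and groups them for review, with the trusted-module set left to the reviewer.

```python
"""Triage helper for the hook and AttachedDevice line formats quoted in this thread.
Added example, not a tool posted here: attribute every hook to its owning module first."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# [pid]image-->dll-->Function, Type: <kind> 0x<addr> [<owning module>]
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>[^,]+), Type: (?P<kind>.+?) "
    r"0x(?P<addr>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)
# AttachedDevice <driver object> <device> <file> (<vendor description>)  -- description optional
ATTACHED_RE = re.compile(
    r"^AttachedDevice (?P<driver_obj>\S+) (?P<device>\S+) (?P<file>\S+)(?: \((?P<desc>.*)\))?$"
)

# Constructed sample in the shapes posted above, not the full logs.
SAMPLE_REPORT = r"""
ntoskrnl.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x80574107 [gmer.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x80597880 [gmer.sys]
[1380]explorer.exe-->shell32.dll-->SHFileOperation, Type: Inline - RelativeJump 0x7CD56A7B [Imghook.dll]
[1772]ashDisp.exe-->shell32.dll-->SHFileOperation, Type: Inline - RelativeJump 0x7CD56A7B [Imghook.dll]
[824]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x010010E8 [unknown_code_page]
[824]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001180 [unknown_code_page]
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv118.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv118.sys
"""


@dataclass(frozen=True)
class Hook:
    pid: Optional[int]   # None for kernel (ntoskrnl) hooks
    image: str           # process or kernel image that contains the hooked code
    function: str        # hooked export or syscall
    kind: str            # "Inline - RelativeJump", "IAT modification", ...
    address: int
    module: str          # module the report attributes the hook to


@dataclass(frozen=True)
class AttachedDriver:
    driver_obj: str
    device: str
    file: str
    description: Optional[str]  # vendor text in parentheses, None if the tool had none


def parse_report(text: str) -> Tuple[List[Hook], List[AttachedDriver]]:
    """Parse hook and AttachedDevice lines; anything else (headers, blanks) is skipped."""
    hooks, attached = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            chain = m.group("chain").split("-->")  # image[, dll], function
            hooks.append(Hook(
                pid=int(m.group("pid")) if m.group("pid") else None,
                image=chain[0], function=chain[-1], kind=m.group("kind").strip(),
                address=int(m.group("addr"), 16), module=m.group("module")))
        elif m := ATTACHED_RE.match(line):
            attached.append(AttachedDriver(
                m.group("driver_obj"), m.group("device"), m.group("file"), m.group("desc")))
    return hooks, attached


def hooks_by_module(hooks: List[Hook]) -> Dict[str, List[Hook]]:
    """Group hooks by owning module: attribution is decided per module, not per hook."""
    groups: Dict[str, List[Hook]] = defaultdict(list)
    for h in hooks:
        groups[h.module].append(h)
    return dict(groups)


def unattributed_hooks(hooks: List[Hook], trusted_modules: Iterable[str]) -> List[Hook]:
    """Hooks whose module is not yet attributed (case-insensitive); unknown_code_page never is."""
    trusted = {m.lower() for m in trusted_modules}
    return [h for h in hooks if h.module.lower() not in trusted]


def undescribed_filters(attached: List[AttachedDriver]) -> Dict[str, List[str]]:
    """Filter drivers listed with no vendor description, keyed by file name -> device stacks."""
    out: Dict[str, List[str]] = defaultdict(list)
    for a in attached:
        if not a.description:
            out[a.file].append(a.device)
    return dict(out)


if __name__ == "__main__":
    hooks, attached = parse_report(SAMPLE_REPORT)
    for mod, hs in sorted(hooks_by_module(hooks).items()):
        targets = sorted({f"{h.image}!{h.function}" for h in hs})
        print(f"{mod}: {len(hs)} hook(s) -> {', '.join(targets)}")
    for h in unattributed_hooks(hooks, {"gmer.sys"}):  # trusted set is the reviewer's call
        print(f"NEEDS ATTRIBUTION: [{h.pid}] {h.image}!{h.function} ({h.kind}) by {h.module}")
    for name, devices in undescribed_filters(attached).items():
        print(f"NO VENDOR INFO: {name} attached to {', '.join(devices)}")
```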

#5 Billy O'Neal

  • Malware Response Team

Posted 17 December 2008 - 08:56 PM

Hello, leza
I don't see any malware in here. The "rootkits" are part of Avast's self-protection module.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 leza

Posted 18 December 2008 - 09:43 AM

Hi BillyIII.
So all those hooks were made by Avast?

As a result of the virus from 6 months ago, I'm using another system, an older one, to access the internet, as the infected one needs a system repair to have its functions (services) and the internet OK again.
My idea was to only do the repair after cleaning the viruses. Maybe the virus could be asleep due to the machine being partly inactive.
Any other option besides using an online scanner?

About my suspicions of infection, I've been searching and couldn't get assurance of the nature of IsDrv118.sys and
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Some sites affirm they are malware.
In:
http://www.bleepingcomputer.com/startups/I....sys-19227.html
"Added by the Troj/NTRootK-BU rootkit"
In:
http://www.threatexpert.com/report.aspx?ui...6c-8c679d11b51d
they mention the file wc98pp.dll with the same CLSID as mine:
BBCA9F81-8F4F-11D2-90FF-0080C83D3571

What could those two be??
Maybe Malwarebytes Anti-Malware could kill those?

Thanks
Leza.

#7 Billy O'Neal

  • Malware Response Team

Posted 18 December 2008 - 07:10 PM

Hello, leza

Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

As far as I could tell, this file is part of MSNMessenger. But if you wish me to take a closer look, please upload the file here:
http://bleepingcomputer.com/submit-malware.php?channel=54

IsDrv118.sys

I don't see this file in your logs. Please upload the file
C:\Windows\System32\Drivers\IsDrv118.sys
to
http://bleepingcomputer.com/submit-malware.php?channel=54

That file concerns me, as does the fact that you've had reports of it but it's hidden from the logging tools. I would like to take a closer look:

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix.exe on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
In your next reply, please include the following:
  • ComboFix.txt

BillyIII

#8 leza

Posted 19 December 2008 - 07:10 AM

Hi BillyIII.
About the file IsDrv118.sys, it's in the log from GMER, in the second reply I sent:

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv118.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv118.sys

About that file, I think it's hidden or doesn't exist anymore; only the reference to it remains.
Looking for it through Windows Explorer didn't return anything.
I will try another way.

Leza.

#9 leza

Posted 20 December 2008 - 09:27 AM

Hi BillyIII.
I've sent you the file Wc98pp.dll, including a comment about the analysis from virustotal.com, which found nothing bad.
About the other one (IsDrv118.sys): I tried to detect its presence through the logs from GMER and IceSword, but it doesn't show anymore. It showed up once like this:

IceSword , Kernel Module tab:
\SystemRoot\System32\Drivers\IsDrv122.sys
\SystemRoot\System32\Drivers\IsDrv118.sys

GMER
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv118.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv118.sys

But now only the references to IsDrv122.sys remain.
Maybe that log was taken when I accidentally ran both GMER and IceSword at the same time...
I tried to search for IsDrv118.sys from inside IceSword, doing a File find and a Registry find, but the file was not found, and the registry entries were the same ones I got using Regedit.

By the way, here is a text export from the registry:

Nome da chave: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ISDRV118
Nome da classe: <Sem classe>
Hora da última gravação: 10/12/2008 - 19:23
Valor 0
Nome: NextInstance
Tipo: REG_DWORD
Dados: 0x1


Nome da chave: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ISDRV118\0000
Nome da classe: <Sem classe>
Hora da última gravação: 10/12/2008 - 19:23
Valor 0
Nome: Service
Tipo: REG_SZ
Dados: IsDrv118

Valor 1
Nome: Legacy
Tipo: REG_DWORD
Dados: 0x1

Valor 2
Nome: ConfigFlags
Tipo: REG_DWORD
Dados: 0x0

Valor 3
Nome: Class
Tipo: REG_SZ
Dados: LegacyDriver

Valor 4
Nome: ClassGUID
Tipo: REG_SZ
Dados: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Valor 5
Nome: DeviceDesc
Tipo: REG_SZ
Dados: IsDrv118


Nome da chave: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ISDRV118\0000\Control
Nome da classe: <Sem classe>
Hora da última gravação: 10/12/2008 - 19:23
Valor 0
Nome: *NewlyCreated*
Tipo: REG_DWORD
Dados: 0x0

Valor 1
Nome: ActiveService
Tipo: REG_SZ
Dados: IsDrv118


Here is the log from Combofix:


ComboFix 08-12-18.01 - Luiz Márcio 2008-12-19 17:09:14.2 - NTFSx86

Executando de: c:\documents and settings\Luiz Márcio\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\open.ico

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GBPSV
-------\Service_GbpSv


(((((((((((((((( Arquivos/Ficheiros criados de 2008-11-19 to 2008-12-19 ))))))))))))))))))))))))))))
.

2008-12-13 20:45 . 2008-12-13 20:45 <DIR> d-------- C:\RkUnhooker
2008-12-13 16:08 . 2008-12-13 18:08 28,047,820 --a------ C:\digest.md5
2008-12-13 15:27 . 2007-03-03 21:02 344,064 --a------ c:\windows\fsum.exe
2008-12-10 16:37 . 2008-12-10 16:37 <DIR> d-a------ C:\IceSword122en
2008-12-09 02:37 . 2008-12-09 03:04 <DIR> d-------- c:\arquivos de programas\RootKit Hook Analyzer
2008-12-09 02:37 . 2007-07-07 00:39 19,248 --a------ c:\windows\SYSTEM32\DRIVERS\rspsc32.sys
2008-12-09 01:04 . 2008-12-11 00:03 345 --a------ c:\windows\gmer.ini

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 22:45 8,959 ----a-w c:\windows\system32\drivers\U3sHlpDr.sys
2008-11-07 22:30 3,108,864 ----a-w c:\windows\Internet Logs\xDBF.tmp
2008-11-07 22:30 10,472,448 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-11-05 18:28 --------- d-----w c:\arquivos de programas\Safer Networking
2004-04-04 17:37 73,728 ----a-w c:\documents and settings\Luiz Márcio\SetupNI.dll
2004-04-04 17:37 73,728 ----a-w c:\documents and settings\Luiz Márcio\SetupNI.dll
2008-04-21 00:09 67,696 ----a-w c:\arquivos de programas\mozilla firefox\components\jar50.dll
2008-04-21 00:09 54,376 ----a-w c:\arquivos de programas\mozilla firefox\components\jsd3250.dll
2008-04-21 00:09 34,952 ----a-w c:\arquivos de programas\mozilla firefox\components\myspell.dll
2008-04-21 00:09 46,720 ----a-w c:\arquivos de programas\mozilla firefox\components\spellchk.dll
2008-04-21 00:09 172,144 ----a-w c:\arquivos de programas\mozilla firefox\components\xpinstal.dll
2004-09-20 21:56 56 --sh--r c:\windows\SYSTEM32\3FE621EB0F.sys
2006-05-03 09:06 163,328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2008-07-01 05:03 2,516 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r c:\windows\SYSTEM32\msfDX.dll
.

------- Sigcheck -------

2001-09-06 00:50 12800 979f27f95f9a60ad6292b803aee12de5 c:\windows\LastGood.Tmp\system32\svchost.exe
2001-09-06 00:50 12800 979f27f95f9a60ad6292b803aee12de5 c:\windows\SYSTEM32\svchost.exe
2001-09-06 00:50 12800 979f27f95f9a60ad6292b803aee12de5 c:\windows\SYSTEM32\DLLCACHE\svchost.exe

2005-03-02 16:18 577536 7ffbcf1b94e6929deece06670c2407d6 c:\windows\$hf_mig$\KB890859\SP2GDR\user32.dll
2005-03-02 16:20 577536 3ed0a4d74efd5aaf8408095f452e2613 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2002-11-22 13:33 529408 675625ebe22d91177ceced37de3fe309 c:\windows\$NtUninstallKB824141$\user32.dll
2003-09-25 15:15 560640 ddf64e680eaf6aa8e3748d3f467f6973 c:\windows\$NtUninstallKB840987$\user32.dll
2004-12-28 23:32 574976 61c3034fd17499811ef2ff4c7cdb9775 c:\windows\$NtUninstallKB890859$\user32.dll
2004-06-17 15:56 560640 a2ae6841d7868c2f2f34e27b7cb1c178 c:\windows\$NtUninstallKB891711$\user32.dll
2002-09-11 08:00 560640 d58adf4a1298bf0068ef0566e2081bbb c:\windows\$NtUninstallQ328310$\user32.dll
2005-03-02 16:21 561664 2eb0ba8a2751647abe564183aaf4e8f5 c:\windows\LastGood.Tmp\system32\user32.dll
2005-03-02 16:21 561664 2eb0ba8a2751647abe564183aaf4e8f5 c:\windows\SYSTEM32\user32.dll

2002-09-11 08:00 75264 4a95e7320199ec0e3a695494f140c69f c:\windows\$NtUninstallKB914388$\ws2_32.dll
2006-05-19 10:14 70656 33bae2d63547096a41e278887f3fb6de c:\windows\$NtUninstallKB922819$\ws2_32.dll
2006-08-16 10:16 70656 f3b582f087a11b29b68f65fbffe8193b c:\windows\LastGood.Tmp\system32\ws2_32.dll
2006-08-16 10:16 70656 f3b582f087a11b29b68f65fbffe8193b c:\windows\SYSTEM32\ws2_32.dll

2004-02-06 19:07 591360 f122028a6b40261154b089a1a6eca3b8 c:\windows\$NtUninstallKB834707-IE6SP1-20040929.091901$\wininet.dll
2004-08-23 20:35 592384 180e7ba2e75950cbd85937ce89a26edf c:\windows\$NtUninstallKB867282-IE6SP1-20050127.163319$\wininet.dll
2005-02-18 18:34 595456 01914f27e971e88fdbeb8564ceb4564e c:\windows\$NtUninstallKB883939-IE6SP1-20050428.125228$\wininet.dll
2004-12-07 20:15 593408 f85b54f2289023199c2f6f766c697750 c:\windows\$NtUninstallKB890923-IE6SP1-20050225.103456$\wininet.dll
2005-04-27 17:41 578560 8a8877577befae9e30626a83bd205a17 c:\windows\$NtUninstallKB896727-IE6SP1-20050719.165959$\wininet.dll
2005-06-18 01:24 578560 98751f560761b8f2734415f59e9bdb53 c:\windows\$NtUninstallKB905915-IE6SP1-20051122.175908$\wininet.dll
2005-10-21 16:49 579072 6ff3777332c3700ef59d4ff3d5c8cf2b c:\windows\$NtUninstallKB912812-IE6SP1-20060322.182418$\wininet.dll
2006-02-24 16:20 579072 b7cb1f00fe7ac58cec9a6457555ca1ef c:\windows\$NtUninstallKB916281-IE6SP1-20060526.162249$\wininet.dll
2006-04-28 16:07 579072 e32e5d541d9f303d603bab6ddcf00673 c:\windows\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2006-06-23 14:27 579072 db0415f1aa72595b79deec0fc8ae1322 c:\windows\LastGood.Tmp\system32\wininet.dll
2006-06-23 14:27 579072 db0415f1aa72595b79deec0fc8ae1322 c:\windows\SYSTEM32\wininet.dll

2005-05-25 17:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$hf_mig$\KB893066\SP2GDR\tcpip.sys
2005-05-25 17:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 00:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$hf_mig$\KB913446\SP2GDR\tcpip.sys
2006-01-13 15:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 09:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 10:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2002-09-11 08:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB893066$\tcpip.sys
2005-05-25 17:41 339968 228b0385bbfca24332fa22db45a8b684 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 23:13 340480 8c101c9c566e2384af28ef7c1de4a36e c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 09:38 340480 b8158e2a6112c0a5ca67bc158fc70218 c:\windows\SYSTEM32\DRIVERS\tcpip.sys

2002-09-11 08:00 518656 3fad976292fb63de9891e31d8fe46ed9 c:\windows\$NtUninstallKB841533$\winlogon.exe
2004-06-16 22:08 485376 337420e424161ff7dd2ec9175dacb034 c:\windows\LastGood.Tmp\system32\winlogon.exe
2004-06-16 22:08 485376 337420e424161ff7dd2ec9175dacb034 c:\windows\SYSTEM32\winlogon.exe

2003-03-06 11:30 162432 09b38768036508b51564201afb000950 c:\windows\Driver Cache\I386\ndis.sys
2003-03-06 11:30 162432 09b38768036508b51564201afb000950 c:\windows\SYSTEM32\DRIVERS\ndis.sys

2005-03-02 16:08 2061056 d5ed391b213fa2a6ee25de5ab8512360 c:\windows\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2005-03-02 16:13 2061184 aed7b3aa86ad031cf39c6e4bba37e818 c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2003-04-24 11:20 1953024 ecec9fd54df1d43d890520b1f3a9837d c:\windows\$NtUninstallKB840987$\ntkrnlpa.exe
2004-06-17 15:43 1958272 f1b356ca171df54094f58c2120a99196 c:\windows\$NtUninstallKB885835$\ntkrnlpa.exe
2004-10-27 23:27 1959424 07406b93b788c7173d76f7bb14af0ac9 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2002-09-09 14:18 1951488 a4906a5ef1dc6fa464dfe46e3a280afd c:\windows\$NtUninstallQ811493$\ntkrnlpa.exe
2005-03-02 16:18 1959424 b7207cc6923f5ba5842600d0e67d314b c:\windows\Driver Cache\I386\ntkrnlpa.exe
2005-03-02 16:18 1959424 b7207cc6923f5ba5842600d0e67d314b c:\windows\LastGood.Tmp\system32\ntkrnlpa.exe
2005-03-02 16:18 1959424 b7207cc6923f5ba5842600d0e67d314b c:\windows\SYSTEM32\ntkrnlpa.exe

2005-03-02 16:09 2183552 0da99d0cbd578ad96effd3a571ce8437 c:\windows\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2005-03-02 16:13 2183808 6e3ab4241e058b248cb7cdc5157449c3 c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2003-04-24 11:20 1929344 2c7ff48a27783bc526c6b40e3d45fbc4 c:\windows\$NtUninstallKB840987$\ntoskrnl.exe
2004-06-17 15:43 2055168 ecedf200bbeafe558986690e6a5b2df6 c:\windows\$NtUninstallKB885835$\ntoskrnl.exe
2004-10-27 23:27 2092032 62ab7487668bb7d3c7fbd86e76fb2fee c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2002-09-09 14:18 2045824 ba32ba40a940d0b8e6017fd6adc99288 c:\windows\$NtUninstallQ811493$\ntoskrnl.exe
2005-03-02 16:18 2044416 dd15836553e95dacd280931b3c583138 c:\windows\Driver Cache\I386\ntoskrnl.exe
2005-03-02 16:18 2044416 dd15836553e95dacd280931b3c583138 c:\windows\LastGood.Tmp\system32\ntoskrnl.exe
2005-03-02 16:18 2044416 dd15836553e95dacd280931b3c583138 c:\windows\SYSTEM32\ntoskrnl.exe

2002-09-11 08:00 1006080 7de395d7b1f0c5c0ba2635bb01d0f5c8 c:\windows\explorer.exe
2002-09-11 08:00 1006080 7de395d7b1f0c5c0ba2635bb01d0f5c8 c:\windows\LastGood.Tmp\explorer.exe

2002-09-11 08:00 101888 ab1b155a5c021b4344aabe5f001b5260 c:\windows\LastGood.Tmp\system32\services.exe
2002-09-11 08:00 101888 ab1b155a5c021b4344aabe5f001b5260 c:\windows\SYSTEM32\services.exe

2002-09-11 08:00 11776 50898a35b0c98440b71c75e61392233b c:\windows\LastGood.Tmp\system32\lsass.exe
2002-09-11 08:00 11776 50898a35b0c98440b71c75e61392233b c:\windows\SYSTEM32\lsass.exe

2002-09-11 08:00 13312 2296241d47d58254658fac1918cb05d0 c:\windows\SYSTEM32\ctfmon.exe

2005-06-10 21:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
2005-06-10 22:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2002-09-11 08:00 51200 9459644e947febefd4ed3041cbd608ba c:\windows\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 21:55 53248 6b4bf97957a0b8795811975d4bf1acfe c:\windows\LastGood.Tmp\system32\spoolsv.exe
2005-06-10 21:55 53248 6b4bf97957a0b8795811975d4bf1acfe c:\windows\SYSTEM32\spoolsv.exe

2002-09-11 08:00 22016 b04e69fc9544c66709f5bb5754e9c69d c:\windows\LastGood.Tmp\system32\userinit.exe
2002-09-11 08:00 22016 b04e69fc9544c66709f5bb5754e9c69d c:\windows\SYSTEM32\userinit.exe

2002-09-11 08:00 201728 f646aeb9ab9650bd45bc1f9bda29bed0 c:\windows\LastGood.Tmp\system32\termsrv.dll
2002-09-11 08:00 201728 f646aeb9ab9650bd45bc1f9bda29bed0 c:\windows\SYSTEM32\termsrv.dll
.
((((((((((((((((((((((((((((( snapshot@2008-06-23_20.18.42,17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\24-9-2008\ERDNT.EXE
+ 2008-09-25 02:00:36 6,758,400 ----a-w c:\windows\ERDNT\24-9-2008\Users\00000001\ntuser.dat
+ 2008-09-25 02:00:36 16,384 ----a-w c:\windows\ERDNT\24-9-2008\Users\00000002\UsrClass.dat
+ 2008-09-25 02:00:37 233,472 ----a-w c:\windows\ERDNT\24-9-2008\Users\00000003\NTUSER.DAT
+ 2008-09-25 02:00:37 8,192 ----a-w c:\windows\ERDNT\24-9-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\7-9-2008\ERDNT.EXE
+ 2008-09-08 02:41:39 6,746,112 ----a-w c:\windows\ERDNT\7-9-2008\Users\00000001\ntuser.dat
+ 2008-09-08 02:41:39 16,384 ----a-w c:\windows\ERDNT\7-9-2008\Users\00000002\UsrClass.dat
+ 2008-09-08 02:41:39 233,472 ----a-w c:\windows\ERDNT\7-9-2008\Users\00000003\NTUSER.DAT
+ 2008-09-08 02:41:39 8,192 ----a-w c:\windows\ERDNT\7-9-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\10-12-2008\ERDNT.EXE
+ 2008-12-10 17:59:29 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\10-12-2008\Users\00000001\ntuser.dat
+ 2008-12-10 17:59:29 16,384 ----a-w c:\windows\ERDNT\AutoBackup\10-12-2008\Users\00000002\UsrClass.dat
+ 2008-12-10 17:59:30 233,472 ----a-w c:\windows\ERDNT\AutoBackup\10-12-2008\Users\00000003\NTUSER.DAT
+ 2008-12-10 17:59:30 8,192 ----a-w c:\windows\ERDNT\AutoBackup\10-12-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\13-11-2008\ERDNT.EXE
+ 2008-11-13 21:11:29 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\13-11-2008\Users\00000001\ntuser.dat
+ 2008-11-13 21:11:29 16,384 ----a-w c:\windows\ERDNT\AutoBackup\13-11-2008\Users\00000002\UsrClass.dat
+ 2008-11-13 21:11:30 233,472 ----a-w c:\windows\ERDNT\AutoBackup\13-11-2008\Users\00000003\NTUSER.DAT
+ 2008-11-13 21:11:30 8,192 ----a-w c:\windows\ERDNT\AutoBackup\13-11-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\13-12-2008\ERDNT.EXE
+ 2008-12-13 14:27:25 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\13-12-2008\Users\00000001\ntuser.dat
+ 2008-12-13 14:27:26 16,384 ----a-w c:\windows\ERDNT\AutoBackup\13-12-2008\Users\00000002\UsrClass.dat
+ 2008-12-13 14:27:26 233,472 ----a-w c:\windows\ERDNT\AutoBackup\13-12-2008\Users\00000003\NTUSER.DAT
+ 2008-12-13 14:27:27 8,192 ----a-w c:\windows\ERDNT\AutoBackup\13-12-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\15-11-2008\ERDNT.EXE
+ 2008-11-15 17:31:34 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\15-11-2008\Users\00000001\ntuser.dat
+ 2008-11-15 17:31:34 16,384 ----a-w c:\windows\ERDNT\AutoBackup\15-11-2008\Users\00000002\UsrClass.dat
+ 2008-11-15 17:31:35 233,472 ----a-w c:\windows\ERDNT\AutoBackup\15-11-2008\Users\00000003\NTUSER.DAT
+ 2008-11-15 17:31:35 8,192 ----a-w c:\windows\ERDNT\AutoBackup\15-11-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\17-12-2008\ERDNT.EXE
+ 2008-12-17 21:46:28 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\17-12-2008\Users\00000001\ntuser.dat
+ 2008-12-17 21:46:29 16,384 ----a-w c:\windows\ERDNT\AutoBackup\17-12-2008\Users\00000002\UsrClass.dat
+ 2008-12-17 21:46:29 233,472 ----a-w c:\windows\ERDNT\AutoBackup\17-12-2008\Users\00000003\NTUSER.DAT
+ 2008-12-17 21:46:29 8,192 ----a-w c:\windows\ERDNT\AutoBackup\17-12-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\18-12-2008\ERDNT.EXE
+ 2008-12-18 08:46:45 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\18-12-2008\Users\00000001\ntuser.dat
+ 2008-12-18 08:46:46 16,384 ----a-w c:\windows\ERDNT\AutoBackup\18-12-2008\Users\00000002\UsrClass.dat
+ 2008-12-18 08:46:46 233,472 ----a-w c:\windows\ERDNT\AutoBackup\18-12-2008\Users\00000003\NTUSER.DAT
+ 2008-12-18 08:46:47 8,192 ----a-w c:\windows\ERDNT\AutoBackup\18-12-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\19-12-2008\ERDNT.EXE
+ 2008-12-19 18:26:02 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\19-12-2008\Users\00000001\ntuser.dat
+ 2008-12-19 18:26:02 16,384 ----a-w c:\windows\ERDNT\AutoBackup\19-12-2008\Users\00000002\UsrClass.dat
+ 2008-12-19 18:26:02 233,472 ----a-w c:\windows\ERDNT\AutoBackup\19-12-2008\Users\00000003\NTUSER.DAT
+ 2008-12-19 18:26:03 8,192 ----a-w c:\windows\ERDNT\AutoBackup\19-12-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2-12-2008\ERDNT.EXE
+ 2008-12-02 20:16:22 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\2-12-2008\Users\00000001\ntuser.dat
+ 2008-12-02 20:16:23 16,384 ----a-w c:\windows\ERDNT\AutoBackup\2-12-2008\Users\00000002\UsrClass.dat
+ 2008-12-02 20:16:23 233,472 ----a-w c:\windows\ERDNT\AutoBackup\2-12-2008\Users\00000003\NTUSER.DAT
+ 2008-12-02 20:16:23 8,192 ----a-w c:\windows\ERDNT\AutoBackup\2-12-2008\Users\00000004\UsrClass.dat
+ 2008-12-19 19:15:24 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-19\Users\00000001\ntuser.dat
+ 2008-12-19 19:15:25 16,384 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-19\Users\00000002\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\22-10-2008\ERDNT.EXE
+ 2008-10-22 18:37:45 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\22-10-2008\Users\00000001\ntuser.dat
+ 2008-10-22 18:37:46 16,384 ----a-w c:\windows\ERDNT\AutoBackup\22-10-2008\Users\00000002\UsrClass.dat
+ 2008-10-22 18:37:46 233,472 ----a-w c:\windows\ERDNT\AutoBackup\22-10-2008\Users\00000003\NTUSER.DAT
+ 2008-10-22 18:37:47 8,192 ----a-w c:\windows\ERDNT\AutoBackup\22-10-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\22-11-2008\ERDNT.EXE
+ 2008-11-22 16:22:47 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\22-11-2008\Users\00000001\ntuser.dat
+ 2008-11-22 16:22:48 16,384 ----a-w c:\windows\ERDNT\AutoBackup\22-11-2008\Users\00000002\UsrClass.dat
+ 2008-11-22 16:22:48 233,472 ----a-w c:\windows\ERDNT\AutoBackup\22-11-2008\Users\00000003\NTUSER.DAT
+ 2008-11-22 16:22:48 8,192 ----a-w c:\windows\ERDNT\AutoBackup\22-11-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\23-10-2008\ERDNT.EXE
+ 2008-10-23 18:14:50 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\23-10-2008\Users\00000001\ntuser.dat
+ 2008-10-23 18:14:50 16,384 ----a-w c:\windows\ERDNT\AutoBackup\23-10-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\24-10-2008\ERDNT.EXE
+ 2008-10-24 21:10:53 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\24-10-2008\Users\00000001\ntuser.dat
+ 2008-10-24 21:10:53 16,384 ----a-w c:\windows\ERDNT\AutoBackup\24-10-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\24-11-2008\ERDNT.EXE
+ 2008-11-24 20:22:40 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\24-11-2008\Users\00000001\ntuser.dat
+ 2008-11-24 20:22:41 16,384 ----a-w c:\windows\ERDNT\AutoBackup\24-11-2008\Users\00000002\UsrClass.dat
+ 2008-11-24 20:22:41 233,472 ----a-w c:\windows\ERDNT\AutoBackup\24-11-2008\Users\00000003\NTUSER.DAT
+ 2008-11-24 20:22:42 8,192 ----a-w c:\windows\ERDNT\AutoBackup\24-11-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\25-10-2008\ERDNT.EXE
+ 2008-10-25 17:36:46 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\25-10-2008\Users\00000001\ntuser.dat
+ 2008-10-25 17:36:46 16,384 ----a-w c:\windows\ERDNT\AutoBackup\25-10-2008\Users\00000002\UsrClass.dat
+ 2008-10-25 17:36:46 233,472 ----a-w c:\windows\ERDNT\AutoBackup\25-10-2008\Users\00000003\NTUSER.DAT
+ 2008-10-25 17:36:46 8,192 ----a-w c:\windows\ERDNT\AutoBackup\25-10-2008\Users\00000004\UsrClass.dat
+ 2005-10-20 15:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\26-10-2008\ERDNT.EXE
+ 2008-10-26 17:32:52 6,778,880 ----a-w c:\windows\ERDNT\AutoBackup\26-10-2008\Users\00000001\ntuser.dat
.
-- Snapshot resetado para data atual --
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoniqueQuickStart"="c:\arquivos de programas\- utilities\Sonique\sqstart.exe" [2003-10-02 69632]
"AnyDVD"="c:\arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe" [2007-07-29 1461184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]
"Zone Labs Client"="c:\arquivos de programas\- internet\ZoneAlarm\zlclient.exe" [2004-02-17 693528]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2006-04-23 155648]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Iomega Drive Icons"="c:\arquivos de programas\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"IntelliPoint"="c:\arquivos de programas\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"Deskup"="c:\arquivos de programas\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"CTSysVol"="c:\arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 53248]
"CTDVDDet"="c:\arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"ADUserMon"="c:\arquivos de programas\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"AdaptecDirectCD"="c:\arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2004-05-22 684032]
"CTHelper"="CTHELPER.EXE" [2002-09-03 c:\windows\SYSTEM32\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-11 13312]

c:\documents and settings\Luiz Márcio\Menu Iniciar\Programas\Inicializar\
ERUNT AutoBackup.lnk - c:\arquivos de programas\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\arquivos de programas\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 14:41 294912 c:\arquivos de programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dell.com/intl/la/brazil/index.htm
uInternet Settings,ProxyServer = localhost:12080
IE: Download all with Free Download Manager - file://c:\arquivos de programas\- utilities\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\arquivos de programas\- utilities\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\arquivos de programas\- utilities\Free Download Manager\dllink.htm
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\gbpdist.dll - O16 -: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}
hxxps://imagem.caixa.gov.br/cab/gbpdist.cab
c:\windows\Downloaded Program Files\gbpdist.inf
FF - ProfilePath - c:\documents and settings\Luiz Márcio\Dados de aplicativos\Mozilla\Firefox\Profiles\yv3i16gi.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\arquivos de programas\- utilities\Free Download Manager\Firefox\Extension\components\component.dll
FF - component: c:\arquivos de programas\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-19 17:13:46
Windows 5.1.2600 Service Pack 1 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\ODBC32.dll
c:\arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\l3codecx.acm

- - - - - - - > 'lsass.exe'(824)
c:\windows\System32\dssenh.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe
c:\arquivos de programas\Executive Software\Diskeeper\DkService.exe
c:\arquiv~1\Iomega\System32\AppServices.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\ZoneLabs\vsmon.exe
c:\arquivos de programas\Iomega\AutoDisk\ADService.exe
c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-12-19 17:19:05 - Máquina reiniciou
ComboFix-quarantined-files.txt 2008-12-19 19:18:54
ComboFix2.txt 2008-06-23 23:18:51

Pré-execução: 27 pasta(s) 20.798.480.384 bytes disponíveis
Pós execução: 27 pasta(s) 20,752,523,264 bytes disponíveis

411 --- E O F --- 2008-06-01 00:45:48

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:26 PM

Posted 20 December 2008 - 11:04 AM

Hello, leza
That file appears clean to me. I don't think you're having a malware issue at this point.

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:26 PM

Posted 22 December 2008 - 11:57 PM

Hello, leza
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)