Google/Gmail Redirect Problem


  • This topic is locked
14 replies to this topic

#1 fuqizi

fuqizi

  • Members
  • 8 posts
  • OFFLINE

Posted 31 December 2008 - 04:56 PM

:thumbsup: Well, I am annoyed; shouldn't Google post on a program that defeats using their own site?

Google advertising redirects
Gmail redirects to mihey.svservers.com and ultimately a 404

What I have done:
1. Run Bitdefender always
2. Tried Kaspersky online scanner - found one virus
3. Tried Live from MS and it found and deleted a thing or two
4. Malwarebytes
5. Spybot
6. Adaware
7. Combofix

OK. I am stuck. Need some help here. What is next? Thanks!

ComboFix Log
ComboFix 08-12-30.02 - David Beck 2008-12-31 7:52:42.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1575 [GMT -6:00]
Running from: c:\documents and settings\David Beck\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David Beck\Desktop\winxpsp1_en_pro_bf.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-31 07:26 . 2008-12-31 07:26 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-31 05:31 . 2008-12-31 05:31 <DIR> d-------- c:\program files\Lavasoft
2008-12-31 05:31 . 2008-12-31 05:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-31 05:22 . 2008-12-31 05:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-31 05:22 . 2008-12-31 05:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-30 23:09 . 2008-12-30 23:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 23:09 . 2008-12-30 23:09 <DIR> d-------- c:\documents and settings\David Beck\Application Data\Malwarebytes
2008-12-30 23:09 . 2008-12-30 23:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 23:09 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 23:09 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 18:17 . 2008-12-30 18:17 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-30 09:53 . 2008-12-30 09:53 <DIR> d---s---- c:\documents and settings\David Beck\UserData
2008-12-21 04:41 . 2008-12-29 14:00 2,048 --a------ c:\windows\vknt.tmp
2008-12-21 04:41 . 2008-12-29 14:00 416 --a------ c:\windows\vknt.cfg
2008-12-21 04:40 . 2008-12-21 04:40 <DIR> d-------- c:\program files\Vietkey2000
2008-12-21 04:40 . 2008-12-21 04:40 <DIR> d-------- c:\program files\mtd2002
2008-12-16 06:13 . 2008-12-16 06:13 90,399 --a------ c:\documents and settings\David Beck\S87ekhV.exe
2008-12-16 06:13 . 2008-12-16 06:14 11 --a------ C:\sdkfofjkd.bak
2008-12-15 17:15 . 2008-12-15 17:15 <DIR> d-------- c:\program files\Synchromagic
2008-12-15 17:15 . 2008-10-06 23:45 941,872 --a------ c:\windows\system32\wodFtpDLX.dll
2008-12-15 17:15 . 2008-10-06 23:45 581,384 --a------ c:\windows\system32\wodCertificate.dll
2008-12-15 17:15 . 2007-01-31 14:42 353,280 --a------ c:\windows\system32\skinengine.dll
2008-12-15 17:15 . 1997-12-22 01:30 99,840 --a------ c:\windows\system32\ZIPDLL.DLL
2008-12-15 17:15 . 1997-12-22 01:30 94,208 --a------ c:\windows\system32\UNZDLL.DLL
2008-12-13 12:55 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2008-12-13 12:55 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2008-12-09 07:58 . 2008-12-09 10:00 479 --a------ c:\windows\system32\BDUpdateV1.xml
2008-11-16 18:03 . 2008-11-16 18:03 <DIR> d-------- c:\program files\Mozilla Thunderbird
2008-11-16 18:03 . 2008-11-16 18:03 <DIR> d-------- c:\documents and settings\David Beck\Application Data\Thunderbird

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 11:49 65,536 ----a-w c:\windows\DUMPe337.tmp
2008-11-18 00:50 192,512 ----a-w c:\windows\system32\txmlutil.dll
2008-11-18 00:50 104,328 ----a-w c:\windows\system32\drivers\bdfndisf.sys
2008-11-18 00:48 230,920 ----a-w c:\windows\system32\drivers\bdfsfltr.sys
2008-11-18 00:48 111,112 ----a-w c:\windows\system32\drivers\bdfm.sys
2008-11-14 22:37 65,536 ----a-w c:\windows\DUMP6c94.tmp
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-07-28 102400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-01 7118848]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2003-09-19 172032]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2005-06-16 86016]
"NB Probe"="c:\program files\ASUS\NB Probe\NBProbe.exe" [2005-07-27 765952]
"Wireless Console"="c:\program files\ASUS\Wireless Console\wcourier.exe" [2005-07-22 57344]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 688218]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-05-31 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-06-03 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-05-31 356352]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-23 618496]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-11-17 741376]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-11-17 69632]
"nwiz"="nwiz.exe" [2005-07-01 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-05-31 22:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS ChkMail.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ASUS ChkMail.lnk
backup=c:\windows\pss\ASUS ChkMail.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GameFace Messenger]
--a------ 2005-08-10 19:39 1916928 c:\program files\GameFace Messenger\GameFace.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 R592;R592;c:\windows\system32\DRIVERS\R592.sys [2004-10-15 57088]
R0 risdpntk;risdpntk;c:\windows\system32\DRIVERS\risdpntk.sys [2004-10-15 27264]
R1 n_jgks;n_jgks;\??\c:\program files\Common Files\System\n_jgks32.dll [2008-12-16 27648]
R2 BDVEDISK;BDVEDISK;\??\c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82440]
R2 ssoftnt4;ssoftnt4;\??\c:\windows\system32\Drivers\ssoftnt4.sys [2008-06-17 100728]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-08-12 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2008-08-14 104328]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D.sys [2004-07-06 44544]
S3 Arrakis3;BitDefender Arrakis Server;"c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe" [2008-07-17 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825f77f8-c243-11dd-8c46-001500316b98}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.gmail.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 07:56:59
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\BITDEFENDER\BITDEFENDER UPDATE SERVICE\LIVESRV.EXE
c:\program files\BITDEFENDER\BITDEFENDER 2009\VSSERV.EXE
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\INTEL\WIRELESS\BIN\1XCONFIG.EXE
c:\windows\ATKKBSERVICE.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\INTEL\WIRELESS\BIN\OPROTSVC.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\program files\ASUS\NB PROBE\SPM\SPMGR.EXE
c:\windows\SYSTEM32\CRYPTAINERSRV.EXE
c:\windows\SYSTEM32\TABLET.EXE
c:\windows\SYSTEM32\WTABLET\TABUSERW.EXE
c:\windows\SYSTEM32\TABLET.EXE
c:\windows\ATK0100\ATKOSD.EXE
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-12-31 8:00:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 14:00:44

Pre-Run: 37,313,380,352 bytes free
Post-Run: 37,634,441,216 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

200


---------------------
DDS program log

DDS (Version 1.1.0) - FAT32x86
Run by David Beck at 15:53:00.57 on Wed 12/31/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1253 [GMT -6:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
FW: BitDefender Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ASUS\Wireless Console\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\David Beck\Local Settings\Temporary Internet Files\Content.IE5\AXCL65WZ\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [NB Probe] c:\program files\asus\nb probe\NBProbe.exe
mRun: [Wireless Console] c:\program files\asus\wireless console\wcourier.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [EOUApp] c:\program files\intel\wireless\bin\EOUWiz.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: gmail.com\www
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

============= SERVICES / DRIVERS ===============

R0 R592;R592;c:\windows\system32\drivers\R592.sys [2004-10-15 57088]
R0 risdpntk;risdpntk;c:\windows\system32\drivers\risdpntk.sys [2004-10-15 27264]
R1 n_jgks;n_jgks;\??\c:\program files\common files\system\n_jgks32.dll [2008-12-16 27648]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 BDVEDISK;BDVEDISK;\??\c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-7-2 82440]
R2 ssoftnt4;ssoftnt4;\??\c:\windows\system32\drivers\ssoftnt4.sys [2008-6-17 100728]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-8-14 104328]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\Video3D.sys [2004-7-6 44544]
S3 Arrakis3;BitDefender Arrakis Server;"c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe" [2008-7-17 118784]

=============== Created Last 30 ================

2008-12-31 08:12 <DIR> --d----- c:\program files\MSXML 4.0
2008-12-31 07:45 <DIR> a-dshr-- C:\cmdcons
2008-12-31 07:42 161,792 a------- c:\windows\SWREG.exe
2008-12-31 07:42 98,816 a------- c:\windows\sed.exe
2008-12-31 07:26 <DIR> --d----- c:\windows\system32\CatRoot_bak
2008-12-31 07:25 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-31 07:25 272,128 -------- c:\windows\system32\drivers\bthport.sys
2008-12-31 07:25 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2008-12-31 07:25 138,368 -------- c:\windows\system32\dllcache\afd.sys
2008-12-31 07:25 546,304 -------- c:\windows\system32\dllcache\hhctrl.ocx
2008-12-31 07:22 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-12-31 07:22 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-31 07:22 2,180,352 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-31 07:22 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-31 07:22 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-31 07:21 202,752 -------- c:\windows\system32\dllcache\rmcast.sys
2008-12-31 07:21 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-31 07:21 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2008-12-31 07:21 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-12-31 07:21 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-12-31 07:21 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-12-31 05:31 <DIR> --d----- c:\program files\Lavasoft
2008-12-31 05:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-31 05:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-30 23:09 <DIR> --d----- c:\docume~1\davidb~1\applic~1\Malwarebytes
2008-12-30 23:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 23:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 23:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 23:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-30 09:53 <DIR> --ds---- c:\documents and settings\david beck\UserData
2008-12-29 14:37 <DIR> a-dshr-- C:\autorun.inf
2008-12-21 04:41 2,048 a------- c:\windows\vknt.tmp
2008-12-21 04:41 416 a------- c:\windows\vknt.cfg
2008-12-21 04:40 <DIR> --d----- c:\program files\Vietkey2000
2008-12-21 04:40 <DIR> --d----- c:\program files\mtd2002
2008-12-16 06:13 11 a------- C:\sdkfofjkd.bak
2008-12-16 06:13 90,399 a------- c:\documents and settings\david beck\S87ekhV.exe
2008-12-15 17:15 353,280 a------- c:\windows\system32\skinengine.dll
2008-12-15 17:15 941,872 a------- c:\windows\system32\wodFtpDLX.dll
2008-12-15 17:15 581,384 a------- c:\windows\system32\wodCertificate.dll
2008-12-15 17:15 99,840 a------- c:\windows\system32\ZIPDLL.DLL
2008-12-15 17:15 94,208 a------- c:\windows\system32\UNZDLL.DLL
2008-12-15 17:15 <DIR> --d----- c:\program files\Synchromagic
2008-12-13 12:55 266,360 a------- c:\windows\system32\TweakUI.exe
2008-12-13 12:55 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2008-12-09 07:58 479 a------- c:\windows\system32\BDUpdateV1.xml

==================== Find3M ====================

2008-12-16 05:49 65,536 a------- c:\windows\DUMPe337.tmp
2008-11-17 18:50 192,512 a------- c:\windows\system32\txmlutil.dll
2008-11-17 18:50 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
2008-11-17 18:48 111,112 a------- c:\windows\system32\drivers\bdfm.sys
2008-11-17 18:48 230,920 a------- c:\windows\system32\drivers\bdfsfltr.sys
2008-11-14 16:37 65,536 a------- c:\windows\DUMP6c94.tmp
2008-11-07 18:32 2,109,440 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 03:45 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2008-10-03 04:15 247,326 a------- c:\windows\system32\strmdll.dll

============= FINISH: 15:53:48.68 ===============

#2 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 10 January 2009 - 08:32 PM

Welcome to BC :thumbsup:

We don't recommend running our custom tools without supervision, but I need a fresh HijackThis log.

Sorry for the delay.
Microsoft MVP Consumer Security--2007-2010

#3 fuqizi

fuqizi
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 15 January 2009 - 06:59 PM

Log file

--------------

Logfile of random's system information tool 1.05 (written by random/random)
Run by David Beck at 2009-01-15 17:57:08
Microsoft Windows XP Professional Service Pack 2
System drive C: has 34 GB (61%) free of 56 GB
Total RAM: 2047 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:12 PM, on 1/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\ASUS\Wireless Console\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Intel\Wireless\Bin\iWrap.exe
C:\Program Files\Intel\Wireless\Bin\iWrap.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\David Beck\Desktop\SpywareKillers\RSIT.exe
C:\Program Files\trend micro\David Beck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 10244 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-09-29 1082880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2007-12-12 222448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll [2008-11-17 90112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HControl"=C:\WINDOWS\ATK0100\HControl.exe [2005-07-28 102400]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-07-01 7118848]
"nwiz"=nwiz.exe /install []
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-06 14850560]
"ASUS Live Update"=C:\Program Files\ASUS\ASUS Live Update\ALU.exe [2003-09-19 172032]
"Power_Gear"=C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe [2005-06-16 86016]
"NB Probe"=C:\Program Files\ASUS\NB Probe\NBProbe.exe [2005-07-27 765952]
"Wireless Console"=C:\Program Files\ASUS\Wireless Console\wcourier.exe [2005-07-22 57344]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-12-22 98394]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-12-22 688218]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2005-05-31 401408]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2005-06-03 385024]
"EOUApp"=C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe [2005-05-31 356352]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2005-12-04 461584]
"ToolBoxFX"=C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe [2006-06-15 49152]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-02-16 49152]
"hpbdfawep"=C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe [2007-12-23 618496]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe [2008-11-17 741376]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe [2008-11-17 69632]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-09-29 21755688]
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2008-09-19 4347120]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GameFace Messenger]
C:\Program Files\GameFace Messenger\GameFace.exe [2005-08-10 1916928]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS ChkMail.lnk]
C:\PROGRA~1\ASUS\ASUSCH~1\ChkMail.exe [2003-09-12 32768]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [2005-05-31 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825f77f8-c243-11dd-8c46-001500316b98}]
shell\AutoRun\command - H:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-01-15 17:55:23 ----D---- C:\ComboFix
2009-01-15 17:54:33 ----A---- C:\WINDOWS\system32\CF15443.exe
2009-01-12 22:41:22 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-01-11 23:41:00 ----HD---- C:\WINDOWS\$NtUninstallKB926239$
2009-01-11 23:40:48 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-01-11 23:40:47 ----HD---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2009-01-11 23:40:24 ----D---- C:\Program Files\Windows Media Connect 2
2009-01-11 23:40:09 ----HD---- C:\WINDOWS\$NtUninstallwmp11$
2009-01-11 23:39:34 ----D---- C:\631fb55e82b0e724710b0540
2009-01-11 23:39:04 ----HD---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-01-11 23:38:30 ----D---- C:\0d96a291d34f240f1aaafeecdfbe
2009-01-11 23:38:20 ----D---- C:\WINDOWS\system32\LogFiles
2009-01-11 23:38:14 ----HD---- C:\WINDOWS\$NtUninstallWudf01000$
2009-01-11 23:37:37 ----D---- C:\093b9ce56ae7d5273340
2009-01-07 23:35:18 ----D---- C:\Documents and Settings\David Beck\Application Data\Netscape
2009-01-07 23:35:02 ----D---- C:\Program Files\Netscape
2009-01-04 00:16:23 ----D---- C:\Program Files\trend micro
2009-01-04 00:16:22 ----D---- C:\rsit
2009-01-04 00:15:15 ----A---- C:\look.txt
2008-12-31 22:54:13 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-12-31 22:49:57 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-12-31 22:36:09 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2008-12-31 22:36:08 ----D---- C:\Program Files\NOS
2008-12-31 16:16:31 ----D---- C:\Program Files\Spyware Cease
2008-12-31 08:17:25 ----HD---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-31 08:17:15 ----HD---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-31 08:17:06 ----HD---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-31 08:16:55 ----HD---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-31 08:16:46 ----HD---- C:\WINDOWS\$NtUninstallKB935448$
2008-12-31 08:16:35 ----HD---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-31 08:16:28 ----HD---- C:\WINDOWS\$NtUninstallKB923723$
2008-12-31 08:16:19 ----HD---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-31 08:16:08 ----HD---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-31 08:15:42 ----HD---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-31 08:15:27 ----HD---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-31 08:15:16 ----HD---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-31 08:15:05 ----HD---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-31 08:14:43 ----HD---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-31 08:14:26 ----HD---- C:\WINDOWS\$NtUninstallKB960714$
2008-12-31 08:14:16 ----HD---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-31 08:14:06 ----HD---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-31 08:13:56 ----HD---- C:\WINDOWS\$NtUninstallKB952287$
2008-12-31 08:13:41 ----HD---- C:\WINDOWS\$NtUninstallKB901190$
2008-12-31 08:13:31 ----HD---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-31 08:13:21 ----HD---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-31 08:13:12 ----HD---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-31 08:13:01 ----HD---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-31 08:12:50 ----HD---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-31 08:12:46 ----D---- C:\Program Files\MSXML 4.0
2008-12-31 08:12:14 ----HD---- C:\WINDOWS\$NtUninstallKB944338-v2$
2008-12-31 07:45:38 ----A---- C:\Boot.bak
2008-12-31 07:45:24 ----RASHD---- C:\cmdcons
2008-12-31 07:42:29 ----D---- C:\WINDOWS\ERDNT
2008-12-31 07:42:28 ----D---- C:\Qoobox
2008-12-31 07:26:43 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-12-31 07:24:12 ----N---- C:\WINDOWS\system32\xpsp3res.dll
2008-12-31 05:31:43 ----D---- C:\Program Files\Lavasoft
2008-12-31 05:31:40 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-31 05:22:34 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-31 05:22:34 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-30 23:09:30 ----D---- C:\Documents and Settings\David Beck\Application Data\Malwarebytes
2008-12-30 23:09:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-30 23:09:20 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-30 18:17:16 ----D---- C:\Program Files\Windows Live Safety Center
2008-12-29 14:37:50 ----RASHD---- C:\autorun.inf
2008-12-21 04:41:38 ----A---- C:\WINDOWS\vknt.tmp
2008-12-21 04:40:30 ----D---- C:\Program Files\Vietkey2000
2008-12-21 04:40:25 ----D---- C:\Program Files\mtd2002
2008-12-16 06:13:33 ----A---- C:\sdkfofjkd.bak

======List of files/folders modified in the last 1 months======

2009-01-15 17:56:50 ----A---- C:\WINDOWS\bdagent.INI
2009-01-14 09:45:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-11 23:40:54 ----A---- C:\WINDOWS\imsins.BAK
2009-01-11 23:40:36 ----A---- C:\WINDOWS\win.ini
2008-12-31 07:57:08 ----A---- C:\WINDOWS\system.ini
2008-12-31 07:45:40 ----RASH---- C:\boot.ini
2008-12-16 05:49:30 ----A---- C:\WINDOWS\DUMPe337.tmp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 asuskbnt;Enhanced Display Driver Helper Service; C:\WINDOWS\system32\drivers\atkkbnt.sys [2005-06-09 23040]
R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 n_jgks;n_jgks; \??\C:\Program Files\Common Files\System\n_jgks32.dll []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-11-17 17801]
R2 BDVEDISK;BDVEDISK; \??\C:\Program Files\BitDefender\BitDefender 2009\BDVEDISK.sys []
R2 ghaio;ghaio; \??\C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-03 87424]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2004-04-13 15781]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-01-16 13059]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2005-05-03 11354]
R2 ssoftnt4;ssoftnt4; \??\C:\WINDOWS\system32\Drivers\ssoftnt4.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 bdfm;BDFM; C:\WINDOWS\system32\drivers\bdfm.sys [2008-11-17 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service; C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-11-17 104328]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2009-01-15 242184]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys []
R3 Cam5603D;BisonCam, NB Pro; C:\WINDOWS\System32\Drivers\BisonCam.sys [2005-04-18 646656]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2005-01-16 1036928]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-01-16 163328]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-08 3959808]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 IWCA;Intel Wireless Connection Agent Miniport for Win XP; C:\WINDOWS\system32\DRIVERS\iwca.sys [2004-08-12 234496]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MTsensor;ATK0100 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ATKACPI.sys [2005-02-17 5632]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-07-01 3208800]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-07-01 9856]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-12-22 186240]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 Video3D;ASUS Video3D Service; C:\WINDOWS\System32\Drivers\Video3D.sys [2004-07-06 44544]
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2005-04-30 3281408]
R3 wacommousefilter;Wacom Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-14 5632]
R3 wacomvhid;Wacom Virtual Hid Driver; C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-11-15 6272]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-01-16 702592]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\yukonwxp.sys [2004-06-01 142464]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 Asushwio;Asushwio; \??\C:\WINDOWS\system32\drivers\Asushwio.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HPFXBULK;HPFXBULK; C:\WINDOWS\system32\drivers\hpfxbulk.sys [2006-06-12 9344]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2005-12-01 21760]
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 RkHit;RkHit; \??\C:\WINDOWS\system32\drivers\RKHit.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 ATKKeyboardService;ATK Keyboard Service; C:\WINDOWS\ATKKBService.exe [2005-08-07 253952]
R2 EvtEng;EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2005-06-03 86016]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-06-20 53248]
R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2008-11-17 401408]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-07-01 127042]
R2 OwnershipProtocol;OwnershipProtocol; C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe [2005-05-31 98304]
R2 RegSrvc;RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2005-06-03 139264]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2005-06-03 372809]
R2 spmgr;spmgr; C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe [2005-04-20 118784]
R2 ssoftservice;Cryptainer service; C:\WINDOWS\system32\cryptainersrv.exe [2007-01-24 74240]
R2 TabletService;TabletService; C:\WINDOWS\system32\Tablet.exe [2007-01-26 1185328]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe [2008-12-03 1572864]
S3 Arrakis3;BitDefender Arrakis Server; C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2003-02-20 32768]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2002-08-01 65536]
S3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------

#4 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 16 January 2009 - 04:07 PM

How is everything running?

Microsoft MVP Consumer Security--2007-2010

#5 fuqizi

fuqizi
  • Topic Starter

  • Members
  • 8 posts

Posted 17 January 2009 - 12:54 AM

Problem is unchanged.

1. Google redirects to a variety of advertising websites.
2. Gmail will not open

Installing Netscape is a nice workaround for Google, and Thunderbird works for Gmail. So I am annoyed but still working.

This started when I used a T-Mobile hotspot at San Francisco Airport. Very annoying. I also at that time updated a piece of browser add-in software like Adobe Flash or something. But maybe that was me being a sucker. It was a standard plug-in update; I recognized the name, though I didn't file the name into the memory banks upstairs.

Other things I have noticed
3. A couple of times Spybot has blocked a "disable Cmd.exe" addition to the registry.
4. Recently my Wireless Network will not allow me to disable the connection and gives an error saying that maybe another user started the wireless network or there is a program that does not support plug and play.

Not sure if issue 3 and 4 have anything to do with 1 and 2.

Thanks!

#6 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 17 January 2009 - 11:20 AM

Are you behind a router?

Download GMER Antirootkit and unzip it to a folder that you create such as C:\Gmer\: http://www.gmer.net/gmer.zip
  • Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the "Rootkit" Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | run |type cmd and hit Enter)
    • Type or paste the following to unload the gmer driver:
    • net stop gmer
    • Hit Enter
    • Exit the command prompt.
  • Re-enable all active protection.

Microsoft MVP Consumer Security--2007-2010

#7 fuqizi

fuqizi
  • Topic Starter

  • Members
  • 8 posts

Posted 17 January 2009 - 06:44 PM

Router

At home I am behind an AT&T supplied router with only authenticated computers allowed to connect to it, passworded etc.

At work - um - well - I have to log into their wireless service. But they are really good at solving your "computer problems" if you forget to turn on the printer, or plug the thing in. But if I had a computer problem I would call someone else.


GMER highlighted the last one in red and screamed a little.
------------------ The GMER Report is IN ----------- Enjoy! and P.S. THANKS!!!!!!!!!--------------------
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-17 17:17:29
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB4ABFBCE] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xB4ABFCBC] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xB4ABFB32] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

INIT n_jgks32.dll BAA81029 3 Bytes [ 10, A8, BA ]
INIT n_jgks32.dll BAA8102D 3 Bytes [ 10, A8, BA ]
INIT n_jgks32.dll BAA81031 3 Bytes [ 10, A8, BA ]
INIT n_jgks32.dll BAA81035 3 Bytes [ 10, A8, BA ]
INIT n_jgks32.dll BAA81039 3 Bytes [ 11, A8, BA ]
INIT ...
? C:\Program Files\Common Files\System\n_jgks32.dll The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2292] WININET.dll!InternetConnectA 771C30A3 5 Bytes JMP 10002547
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2292] WININET.dll!HttpOpenRequestA 771C368D 5 Bytes JMP 10002615
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2292] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 100025A7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2292] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 100026C8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2292] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 10002825
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2292] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 100028B8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2292] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 10002760
.text C:\WINDOWS\Explorer.EXE[3612] Explorer.EXE 0101E24E 5 Bytes JMP 00090000

---- User IAT/EAT - GMER 1.0.14 ----


---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service C:\Program Files\Common Files\System\n_jgks32.dll (*** hidden *** ) [SYSTEM] n_jgks <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

#8 sjpritch25 (Security Colleague, 898 posts, West Coast of Florida, USA)

Posted 18 January 2009 - 09:49 PM

Please delete your current copy of ComboFix and download a fresh copy from here to your desktop. It must be saved to your Desktop!!!!!!


Open notepad and copy/paste the text in the quote box below into it:

http://www.bleepingcomputer.com/forums/top...ml#entry1097310

Collect::
c:\program files\Common Files\System\n_jgks32.dll
Driver::
n_jgks
DirLook::
c:\program files\Common Files\System


Save this as CFScript.txt

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Note: Please do not use this script on another computer; you may damage the system. The script is made especially for this computer only!!!!
Microsoft MVP Consumer Security--2007-2010

#9 fuqizi (Topic Starter, Members, 8 posts)

Posted 18 January 2009 - 10:19 PM

ComboFix 09-01-18.01 - David Beck 2009-01-18 21:05:56.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1264 [GMT -6:00]
Running from: c:\documents and settings\David Beck\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David Beck\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Spyware Cease
c:\documents and settings\All Users\Start Menu\Programs\Spyware Cease\Spyware Cease on the Web.lnk
c:\documents and settings\All Users\Start Menu\Programs\Spyware Cease\Spyware Cease.lnk
c:\documents and settings\All Users\Start Menu\Programs\Spyware Cease\Uninstall Spyware Cease.lnk
c:\program files\Common Files\System\n_jgks32.dll
c:\program files\Spyware Cease
c:\program files\Spyware Cease\AutoUpdate.exe
c:\program files\Spyware Cease\LSR.lsr
c:\program files\Spyware Cease\md5.dll
c:\program files\Spyware Cease\networkdll.dll
c:\program files\Spyware Cease\opfile.dll
c:\program files\Spyware Cease\RegDefend.ini
c:\program files\Spyware Cease\RkHitApi.dll
c:\program files\Spyware Cease\spkdll.dll
c:\program files\Spyware Cease\SpywareCease.exe
c:\program files\Spyware Cease\SpywareCease.url
c:\program files\Spyware Cease\swdb.ssk
c:\program files\Spyware Cease\unins000.dat
c:\program files\Spyware Cease\unins000.exe
c:\program files\Spyware Cease\update\opfile.dll
c:\program files\Spyware Cease\update\swdb.ssk
c:\program files\Spyware Cease\update\Update.ini
c:\program files\Spyware Cease\zlib1.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_N_JGKS
-------\Legacy_RKHIT
-------\Service_n_jgks
-------\Service_RkHit


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 13:44 242,184 ----a-w c:\windows\system32\drivers\bdfsfltr.sys
2008-12-16 12:13 90,399 ----a-w c:\documents and settings\David Beck\S87ekhV.exe
2008-12-16 11:49 65,536 ----a-w c:\windows\DUMPe337.tmp
2008-12-15 23:15 --------- d-----w c:\program files\Synchromagic
2008-11-18 00:50 192,512 ----a-w c:\windows\system32\txmlutil.dll
2008-11-14 22:37 65,536 ----a-w c:\windows\DUMP6c94.tmp
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\Common Files\System ----



------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-12-31_ 7.59.30.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-19 03:47:14 212,992 ------w c:\windows\system32\MFPLAT.dll
+ 2006-10-19 03:47:14 259,072 ------w c:\windows\system32\MP43DECD.dll
- 2004-08-05 02:00:00 310,272 ----a-w c:\windows\system32\mp43dmod.dll
+ 2006-10-19 03:47:14 4,096 ----a-w c:\windows\system32\MP43DMOD.dll
+ 2006-10-19 03:47:14 317,440 ------w c:\windows\system32\MP4SDECD.dll
- 2004-08-05 02:00:00 384,512 ----a-w c:\windows\system32\mp4sdmod.dll
+ 2006-10-19 03:47:14 4,096 ----a-w c:\windows\system32\MP4SDMOD.dll
+ 2006-10-19 03:47:14 259,072 ------w c:\windows\system32\MPG4DECD.dll
- 2004-08-05 02:00:00 240,640 ----a-w c:\windows\system32\mpg4dmod.dll
+ 2006-10-19 03:47:14 4,096 ----a-w c:\windows\system32\MPG4DMOD.dll
- 2004-08-05 02:00:00 73,728 ----a-w c:\windows\system32\mscms.dll
+ 2008-06-24 16:23:06 74,240 ----a-w c:\windows\system32\mscms.dll
+ 2006-10-02 21:28:42 312,128 ------w c:\windows\system32\msdelta.dll
- 2004-08-05 02:00:00 3,003,392 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:33:24 3,060,224 ----a-w c:\windows\system32\mshtml.dll
- 2004-08-05 02:00:00 448,512 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:37:04 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2004-08-05 02:00:00 259,072 ----a-w c:\windows\system32\msnetobj.dll
+ 2006-10-19 03:47:16 179,712 ----a-w c:\windows\system32\msnetobj.dll
- 2004-08-05 02:00:00 52,224 ----a-w c:\windows\system32\mspmsnsv.dll
+ 2006-10-19 03:47:16 27,136 ----a-w c:\windows\system32\mspmsnsv.dll
- 2004-08-05 02:00:00 201,728 ----a-w c:\windows\system32\mspmsp.dll
+ 2006-10-19 03:47:16 175,616 ----a-w c:\windows\system32\mspmsp.dll
- 2004-08-05 02:00:00 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:37:02 146,432 ----a-w c:\windows\system32\msrating.dll
- 2004-08-05 02:00:00 356,352 ----a-w c:\windows\system32\msscp.dll
+ 2006-10-19 03:47:16 414,208 ----a-w c:\windows\system32\msscp.dll
- 2004-08-05 02:00:00 530,432 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:37:02 532,480 ----a-w c:\windows\system32\mstime.dll
- 2004-08-05 02:00:00 245,760 ----a-w c:\windows\system32\mswmdm.dll
+ 2006-10-19 03:47:16 321,536 ----a-w c:\windows\system32\mswmdm.dll
- 2004-08-05 02:00:00 1,236,480 ------w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2003-04-18 22:46:22 1,233,920 ----a-w c:\windows\system32\msxml4.dll
+ 2008-09-30 22:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
- 2004-08-05 02:00:00 332,288 ----a-w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:57:56 332,800 ----a-w c:\windows\system32\netapi32.dll
- 2004-08-05 02:00:00 2,056,832 ----a-w c:\windows\system32\ntkrnlpa.exe
+ 2008-08-14 09:22:14 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
- 2004-08-05 02:00:00 2,180,992 ----a-w c:\windows\system32\ntoskrnl.exe
+ 2008-08-14 10:00:46 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
- 2004-08-05 02:00:00 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:37:02 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2006-10-19 03:47:18 284,160 ------w c:\windows\system32\PortableDeviceApi.dll
+ 2006-10-19 03:47:18 101,888 ------w c:\windows\system32\PortableDeviceClassExtension.dll
+ 2006-10-19 03:47:18 166,912 ------w c:\windows\system32\PortableDeviceTypes.dll
+ 2006-10-19 03:47:18 132,096 ------w c:\windows\system32\PortableDeviceWiaCompat.dll
+ 2006-10-19 03:47:18 199,168 ------w c:\windows\system32\PortableDeviceWMDRM.dll
- 2004-08-05 02:00:00 237,568 ----a-w c:\windows\system32\qasf.dll
+ 2006-10-19 03:47:18 211,456 ----a-w c:\windows\system32\qasf.dll
- 2004-08-05 02:00:00 1,287,680 ----a-w c:\windows\system32\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w c:\windows\system32\quartz.dll
- 2004-08-05 02:00:00 1,483,264 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:37:04 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
- 2004-08-05 02:00:00 473,600 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:37:04 474,112 ----a-w c:\windows\system32\shlwapi.dll
- 2005-05-04 20:45:26 13,536 ------w c:\windows\system32\spmsg.dll
+ 2006-09-25 23:58:48 14,640 ------w c:\windows\system32\spmsg.dll
- 2005-02-25 03:35:06 22,752 ----a-w c:\windows\system32\spupdsvc.exe
+ 2006-09-25 23:58:48 23,856 ----a-w c:\windows\system32\spupdsvc.exe
- 2004-08-05 02:00:00 246,302 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:48 247,326 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-22 09:47:08 62,976 ------w c:\windows\system32\tzchange.exe
- 2004-08-05 02:00:00 601,088 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:37:04 615,936 ----a-w c:\windows\system32\urlmon.dll
+ 2006-10-19 03:58:00 8,704 ------w c:\windows\system32\uwdf.exe
- 2004-08-05 02:00:00 417,792 ----a-w c:\windows\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w c:\windows\system32\vbscript.dll
+ 2006-10-19 03:47:18 4,096 ------w c:\windows\system32\wdfapi.dll
+ 2006-10-19 03:58:00 8,704 ------w c:\windows\system32\wdfmgr.exe
- 2004-08-05 02:00:00 1,835,904 ----a-w c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:42 1,846,016 ----a-w c:\windows\system32\win32k.sys
- 2004-08-05 02:00:00 656,384 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 10:37:04 659,456 ----a-w c:\windows\system32\wininet.dll
- 2004-08-05 02:00:00 408,064 ----a-w c:\windows\system32\wmadmod.dll
+ 2006-10-19 03:47:18 757,248 ----a-w c:\windows\system32\WMADMOD.dll
- 2004-08-05 02:00:00 670,720 ----a-w c:\windows\system32\wmadmoe.dll
+ 2006-10-19 03:47:18 1,117,696 ----a-w c:\windows\system32\WMADMOE.dll
- 2004-08-05 02:00:00 230,400 ----a-w c:\windows\system32\wmasf.dll
+ 2006-10-19 03:47:18 222,208 ----a-w c:\windows\system32\wmasf.dll
- 2004-08-05 02:00:00 27,136 ----a-w c:\windows\system32\wmdmlog.dll
+ 2006-10-19 03:47:18 33,792 ----a-w c:\windows\system32\wmdmlog.dll
- 2004-08-05 02:00:00 23,552 ----a-w c:\windows\system32\wmdmps.dll
+ 2006-10-19 03:47:18 37,376 ----a-w c:\windows\system32\wmdmps.dll
+ 2006-10-19 03:47:18 429,056 ------w c:\windows\system32\wmdrmdev.dll
+ 2006-10-19 03:47:20 348,672 ------w c:\windows\system32\wmdrmnet.dll
+ 2006-10-19 03:47:20 535,040 ------w c:\windows\system32\wmdrmsdk.dll
- 2004-08-05 02:00:00 168,448 ----a-w c:\windows\system32\wmerror.dll
+ 2006-10-19 03:47:20 227,328 ----a-w c:\windows\system32\wmerror.dll
- 2004-08-05 02:00:00 151,552 ----a-w c:\windows\system32\wmidx.dll
+ 2006-10-19 03:47:20 157,184 ----a-w c:\windows\system32\wmidx.dll
- 2004-08-05 02:00:00 1,050,624 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2006-10-19 03:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
- 2004-08-05 02:00:00 4,874,240 ----a-w c:\windows\system32\wmp.dll
+ 2006-10-19 03:47:20 10,834,432 ----a-w c:\windows\system32\wmp.dll
- 2004-08-05 02:00:00 114,688 ----a-w c:\windows\system32\wmpasf.dll
+ 2006-10-19 03:47:20 242,688 ----a-w c:\windows\system32\wmpasf.dll
- 2004-08-05 02:00:00 233,472 ----a-w c:\windows\system32\wmpdxm.dll
+ 2006-10-19 03:47:20 314,880 ----a-w c:\windows\system32\wmpdxm.dll
+ 2006-10-19 03:47:20 295,936 ------w c:\windows\system32\wmpeffects.dll
+ 2006-10-19 03:47:20 1,661,440 ------w c:\windows\system32\wmpencen.dll
- 2004-08-05 02:00:00 2,940,928 ----a-w c:\windows\system32\wmploc.dll
+ 2006-10-19 03:47:20 8,231,936 ----a-w c:\windows\system32\wmploc.dll
+ 2006-10-19 03:47:20 613,376 ------w c:\windows\system32\wmpmde.dll
+ 2006-10-19 03:47:20 130,048 ------w c:\windows\system32\wmpps.dll
- 2004-08-05 02:00:00 102,400 ----a-w c:\windows\system32\wmpshell.dll
+ 2006-10-19 03:47:20 99,840 ----a-w c:\windows\system32\wmpshell.dll
+ 2006-10-19 03:47:20 204,288 ------w c:\windows\system32\wmpsrcwp.dll
- 2004-08-05 02:00:00 759,296 ----a-w c:\windows\system32\wmsdmod.dll
+ 2006-10-19 03:47:22 4,096 ----a-w c:\windows\system32\wmsdmod.dll
- 2004-08-05 02:00:00 1,119,744 ----a-w c:\windows\system32\wmsdmoe2.dll
+ 2006-10-19 03:47:22 4,096 ----a-w c:\windows\system32\wmsdmoe2.dll
- 2004-08-05 02:00:00 484,864 ----a-w c:\windows\system32\wmspdmod.dll
+ 2006-10-19 03:47:22 603,648 ----a-w c:\windows\system32\WMSPDMOD.dll
- 2004-08-05 02:00:00 896,512 ----a-w c:\windows\system32\wmspdmoe.dll
+ 2006-10-19 03:47:22 1,329,152 ----a-w c:\windows\system32\WMSPDMOE.dll
+ 2006-10-19 03:47:22 4,096 ------w c:\windows\system32\WMVADVD.dll
+ 2006-10-19 03:47:22 4,096 ------w c:\windows\system32\WMVADVE.DLL
- 2004-08-05 02:00:00 2,105,344 ----a-w c:\windows\system32\wmvcore.dll
+ 2006-10-19 03:47:22 2,450,944 ----a-w c:\windows\system32\WMVCore.dll
+ 2006-10-19 03:47:22 1,543,680 ------w c:\windows\system32\WMVDECOD.dll
- 2004-08-05 02:00:00 809,984 ----a-w c:\windows\system32\wmvdmod.dll
+ 2006-10-19 03:47:22 4,096 ----a-w c:\windows\system32\wmvdmod.dll
- 2004-08-05 02:00:00 1,001,472 ----a-w c:\windows\system32\wmvdmoe2.dll
+ 2006-10-19 03:47:22 4,096 ----a-w c:\windows\system32\wmvdmoe2.dll
+ 2006-10-19 03:47:22 1,574,912 ------w c:\windows\system32\WMVENCOD.dll
+ 2006-10-19 03:47:22 1,382,912 ------w c:\windows\system32\WMVSDECD.dll
+ 2006-10-19 03:47:22 767,488 ------w c:\windows\system32\WMVSENCD.dll
+ 2006-10-19 03:47:22 656,896 ------w c:\windows\system32\WMVXENCD.dll
+ 2006-10-19 03:47:22 629,760 ------w c:\windows\system32\wpd_ci.dll
+ 2006-10-19 03:47:22 35,840 ------w c:\windows\system32\wpdconns.dll
+ 2006-10-19 03:47:22 154,624 ------w c:\windows\system32\wpdmtp.dll
+ 2006-10-19 03:47:22 63,488 ------w c:\windows\system32\wpdmtpus.dll
+ 2006-10-19 03:47:22 2,603,008 ------w c:\windows\system32\WpdShext.dll
+ 2006-10-19 02:00:14 17,408 ------w c:\windows\system32\wpdshextautoplay.exe
+ 2006-10-19 03:47:22 38,400 ------w c:\windows\system32\wpdshextres.dll
+ 2006-10-19 03:47:22 133,632 ------w c:\windows\system32\WPDShServiceObj.dll
+ 2006-10-19 03:47:22 356,352 ------w c:\windows\system32\wpdsp.dll
+ 2006-09-29 02:13:26 95,344 ------w c:\windows\system32\WUDFCoinstaller.dll
+ 2006-09-29 00:56:38 146,432 ------w c:\windows\system32\WudfHost.exe
+ 2006-09-29 00:56:16 165,376 ------w c:\windows\system32\WudfPlatform.dll
+ 2006-09-29 00:56:14 55,808 ------w c:\windows\system32\WudfSvc.dll
+ 2006-09-29 00:56:38 316,416 ------w c:\windows\system32\WUDFx.dll
+ 2008-10-15 14:00:42 351,744 ------w c:\windows\system32\xpsp3res.dll
+ 2009-01-19 03:11:50 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_64c.dat
+ 2008-09-30 22:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 22:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2008-04-15 17:54:20 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-07-28 102400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-01 7118848]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2003-09-19 172032]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2005-06-16 86016]
"NB Probe"="c:\program files\ASUS\NB Probe\NBProbe.exe" [2005-07-27 765952]
"Wireless Console"="c:\program files\ASUS\Wireless Console\wcourier.exe" [2005-07-22 57344]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 688218]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-05-31 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-06-03 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-05-31 356352]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-23 618496]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-01-15 741376]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-11-17 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2005-07-01 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-05-31 22:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS ChkMail.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ASUS ChkMail.lnk
backup=c:\windows\pss\ASUS ChkMail.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GameFace Messenger]
--a------ 2005-08-10 19:39 1916928 c:\program files\GameFace Messenger\GameFace.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 R592;R592;c:\windows\system32\drivers\R592.sys [2004-10-15 57088]
R0 risdpntk;risdpntk;c:\windows\system32\drivers\risdpntk.sys [2004-10-15 27264]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-08-12 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-08-14 104328]
R4 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82696]
R4 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2008-06-17 100728]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [2006-08-01 5824]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-31 33752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825f77f8-c243-11dd-8c46-001500316b98}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.gmail.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 21:11:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1196)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\BITDEFENDER\BITDEFENDER UPDATE SERVICE\LIVESRV.EXE
c:\program files\BITDEFENDER\BITDEFENDER 2009\VSSERV.EXE
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\INTEL\WIRELESS\BIN\1XCONFIG.EXE
c:\windows\ATKKBSERVICE.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\INTEL\WIRELESS\BIN\OPROTSVC.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\program files\ASUS\NB PROBE\SPM\SPMGR.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\SYSTEM32\CRYPTAINERSRV.EXE
c:\windows\SYSTEM32\TABLET.EXE
c:\windows\SYSTEM32\WTABLET\TABUSERW.EXE
c:\windows\SYSTEM32\TABLET.EXE
c:\windows\ATK0100\ATKOSD.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-18 21:15:06 - machine was rebooted [David Beck]
ComboFix-quarantined-files.txt 2009-01-19 03:15:02
ComboFix2.txt 2008-12-31 14:01:00

Pre-Run: 36,003,020,800 bytes free
Post-Run: 36,049,977,344 bytes free

594 --- E O F --- 2008-12-31 14:17:31
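In the ComboFix snapshot listing above, a `-` line records a file as it was and the following `+` line the same path as it is now, while a `+` with no `-` partner is a file that has no earlier counterpart. As an added example, not part of the thread or of ComboFix itself, this Python parser groups those lines by path and flags newly added driver files dated on or after a cut-off you choose; the sample lines are copied from the log above, and the cut-off date is an assumption.

```python
import re
from collections import defaultdict

# Sample input copied from the ComboFix listing posted in this thread.
SAMPLE = r"""
- 2004-08-05 02:00:00 138,496 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:51:44 138,368 ----a-w c:\windows\system32\drivers\afd.sys
+ 2009-01-17 23:09:06 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2004-08-05 02:00:00 1,835,904 ----a-w c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:42 1,846,016 ----a-w c:\windows\system32\win32k.sys
+ 2006-10-19 03:47:22 4,096 ------w c:\windows\system32\WMVADVD.dll
"""

# sign, date, time, size (with thousands separators), attribute string, path
LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$"
)


def parse_listing(text):
    """Parse the +/- file listing into a list of entry dicts; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sign, date, time, size, attrs, path = m.groups()
        entries.append({
            "sign": sign,
            "timestamp": f"{date} {time}",
            "size": int(size.replace(",", "")),
            "attrs": attrs,
            "path": path.lower(),   # paths are case-insensitive on Windows
        })
    return entries


def classify(entries):
    """Group entries by path: 'replaced' when a - and a + line share the path,
    'added' when only a + line exists, 'removed' when only a - line exists."""
    by_path = defaultdict(dict)
    for e in entries:
        by_path[e["path"]][e["sign"]] = e
    result = {"added": [], "removed": [], "replaced": []}
    for path, d in by_path.items():
        if "+" in d and "-" in d:
            result["replaced"].append((path, d["-"]["size"], d["+"]["size"]))
        elif "+" in d:
            result["added"].append(path)
        else:
            result["removed"].append(path)
    return result


def flag_new_kernel_files(entries, cutoff_date):
    """Return added (no earlier counterpart) .sys files or files under a drivers
    directory whose timestamp is on or after cutoff_date (ISO 'YYYY-MM-DD').
    A new driver that appeared after the problem started deserves an explanation;
    in the sample it is GMER's own driver, installed when the helper asked for a scan."""
    added = classify(entries)["added"]
    newest = {e["path"]: e for e in entries if e["sign"] == "+"}
    flagged = []
    for path in sorted(added):
        e = newest[path]
        is_driver = path.endswith(".sys") or "\\drivers\\" in path
        if is_driver and e["timestamp"][:10] >= cutoff_date:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    summary = classify(entries)
    print("replaced:", summary["replaced"])
    print("added:   ", summary["added"])
    # Assumed cut-off: the date of the first post in this thread.
    print("new drivers since 2008-12-31:", flag_new_kernel_files(entries, "2008-12-31"))
```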

#10 sjpritch25
  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 18 January 2009 - 10:28 PM

How is everything running??
Microsoft MVP Consumer Security--2007-2010

#11 fuqizi
  • Topic Starter
  • Members
  • 8 posts

Posted 18 January 2009 - 10:30 PM

OK

I figured the link in the script was an accident so I did not use it
I deleted COMBOFIX old
Downloaded COMBOFIX new
I dropped CFScript on the icon

It ran.
Spybot freaked out when something tried to disable CMD in the registry - I said NO WAY
COMBOFIX freaked out and said turn off BitDefender - Sure, that is easy

It deleted that file as indicated in CFScript, and an entire folder called spyware cease

It rebooted the machine

It submitted that little bastard to whoever COMBOFIX sends it to.

It showed the log.txt

I submitted the log.
I tested Google - it works, GMAIL - it works.

I tested the Network - it still won't let me disable the connection. But that problem showed up on another day, and is probably unrelated. If you have an idea I would appreciate some advice. If it is beyond this forum, then unless there is something else I should do.


THANK YOU


#12 sjpritch25
  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 18 January 2009 - 10:33 PM

The connection will probably need to be handled by a hardware person. We can cross that after I'm sure you're clean.

Please run GMER again and post the log. Thanks
Microsoft MVP Consumer Security--2007-2010

#13 fuqizi
  • Topic Starter
  • Members
  • 8 posts

Posted 18 January 2009 - 10:51 PM

GMER - Full Scan of all drives.

-----------------------
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-18 21:50:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB40C4BCE]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xB40C4CBC]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xB40C4B32]

---- Kernel code sections - GMER 1.0.14 ----

? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61118BE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61118BE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [61119CC3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61118B2C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61118AB0] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61118AEE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61118BE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61118C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61118AEE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61118B2C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61119218] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61118BEF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61118AB0] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [61119C83] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [61119D11] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [61119CC3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [61119C43] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3616] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [61119601] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----

#14 sjpritch25
  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 18 January 2009 - 11:02 PM

Go ahead and delete GMER from your desktop

Go to Start ---> Run ---> Type ComboFix /u and press Enter.


You're clean.


Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  • Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  • Here are two great Preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
  • Anti-Spyware Programs I Recommend:
    • Free Anti-Spyware Programs


Reboot your computer and let me know about not being able to disable your network adapter. Thanks
Microsoft MVP Consumer Security--2007-2010

#15 fuqizi
  • Topic Starter
  • Members
  • 8 posts

Posted 18 January 2009 - 11:27 PM

COMBOFIX deleted
Restore Point Created
Old Restore Points Deleted

Malwarebytes already installed.
Will check out Blaster

THANK YOU VERY MUCH!!!!!

May the Creator watch over you.
