ComboFix 09-02-02.04 - Terey 2009-02-03 13:13:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2175 [GMT -6:00]
Running from: c:\documents and settings\Terey\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: Sygate Personal Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Terey\Application Data\inst.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\_003632_.tmp.dll
c:\windows\system32\_003633_.tmp.dll
c:\windows\system32\_003634_.tmp.dll
c:\windows\system32\_003635_.tmp.dll
c:\windows\system32\_003642_.tmp.dll
c:\windows\system32\_003643_.tmp.dll
c:\windows\system32\_003644_.tmp.dll
c:\windows\system32\_003646_.tmp.dll
c:\windows\system32\_003647_.tmp.dll
c:\windows\system32\_003650_.tmp.dll
c:\windows\system32\_003651_.tmp.dll
c:\windows\system32\_003653_.tmp.dll
c:\windows\system32\_003654_.tmp.dll
c:\windows\system32\_003655_.tmp.dll
c:\windows\system32\_003657_.tmp.dll
c:\windows\system32\_003660_.tmp.dll
c:\windows\system32\_003661_.tmp.dll
c:\windows\system32\_003665_.tmp.dll
c:\windows\system32\_003666_.tmp.dll
c:\windows\system32\_003668_.tmp.dll
c:\windows\system32\_003671_.tmp.dll
c:\windows\system32\_003673_.tmp.dll
c:\windows\system32\_003674_.tmp.dll
c:\windows\system32\_003675_.tmp.dll
c:\windows\system32\_003676_.tmp.dll
c:\windows\system32\_003679_.tmp.dll
c:\windows\system32\_003680_.tmp.dll
c:\windows\system32\_003681_.tmp.dll
c:\windows\system32\_003682_.tmp.dll
c:\windows\system32\_003683_.tmp.dll
c:\windows\system32\_003688_.tmp.dll
c:\windows\system32\_003690_.tmp.dll
c:\windows\system32\_003691_.tmp.dll
c:\windows\system32\_005948_.tmp.dll
c:\windows\system32\_005949_.tmp.dll
c:\windows\system32\_005950_.tmp.dll
c:\windows\system32\_005951_.tmp.dll
c:\windows\system32\_005958_.tmp.dll
c:\windows\system32\_005959_.tmp.dll
c:\windows\system32\_005960_.tmp.dll
c:\windows\system32\_005961_.tmp.dll
c:\windows\system32\_005963_.tmp.dll
c:\windows\system32\_005964_.tmp.dll
c:\windows\system32\_005967_.tmp.dll
c:\windows\system32\_005968_.tmp.dll
c:\windows\system32\_005970_.tmp.dll
c:\windows\system32\_005971_.tmp.dll
c:\windows\system32\_005972_.tmp.dll
c:\windows\system32\_005974_.tmp.dll
c:\windows\system32\_005977_.tmp.dll
c:\windows\system32\_005978_.tmp.dll
c:\windows\system32\_005982_.tmp.dll
c:\windows\system32\_005983_.tmp.dll
c:\windows\system32\_005985_.tmp.dll
c:\windows\system32\_005988_.tmp.dll
c:\windows\system32\_005990_.tmp.dll
c:\windows\system32\_005991_.tmp.dll
c:\windows\system32\_005992_.tmp.dll
c:\windows\system32\_005993_.tmp.dll
c:\windows\system32\_005994_.tmp.dll
c:\windows\system32\_005997_.tmp.dll
c:\windows\system32\_005998_.tmp.dll
c:\windows\system32\_005999_.tmp.dll
c:\windows\system32\_006000_.tmp.dll
c:\windows\system32\_006001_.tmp.dll
c:\windows\system32\_006006_.tmp.dll
c:\windows\system32\_006008_.tmp.dll
c:\windows\system32\_006009_.tmp.dll
c:\windows\system32\comife.dll
c:\windows\system32\sqlkk.dll
c:\windows\system32\tmp.reg
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ZESOFT
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.
2009-01-27 19:54 . 2009-01-27 19:54 815 --a------ C:\rtsr_eml_sr.dat
2009-01-27 19:54 . 2009-01-27 19:54 132 --a------ C:\httpdwl.dat
2009-01-27 19:54 . 2009-01-27 19:54 128 --a------ C:\dwl.dat
2009-01-27 19:24 . 2009-01-27 19:24 16 --a------ C:\asdict.dat
2009-01-25 23:24 . 2009-01-25 23:24 <DIR> d-------- c:\program files\Sygate
2009-01-25 23:24 . 2004-10-15 18:32 83,096 --a------ c:\windows\SYSTEM32\SSSensor.dll
2009-01-25 23:24 . 2004-10-15 18:17 60,496 --a------ c:\windows\SYSTEM32\DRIVERS\Teefer.sys
2009-01-25 23:24 . 2004-10-15 18:18 21,075 --a------ c:\windows\SYSTEM32\DRIVERS\wpsdrvnt.sys
2009-01-25 23:24 . 2004-10-15 18:32 14,568 --a------ c:\windows\SYSTEM32\DRIVERS\wg6n.sys
2009-01-25 23:24 . 2004-10-15 18:32 14,568 --a------ c:\windows\SYSTEM32\DRIVERS\wg5n.sys
2009-01-25 23:24 . 2004-10-15 18:32 14,568 --a------ c:\windows\SYSTEM32\DRIVERS\wg4n.sys
2009-01-25 23:24 . 2004-10-15 18:32 14,568 --a------ c:\windows\SYSTEM32\DRIVERS\wg3n.sys
2009-01-25 23:23 . 2009-01-25 23:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-21 14:28 . 2009-01-21 14:28 578,560 --a--c--- c:\windows\SYSTEM32\DLLCACHE\user32.dll
2009-01-21 14:25 . 2009-01-21 14:25 <DIR> d-------- c:\windows\ERUNT
2009-01-21 14:18 . 2009-01-21 15:02 <DIR> d-------- C:\SDFix
2009-01-16 15:16 . 2004-05-04 11:53 1,645,320 --a------ c:\windows\gdiplus.dll
2009-01-16 15:16 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\SYSTEM32\wvc1dmod.dll
2009-01-16 15:16 . 2006-05-11 19:21 626,688 --a------ c:\windows\SYSTEM32\vp7vfw.dll
2009-01-16 15:16 . 2007-03-18 20:37 65,602 --a------ c:\windows\SYSTEM32\cook3260.dll
2009-01-16 14:28 . 2009-01-16 14:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 14:28 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-16 14:28 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-15 08:41 . 2009-01-15 08:41 127 --a------ c:\windows\SYSTEM32\MRT.INI
2009-01-12 09:17 . 2009-01-28 20:03 642 --a------ c:\windows\SYSTEM32\BDUpdateV1.xml
2009-01-06 09:30 . 2009-01-31 04:09 <DIR> d-------- c:\program files\eMule
2009-01-04 23:05 . 2005-03-11 18:37 1,986,560 --a------ c:\windows\SYSTEM32\AudFile.dll
2009-01-04 23:05 . 2005-02-24 13:11 1,212,416 --a------ c:\windows\SYSTEM32\AudioInfos.dll
2009-01-04 23:05 . 2005-02-24 12:51 348,160 --a------ c:\windows\SYSTEM32\WMAFile.dll
2009-01-04 23:05 . 1998-07-12 22:00 141,312 --a------ c:\windows\SYSTEM32\MSCMCFR.DLL
2009-01-04 23:05 . 2000-10-01 18:00 119,568 --a------ c:\windows\SYSTEM32\VB6FR.DLL
2009-01-04 23:05 . 2005-01-10 13:54 116,296 --a------ c:\windows\SYSTEM32\NCTWMAProfiles.prx
2009-01-04 23:05 . 2003-04-18 15:29 44,544 --a------ c:\windows\SYSTEM32\msxml4a.dll
2009-01-04 23:05 . 2003-01-26 12:41 40,960 --a------ c:\windows\SYSTEM32\SSubTmr6.dll
2009-01-04 23:05 . 1998-07-12 18:00 32,768 --a------ c:\windows\SYSTEM32\CMDLGFR.DLL
2009-01-04 23:05 . 1998-07-12 22:00 15,360 --a------ c:\windows\SYSTEM32\inetfr.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 19:17 81,984 ----a-w c:\windows\SYSTEM32\bdod.bin
2009-02-02 03:33 --------- d-----w c:\documents and settings\Terey\Application Data\Azureus
2009-02-02 03:19 --------- d-----w c:\documents and settings\Terey\Application Data\Vso
2009-01-29 00:12 --------- d-----w c:\program files\Vuze
2009-01-26 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-01-22 20:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 21:17 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-01-16 21:17 47,360 ----a-w c:\documents and settings\Terey\Application Data\pcouffin.sys
2009-01-16 21:16 --------- d-----w c:\program files\VSO
2009-01-15 15:20 242,184 ----a-w c:\windows\system32\drivers\bdfsfltr.sys
2008-12-31 15:52 --------- d-----w c:\program files\AC3Filter
2008-12-31 01:54 --------- d-----w c:\program files\DivX
2008-12-27 16:12 --------- d-----w c:\documents and settings\Terey\Application Data\Uniblue
2008-12-27 16:12 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-26 18:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-24 03:10 --------- d-----w c:\program files\Realtek
2008-12-24 03:09 --------- d-----w c:\documents and settings\Terey\Application Data\InstallShield
2008-12-22 03:14 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-12-22 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2008-12-22 02:36 --------- d-----w c:\program files\Common Files\BitDefender
2008-12-22 02:36 --------- d-----w c:\documents and settings\Terey\Application Data\BitDefender
2008-12-22 02:35 --------- d-----w c:\program files\BitDefender
2008-12-19 02:28 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-19 02:28 --------- d-----w c:\program files\Windows Live
2008-12-19 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-19 02:18 --------- d-----w c:\program files\Citrix
2008-12-18 23:58 --------- d-----w c:\documents and settings\Terey\Application Data\MSN6
2008-12-18 22:18 66,360 ----a-w c:\documents and settings\Terey\g2ax_customer_downloadhelper_win32_x86.exe
2008-12-17 06:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-16 23:59 66,360 ----a-w c:\documents and settings\Administrator.ROBERT\g2ax_customer_downloadhelper_win32_x86.exe
2008-12-15 22:31 --------- d-----w c:\program files\Windows Live Safety Center
2008-12-15 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\Applications
2008-12-14 00:27 --------- d-----w c:\program files\Ahead
2008-12-14 00:26 --------- d-----w c:\program files\Common Files\Ahead
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 00:20 --------- d-----w c:\documents and settings\Terey\Application Data\Malwarebytes
2008-12-06 00:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-21 21:47 524,288 ----a-w c:\windows\SYSTEM32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\SYSTEM32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w c:\windows\SYSTEM32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\SYSTEM32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\SYSTEM32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\SYSTEM32\DivXWMPExtType.dll
2006-11-02 15:18 81,920 ----a-w c:\documents and settings\Terey\Application Data\ezpinst.exe
2009-01-15 15:20 61,440 ----a-w c:\program files\mozilla firefox\components\FFComm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-01-26 741376]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-10-17 69632]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\SYSTEM32\Ati2mdxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-04-10 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ugorty.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Terey^Start Menu^Programs^Startup^Folding@home 4.00.lnk]
backup=c:\windows\pss\Folding@home 4.00.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2234:TCP"= 2234:TCP:soulseek
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [2007-03-16 2368]
R3 bdfm;BDFM;c:\windows\SYSTEM32\DRIVERS\bdfm.sys [2008-09-18 111112]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;c:\program files\Magix\samplitude7_pro\mxasio.sys [2004-04-21 4899]
S3 Perfdatr;Perfdatr;c:\windows\SYSTEM32\DRIVERS\ati2mtag.sys [2003-12-12 595456]
S3 ps_1394;ps_1394;c:\windows\SYSTEM32\DRIVERS\ps_1394.sys [2008-03-03 97152]
S3 ps_avs;ps_avs;c:\windows\SYSTEM32\DRIVERS\ps_avs.sys [2008-03-03 24576]
S4 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [2007-12-27 44928]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
2009-02-03 c:\windows\Tasks\vvculsjg.job
- c:\windows\system32\hgGabBrR.dll []
.
- - - - ORPHANS REMOVED - - - -
BHO-{2D87E553-BFA4-4923-949D-3F98214EFAF0} - (no file)
BHO-{559FF676-9B38-4FCF-A8EC-1C3D11444895} - (no file)
BHO-{6B7E770D-A4DD-4F62-BB43-AD6992763BF8} - (no file)
BHO-{cd7ce864-2e76-4227-b0d6-7dc347f93bd7} - (no file)
BHO-{DDFDD282-5BD1-41D5-A02E-AF61A2109543} - (no file)
BHO-{F58E9862-A2E1-46D0-9F43-A29A4FCE12A1} - c:\windows\system32\fccyaATN.dll
HKCU-Run-Sonic RecordNow! - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Terey\Application Data\Mozilla\Firefox\Profiles\8dexcyyk.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 13:20:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3111455903-2278412001-43774650-1007\Software\Corel\WordPerfect\11\Power Bar\Power Bar Last Selected - \
* |*]
"0ZapfEllipt BT"=hex(80000006):30
"1GoudyOlSt BT"=hex(80000006):30
"2BankGothic Md BT"=hex(80000006):30
"3@DotumChe"=hex(80000006):30
"4Benguiat Bk BT"=hex(80000006):30
"5Batang"=hex(80000006):30
[HKEY_USERS\S-1-5-21-3111455903-2278412001-43774650-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,e6,09,fc,77,0d,
78,99,70,c8,28,51,af,b0,29,a3,98,c4,f2,ff,fd,55,1e,83,a3,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,3a,47,fe,11,6f,
1f,69,c3,71,3b,04,66,8b,46,0d,96,4e,4c,02,d3,a8,2e,62,b4,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,64,de,3e,db,1d,
95,a3,94,25,da,ec,7e,55,20,c9,26,a6,5c,d3,ba,d4,13,73,f2,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,0f,78,3e,3f,8e,
58,1b,8c,3e,1e,9e,e0,57,5a,93,61,6a,6f,a2,cb,91,3b,76,ff,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,96,77,7a,11,3d,
9a,3d,48,cd,44,cd,b9,a6,33,6c,cd,41,4c,15,1b,00,da,08,f1,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,36,a0,29,b8,63,
b5,1e,62,b0,18,ed,a7,3f,8d,37,a4,9b,58,42,e9,3b,73,6e,e0,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,48,ff,96,a9,56,
68,3b,02,31,77,e1,ba,b1,f8,68,02,95,df,30,5c,9e,d4,03,f7,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,76,8d,c8,03,63,
4a,a4,57,83,6c,56,8b,a0,85,96,ab,a1,5a,cf,0b,8c,ae,7e,cb,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,62,d3,73,e9,ed,
7a,c3,21,51,fa,6e,91,28,9e,14,cc,f4,41,3a,df,2a,e0,fe,d7,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,bd,8d,4f,df,ca,
9b,f4,e8,b1,cd,45,5a,a8,c4,f8,b9,3a,66,e1,08,17,ca,dd,a3,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,6d,b3,5f,e3,fe,
a1,f2,5e,e3,0e,66,d5,eb,bc,2f,6b,55,92,17,2b,a9,5e,af,41,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,37,2e,3c,3a,45,
6c,84,87,fa,ea,66,7f,d4,3b,6b,70,de,75,87,6a,ba,de,0c,10,6c,43,2d,1e,aa,22,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\savedump.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\Sygate\SPF\Smc.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2009-02-03 13:23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-03 19:23:30
Pre-Run: 51,713,478,656 bytes free
Post-Run: 51,771,502,592 bytes free
380 --- E O F --- 2009-01-15 14:44:26
======================================================================================================================
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-03 14:19:48
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBAA3BB30]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xBAA3B6F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBAA3B470]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xA8863BCE]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xA8863CBC]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xBAA3BC50]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBAA3B990]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xA8863B32]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xBAA3BD60]
---- Kernel code sections - GMER 1.0.14 ----
PAGE CLASSPNP.SYS!ClassInitialize + F4 F765E42C 4 Bytes [ 56, 37, BA, 89 ]
PAGE CLASSPNP.SYS!ClassInitialize + FF F765E437 4 Bytes [ AC, F1, B9, 89 ]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F765E442 4 Bytes [ 68, 37, BA, 89 ]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F765E449 4 Bytes [ 5C, 37, BA, 89 ]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F765E450 4 Bytes [ 62, 37, BA, 89 ]
PAGE ...
.text tcpip.sys!IPTransmit + 10FC A9290D3A 6 Bytes CALL BAF1AE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 A9292690 6 Bytes CALL BAF1AE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 A92A8454 6 Bytes CALL BAF1AE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F750C3FD 7 Bytes CALL BAF1AFA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\Explorer.EXE[2544] ADVAPI32.dll!CryptDestroyKey 77DE9E9C 7 Bytes JMP 00FE2C73
.text C:\WINDOWS\Explorer.EXE[2544] ADVAPI32.dll!CryptDecrypt 77DEA109 7 Bytes JMP 00FE2C30
.text C:\WINDOWS\Explorer.EXE[2544] ADVAPI32.dll!CryptEncrypt 77DEE340 7 Bytes JMP 00FE2BF4
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FE2BD9
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FE2A65
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FE2B57
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FE2A9D
.text C:\WINDOWS\Explorer.EXE[2544] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FE2AD5
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3040] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BAF1BB10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BAF1B8E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BAF1BBD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BAF1BC70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
---- Devices - GMER 1.0.14 ----
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
Device \Driver\Cdrom \Device\CdRom0 89BA3756
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
Device \Driver\Disk \Device\Harddisk0\DR0 89BA3756
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \FileSystem\Fastfat \Fat kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Threads - GMER 1.0.14 ----
Thread 4:3392 89BE28D0
Thread 4:3396 89BCFBE0
Thread 4:3400 89C17D00
Thread 4:3324 89BB0110
---- Registry - GMER 1.0.14 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0xdf83cbd size 0x1fe
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.14 ----
========================================================================================================================
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0xdf83cbd size 0x1fe !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
===========================================================================================================================
DDS (Ver_09-01-19.01) - NTFSx86
Run by Terey at 14:42:16.14 on Tue 02/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2119 [GMT -6:00]
AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
FW: Sygate Personal Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Documents and Settings\Terey\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - No File
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15015/CTSUEng.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120083082046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129731338796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab31267.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15021/CTPID.cab
AppInit_DLLs: ugorty.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\terey\applic~1\mozilla\firefox\profiles\8dexcyyk.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
============= SERVICES / DRIVERS ===============
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-3-16 2368]
S3 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" --> c:\program files\a-squared free\a2service.exe [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;c:\program files\magix\samplitude7_pro\mxasio.sys [2004-4-21 4899]
S3 Perfdatr;Perfdatr;c:\windows\system32\drivers\ati2mtag.sys [2003-12-12 595456]
S3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2008-3-3 97152]
S3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2008-3-3 24576]
S4 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2007-12-27 44928]
S4 vsdatant;vsdatant; [x]
=============== Created Last 30 ================
2009-02-03 13:58 345 a------- c:\windows\gmer.ini
2009-01-27 19:54 815 a------- C:\rtsr_eml_sr.dat
2009-01-27 19:54 132 a------- C:\httpdwl.dat
2009-01-27 19:54 128 a------- C:\dwl.dat
2009-01-27 19:24 16 a------- C:\asdict.dat
2009-01-25 23:24 14,568 a------- c:\windows\system32\drivers\wg6n.sys
2009-01-25 23:24 14,568 a------- c:\windows\system32\drivers\wg5n.sys
2009-01-25 23:24 14,568 a------- c:\windows\system32\drivers\wg4n.sys
2009-01-25 23:24 14,568 a------- c:\windows\system32\drivers\wg3n.sys
2009-01-25 23:24 60,496 a------- c:\windows\system32\drivers\Teefer.sys
2009-01-25 23:24 21,075 a------- c:\windows\system32\drivers\wpsdrvnt.sys
2009-01-25 23:24 83,096 a------- c:\windows\system32\SSSensor.dll
2009-01-25 23:24 <DIR> --d----- c:\program files\Sygate
2009-01-25 23:23 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-21 14:28 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-21 14:25 <DIR> --d----- c:\windows\ERUNT
2009-01-21 14:18 <DIR> --d----- C:\SDFix
2009-01-16 15:16 1,645,320 a------- c:\windows\gdiplus.dll
2009-01-16 15:16 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-01-16 15:16 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-01-16 15:16 65,602 a------- c:\windows\system32\cook3260.dll
2009-01-16 14:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 14:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 14:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 08:41 127 a------- c:\windows\system32\MRT.INI
2009-01-12 09:17 642 a------- c:\windows\system32\BDUpdateV1.xml
2009-01-06 09:30 <DIR> --d----- c:\program files\eMule
2009-01-04 23:05 1,212,416 a------- c:\windows\system32\AudioInfos.dll
2009-01-04 23:05 348,160 a------- c:\windows\system32\WMAFile.dll
2009-01-04 23:05 116,296 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-01-04 23:05 1,986,560 a------- c:\windows\system32\AudFile.dll
2009-01-04 23:05 119,568 a------- c:\windows\system32\VB6FR.DLL
2009-01-04 23:05 40,960 a------- c:\windows\system32\SSubTmr6.dll
2009-01-04 23:05 15,360 a------- c:\windows\system32\inetfr.DLL
2009-01-04 23:05 141,312 a------- c:\windows\system32\MSCMCFR.DLL
2009-01-04 23:05 32,768 a------- c:\windows\system32\CMDLGFR.DLL
2009-01-04 23:05 44,544 a------- c:\windows\system32\msxml4a.dll
==================== Find3M ====================
2009-02-03 14:40 81,984 a------- c:\windows\system32\bdod.bin
2009-01-25 23:01 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-16 15:17 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-01-16 15:17 47,360 a------- c:\docume~1\terey\applic~1\pcouffin.sys
2009-01-15 09:20 242,184 a------- c:\windows\system32\drivers\bdfsfltr.sys
2008-12-21 21:38 88,901 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-18 16:18 66,360 a------- c:\documents and settings\terey\g2ax_customer_downloadhelper_win32_x86.exe
2008-12-16 23:27 23,348 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-21 15:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 15:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 15:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2006-11-02 09:18 81,920 a------- c:\docume~1\terey\applic~1\ezpinst.exe
============= FINISH: 14:42:54.87 ===============