
Redirects and some slowdown.


  • This topic is locked
19 replies to this topic

#1 snipersgethead

  • Members
  • 95 posts
  • Local time:02:18 AM

Posted 29 June 2009 - 06:37 PM

Hello BC users and mods, I've run into a problem that isn't a major/serious conflict or anything, but it is annoying. I knew I had a virus when some of my Google search links would be redirected to another search site. I ran NOD32's full scan and it was able to find 3 objects and removed all but one. Ran MBAM and SAS; everything seemed clear on their scans, but the problem persisted. The uncleaned object on NOD32 was a Win32/Rootkit.Agent.ODG trojan, and its location was not stated in the scan log; it just says it's in the operating memory. It is detected within seconds of me starting the scan. Then I downloaded AVG's Rootkit Remover (after installing NOD32 for it to run properly). Ran that twice, once in normal and again in safe mode (I also did all the scans again in safe mode), and it found a couple of objects. Kept running AVG, but it got to the point where the objects weren't going to be reduced any further. So I uninstalled AVG and reinstalled NOD32, and now I'm seeking and awaiting professional advice. Thank you for listening to my problem.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:26 PM, on 6/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Mason\Desktop\Power Center\pwcenter.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Power Center] C:\Documents and Settings\Mason\Desktop\Power Center\pwcenter.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 9312 bytes
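Reading a HijackThis log of this length by hand is slow, and the entries worth a second look are easy to miss among the vendor noise. The script below is an added example, not part of this thread and not code from HijackThis or BleepingComputer: it parses lines in the HijackThis 2.0.2 format shown above into records and applies a few defender-side triage rules of my own (an entry that HijackThis marks "(no file)", an O4 Run value that names a bare executable with no directory, an O4 value launching from a user profile directory, and an O23 service with no publisher string). The `Entry`, `parse_log` and `triage` names and the flag wording are my own; the sample lines are copied from the log above and labelled as a constructed subset, and the rules only mark entries for a human to review, they do not classify anything as malicious.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of lines from the log above, in HijackThis 2.0.2 format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Power Center] C:\Documents and Settings\Mason\Desktop\Power Center\pwcenter.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


@dataclass
class Entry:
    section: str                     # HijackThis section code: R0, O2, O4, O23, ...
    name: str                        # BHO name, Run value name, service name, ...
    target: Optional[str]            # image path / URL, or "(no file)" for an orphaned entry
    hive: Optional[str] = None       # HKLM / HKCU for O4 Run entries
    flags: List[str] = field(default_factory=list)   # triage notes for a human reviewer


LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")
IMAGE_RE = re.compile(r'^"?(?P<img>.*?\.exe)\b', re.IGNORECASE)


def image_from_command(cmd: str) -> str:
    """Strip surrounding quotes and trailing arguments from a Run-key command line."""
    m = IMAGE_RE.match(cmd)
    return m.group("img") if m else cmd.strip('"')


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry; non-entry lines (process list, header) give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec.startswith("R"):                       # R0/R1: registry value = URL
        name, _, value = body.partition(" = ")
        return Entry(sec, name, value or None)
    if sec == "O4":                               # Run keys; Startup folder lines fall through
        m4 = O4_RE.match(body)
        if m4:
            return Entry(sec, m4.group("name"), image_from_command(m4.group("cmd")),
                         hive=m4.group("hive"))
    if sec in ("O2", "O3", "O9", "O18"):          # CLSID-registered components
        mc = CLSID_RE.match(body)
        if mc:
            return Entry(sec, mc.group("name"), mc.group("target"))
    if sec == "O23":                              # services: name - publisher - image
        ms = O23_RE.match(body)
        if ms:
            e = Entry(sec, ms.group("name"), ms.group("target"))
            if ms.group("owner") == "Unknown owner":
                e.flags.append("service with no publisher string")
            return e
    return Entry(sec, body, None)                 # keep unparsed lines rather than drop them


def apply_flags(e: Entry) -> Entry:
    """Heuristic triage rules (my own, not HijackThis verdicts): mark entries for review."""
    if e.target == "(no file)":
        e.flags.append("orphaned entry: registered component is missing on disk")
    if e.section == "O4" and e.target:
        if "\\" not in e.target:
            e.flags.append("bare executable name: no directory given, resolved by search order at logon")
        if "\\documents and settings\\" in e.target.lower():
            e.flags.append("runs from a user profile directory")
    return e


def parse_log(text: str) -> List[Entry]:
    return [apply_flags(e) for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {e.name:<40} {e.target}\n     -> {'; '.join(e.flags)}")
```

On the sample subset the script marks five of the ten entries for review: the two "(no file)" entries, the `SkyTel` value (bare filename), the `Power Center` value launching from the Desktop, and the ACS service with no publisher. Unflagged entries are not cleared by this; the rules are a reading aid for a log reviewer, and the flagged entries are the ones whose on-disk file and publisher deserve a manual check (for example with a file-reputation lookup) before anything is removed.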


#2 Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:03:18 AM

Posted 03 July 2009 - 10:37 AM

Hi snipersgethead,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

#3 Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:03:18 AM

Posted 05 July 2009 - 05:39 AM

Hi snipersgethead,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

*******************************************

Please download GooredFix and save it to your Desktop.
Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

*******************************************

Please download the GMER application (gmer.zip, 450kB) from here: http://www.gmer.net

1. Save it to your desktop; it's a zip file.
2. Unzip it to your desktop to reveal a GMER.exe file.
3. Double click the GMER.exe file
4. Click the Rootkit tab and then click the Scan button.
5. IMPORTANT: Do NOT use the computer while the scan is in progress.
6. Please, do not select the "Show all" checkbox during the scan.
7. Once done, click the Copy button. This will copy the results to your clipboard.
8. Paste the results in your next reply.

#4 snipersgethead
  • Topic Starter

  • Members
  • 95 posts
  • Local time:02:18 AM

Posted 07 July 2009 - 02:07 PM

Thank you for adhering to my problem, I really appreciate it. Sorry for my late response because I've been out of town. Just an FYI, I used GooredFix but it didn't give me any options at all. It just told me it would find and delete malicious items on my computer.

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
ESETNOD32Antivirus
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

AOL Spyware Protection
SUPERAntiSpyware Free Edition
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 14
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

ESET ESET NOD32 Antivirus ekrn.exe
ESET ESET NOD32 Antivirus egui.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took 18 seconds.
`````````End of Log```````````



GooredFix by jpshortstuff (03.07.09)
Log created at 19:59 on 05/07/2009 (Mason)
Firefox version 3.0.11 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:40 28/04/2009]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [21:47 29/04/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [22:26 30/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [02:08 30/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:26 30/04/2009]

-=E.O.F=-



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-07 14:06:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8532B630 ZwAssignProcessToJobObject
SSDT sphu.sys ZwCreateKey [0xF76C30E0]
SSDT sphu.sys ZwEnumerateKey [0xF76E1CA4]
SSDT sphu.sys ZwEnumerateValueKey [0xF76E2032]
SSDT sphu.sys ZwOpenKey [0xF76C30C0]
SSDT 8532AA60 ZwOpenProcess
SSDT 8532AE80 ZwOpenThread
SSDT sphu.sys ZwQueryKey [0xF76E210A]
SSDT sphu.sys ZwQueryValueKey [0xF76E1F8A]
SSDT sphu.sys ZwSetValueKey [0xF76E219C]
SSDT 8532B460 ZwSuspendProcess
SSDT 8532B280 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE4F5DF0]
SSDT 8532B0B0 ZwTerminateThread

INT 0x63 ? 85B70BF8
INT 0x82 ? 85B6DBF8
INT 0x83 ? 85B6DBF8
INT 0x94 ? 85A60E98
INT 0x94 ? 85A60E98
INT 0x94 ? 85A60E98
INT 0x94 ? 85A60E98

---- Kernel code sections - GMER 1.0.15 ----

? sphu.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6ED68AC 5 Bytes JMP 85A60478
.text a9vcok5i.SYS F6DC8384 1 Byte [20]
.text a9vcok5i.SYS F6DC8384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text a9vcok5i.SYS F6DC83AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text a9vcok5i.SYS F6DC83C4 3 Bytes [00, 00, 00]
.text a9vcok5i.SYS F6DC83C9 1 Byte [00]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1944] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 85B702D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F76F4C4C] sphu.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76F4CA0] sphu.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F76C4042] sphu.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F76C413E] sphu.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F76C40C0] sphu.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F76C4800] sphu.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F76C46D6] sphu.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 85A60578
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F76D3E9C] sphu.sys
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlInitUnicodeString] 0000004C
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!swprintf] 00000095
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeSetEvent] 0000000B
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 00000042
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 000000FA
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 000000C3
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmFreeMappingAddress] 0000004E
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 00000008
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 0000002E
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmUnmapIoSpace] 000000A1
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 00000066
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IofCompleteRequest] 00000028
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 000000D9
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IofCallDriver] 00000024
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 000000B2
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 00000076
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoConnectInterrupt] 0000005B
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoDetachDevice] 000000A2
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeWaitForSingleObject] 00000049
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeInitializeEvent] 0000006D
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeCancelTimer] 0000008B
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 000000D1
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlInitAnsiString] 00000025
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 00000072
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoQueueWorkItem] 000000F8
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmMapIoSpace] 000000F6
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 00000064
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoReportDetectedDevice] 00000086
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoReportResourceForDetection] 00000068
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 00000098
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!NlsMbCodePageTag] 00000016
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!PoRequestPowerIrp] 000000D4
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 000000A4
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 0000005C
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!sprintf] 000000CC
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 0000005D
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ObfDereferenceObject] 00000065
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 000000B6
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 00000092
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ZwClose] 0000006C
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 00000070
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 00000048
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 00000050
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 000000FD
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoCreateDevice] 000000ED
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 000000B9
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 000000DA
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 0000005E
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ZwOpenKey] 00000015
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 00000046
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoStartTimer] 00000057
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeInitializeTimer] 000000A7
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoInitializeTimer] 0000008D
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeInitializeDpc] 0000009D
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeInitializeSpinLock] 00000084
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoInitializeIrp] 00000090
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ZwCreateKey] 000000D8
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 000000AB
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 00000000
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ZwSetValueKey] 0000008C
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000BC
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 000000D3
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoStartPacket] 0000000A
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 000000F7
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 000000E4
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoFreeMdl] 00000058
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmUnlockPages] 00000005
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 000000B8
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 000000B3
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 00000045
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 00000006
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeSynchronizeExecution] 000000D0
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoStartNextPacket] 0000002C
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeBugCheckEx] 0000001E
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 0000008F
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeSetTimer] 000000CA
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!_allmul] 0000003F
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmProbeAndLockPages] 0000000F
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!_except_handler3] 00000002
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!PoSetPowerState] 000000C1
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000AF
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000BD
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 00000003
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!_aulldiv] 00000001
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!strstr] 00000013
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!_strupr] 0000008A
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeQuerySystemTime] 0000006B
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 0000003A
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!KeTickCount] 00000091
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00000011
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoDeleteDevice] 00000041
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 0000004F
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000067
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoAllocateIrp] 000000DC
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoAllocateMdl] 000000EA
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 00000097
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmLockPagableDataSection] 000000F2
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 000000CF
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 000000CE
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!ExFreePoolWithTag] 000000F0
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoFreeIrp] 000000B4
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!IoFreeWorkItem] 000000E6
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!InitSafeBootMode] 00000073
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!RtlCompareMemory] 00000096
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!PoCallDriver] 000000AC
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!memmove] 00000074
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[ntoskrnl.exe!MmHighestUserAddress] 00000022
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!READ_PORT_UCHAR] 0000008E
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!KeGetCurrentIrql] 00000043
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!KfRaiseIrql] 00000044
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!KfLowerIrql] 000000C4
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!HalGetInterruptVector] 000000DE
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!HalTranslateBusAddress] 000000E9
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!KeStallExecutionProcessor] 000000CB
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!KfReleaseSpinLock] 00000054
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0000007B
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!READ_PORT_USHORT] 00000094
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000032
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[HAL.dll!WRITE_PORT_UCHAR] 000000A6
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[WMILIB.SYS!WmiSystemControl] 00000023
IAT \SystemRoot\System32\Drivers\a9vcok5i.SYS[WMILIB.SYS!WmiCompleteRequest] 0000003D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00BE7D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1784] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [00BE7CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85B6C1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Udfs \UdfsCdRom 851021F8
Device \FileSystem\Udfs \UdfsDisk 851021F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbohci \Device\USBPDO-0 85A001F8
Device \Driver\usbohci \Device\USBPDO-1 85A001F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 85BDA1F8
Device \Driver\dmio \Device\DmControl\DmConfig 85BDA1F8
Device \Driver\dmio \Device\DmControl\DmPnP 85BDA1F8
Device \Driver\dmio \Device\DmControl\DmInfo 85BDA1F8
Device \Driver\usbehci \Device\USBPDO-2 859D91F8
Device \Driver\PCI_PNP0618 \Device\00000053 sphu.sys
Device \Driver\PCI_PNP0618 \Device\00000053 sphu.sys

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\NetBT \Device\NetBT_Tcpip_{CA6A038E-D080-4FE7-A9B6-20C35A9C92CD} 8538B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 85B6E1F8
Device \Driver\Cdrom \Device\CdRom0 859AA1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 85B6E1F8
Device \Driver\Cdrom \Device\CdRom1 859AA1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8538B1F8
Device \Driver\NetBT \Device\NetbiosSmb 8538B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{446203C9-E593-4F9C-837B-960AF17881CE} 8538B1F8
Device \Driver\usbohci \Device\USBFDO-0 85A001F8
Device \Driver\usbohci \Device\USBFDO-1 85A001F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8531A1F8
Device \Driver\usbehci \Device\USBFDO-2 859D91F8
Device \Driver\sptd \Device\3699099368 sphu.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8531A1F8
Device \Driver\Ftdisk \Device\FtControl 85B6E1F8
Device \Driver\a9vcok5i \Device\Scsi\a9vcok5i1Port4Path0Target0Lun0 859711F8
Device \Driver\a9vcok5i \Device\Scsi\a9vcok5i1 859711F8
Device \FileSystem\Cdfs \Cdfs 85717500

---- Threads - GMER 1.0.15 ----

Thread System [4:376] 85329790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD8 0x69 0x37 0x95 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0x0A 0xA0 0x17 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA2 0x29 0x65 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD8 0x69 0x37 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0x0A 0xA0 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x88 0x88 0x97 0x35 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD8 0x69 0x37 0x95 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0x0A 0xA0 0x17 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x88 0x88 0x97 0x35 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

---- EOF - GMER 1.0.15 ----

#5 Judicandus
  • Bleepin' Pasta
  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:03:18 AM

Posted 11 July 2009 - 02:29 PM

Hi snipersgethead,

You have an outdated version of Java installed. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older-version Java components.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove the following older version of Java:
    Java 6 Update 7
  • Click the Remove or Change/Remove button.
  • Reboot your computer once all Java components are removed.
*******************************************

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the following site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the following file:

C:\WINDOWS\System32\Drivers\a9vcok5i.SYS

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the following files:

C:\WINDOWS\System32\Drivers\sphu.SYS (Note: Might not exist)

Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.

*******************************************

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.
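As an added example (not code from this thread or from GMER), here is a small Python triage helper for the "Devices" section of the GMER log posted above. It assumes the line format shown there, constructs its own sample lines from that log, and flags the same two driver files this post asks to have checked at VirusTotal: a resolved driver file with no vendor description, and a driver object whose name looks generated.

```python
"""Triage helper for the "Devices" section of a GMER log (added example).

Parses lines in the format GMER printed above and lists the driver files a
responder would verify by hand: resolved driver files without a vendor
description, and driver objects whose names look machine-generated.
The sample block below is constructed from the thread's log lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes handled:
#   Device \Driver\sptd \Device\3699099368 sphu.sys
#   AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
#   Device \Driver\Cdrom \Device\CdRom0 859AA1F8   (no file resolved, address only)
DEVICE_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+"
    r"(?P<driver>\\\S+)\s+"   # driver object, e.g. \Driver\sptd
    r"(?P<device>\\\S+)\s+"   # device object, e.g. \Device\CdRom0
    r"(?P<rest>.*)$"          # driver file + optional "(description/vendor)", or an address
)
ADDRESS_RE = re.compile(r"^[0-9A-F]{8}$")
FILE_RE = re.compile(r"^(?P<file>\S+\.sys)(?:\s+\((?P<vendor>.*)\))?$", re.IGNORECASE)
# Eight lowercase letters/digits with at least one digit (e.g. a9vcok5i) is the
# shape of generated driver names. sptd/DAEMON Tools generates such names too,
# so a match is a reason to verify the file, not a verdict.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{8}$")


@dataclass
class DeviceEntry:
    kind: str
    driver_object: str
    device_object: str
    driver_file: Optional[str]  # .sys file GMER resolved, if any
    vendor: Optional[str]       # text in parentheses, if any
    address: Optional[str]      # kernel address when no file was resolved

    @property
    def driver_name(self) -> str:
        return self.driver_object.rsplit("\\", 1)[-1]


def parse_device_line(line: str) -> Optional[DeviceEntry]:
    """Parse one Device/AttachedDevice line; return None for any other line."""
    m = DEVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    driver_file = vendor = address = None
    if ADDRESS_RE.match(rest):
        address = rest
    else:
        fm = FILE_RE.match(rest)
        if fm:
            driver_file, vendor = fm.group("file"), fm.group("vendor")
    return DeviceEntry(m.group("kind"), m.group("driver"), m.group("device"),
                       driver_file, vendor, address)


def parse_devices_section(text: str) -> List[DeviceEntry]:
    return [e for e in map(parse_device_line, text.splitlines()) if e]


def needs_verification(entry: DeviceEntry) -> List[str]:
    """Reasons (possibly none) this entry should be checked by hand."""
    reasons = []
    if entry.driver_file and not entry.vendor:
        reasons.append(f"{entry.driver_file} carries no vendor description")
    if RANDOM_NAME_RE.match(entry.driver_name):
        reasons.append(f"driver object name {entry.driver_name!r} looks generated")
    return reasons


def files_to_check(entries: List[DeviceEntry]) -> List[str]:
    """Unique driver file names to submit for analysis, in log order.
    An unresolved driver is assumed to live in <driver object name>.sys."""
    names: List[str] = []
    for e in entries:
        if needs_verification(e):
            name = e.driver_file or e.driver_name + ".sys"
            if name.lower() not in (n.lower() for n in names):
                names.append(name)
    return names


# Constructed sample: a subset of the Devices section shown in the thread.
SAMPLE_DEVICES = r"""
---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85B6C1F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\PCI_PNP0618 \Device\00000053 sphu.sys
Device \Driver\Cdrom \Device\CdRom0 859AA1F8
Device \Driver\sptd \Device\3699099368 sphu.sys
Device \Driver\a9vcok5i \Device\Scsi\a9vcok5i1 859711F8
"""

if __name__ == "__main__":
    found = parse_devices_section(SAMPLE_DEVICES)
    for entry in found:
        for reason in needs_verification(entry):
            print(f"{entry.driver_object}: {reason}")
    print("files to check:", files_to_check(found))
```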

#6 Judicandus
  • Bleepin' Pasta
  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:03:18 AM

Posted 16 July 2009 - 05:04 AM

Hi snipersgethead,

Are you still following this thread?

#7 snipersgethead
  • Topic Starter
  • Members
  • 95 posts
  • Local time:02:18 AM

Posted 17 July 2009 - 08:51 PM

Yes I am, so sorry. I'm in the middle of remodeling my kitchen and I've been helping out the guy I hired with the labor. I will try to go through the steps you gave me tomorrow because right now I'm extremely exhausted. Again, I'm truly sorry for hindering your time and effort.

#8 snipersgethead
  • Topic Starter
  • Members
  • 95 posts
  • Local time:02:18 AM

Posted 18 July 2009 - 03:20 PM

I unhid all the hidden files and extensions but both were non-existent when I browsed and typed them into Virus Total.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 18, 2009 18:24:18
Records in database: 2489520
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 85665
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:31:30


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: Hoax.Win32.Renos.vcev 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hjgruiwgrhnkea.sys.vir Infected: Rootkit.Win32.Agent.mdu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiswgrujsk.dll.vir Infected: Rootkit.Win32.Agent.mdt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruivphvwult.dll.vir Infected: Trojan.Win32.Monder.cqbi 1

The selected area was scanned.

#9 Judicandus
  • Bleepin' Pasta
  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:03:18 AM

Posted 20 July 2009 - 08:21 AM

Hi snipersgethead,

We need to disable Nod32.
Please navigate to the system tray on the bottom right hand corner and look for the NOD32 tray icon.

* click it -> click on the "quit" button.
* a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.

You successfully disabled the NOD32 Guard.

*******************************************

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#10 snipersgethead
  • Topic Starter
  • Members
  • 95 posts
  • Local time:02:18 AM

Posted 21 July 2009 - 08:13 AM

I think you're talking about either an older or newer version of NOD32 because this one doesn't have the "Quit" option. I have NOD32 4.0; there is the option to Disable Real-Time Protection and Disable Antivirus and antispyware protection, but I believe the core NOD32 program is still running, just without those processes.

Also, I just want this to be specified: should I run ComboFix in safe mode or normal mode?

#11 Judicandus
  • Bleepin' Pasta
  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:03:18 AM

Posted 21 July 2009 - 08:17 AM

Hi snipersgethead,

Please disable NOD32.

Then run Combofix in normal mode.

#12 snipersgethead
  • Topic Starter
  • Members
  • 95 posts
  • Local time:02:18 AM

Posted 22 July 2009 - 06:22 PM

ComboFix 09-07-22.01 - Mason 07/22/2009 17:24.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.502 [GMT -5:00]
Running from: c:\documents and settings\Mason\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

.
((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-22 19:42 . 2009-07-22 19:42 -------- d-----w- c:\windows\LastGood
2009-07-22 19:41 . 2003-03-19 06:20 1060864 ----a-w- c:\windows\system32\mfc71.dll
2009-07-22 19:41 . 2006-04-29 19:25 40960 ----a-w- c:\windows\system32\psfind.dll
2009-07-22 19:34 . 2009-07-22 19:34 -------- d-----w- c:\program files\THQ
2009-07-15 21:17 . 2009-07-15 21:17 -------- d-----w- c:\documents and settings\Mason\DesktoLA
2009-07-14 20:02 . 2005-03-10 01:50 19456 ----a-w- c:\windows\system32\libusbd-9x.exe
2009-07-14 20:02 . 2005-03-10 01:50 18944 ----a-w- c:\windows\system32\libusbd-nt.exe
2009-07-14 20:02 . 2005-03-10 01:50 33792 ----a-w- c:\windows\system32\drivers\libusb0.sys
2009-07-14 20:02 . 2005-03-10 01:50 46592 ----a-w- c:\windows\system32\libusb0.dll
2009-07-14 20:02 . 2009-07-14 20:02 -------- d-----w- c:\program files\LibUSB-Win32-0.1.10.1
2009-07-11 18:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-08 03:44 . 2009-07-08 03:45 -------- d-----w- c:\program files\Unlocker
2009-07-01 05:42 . 2009-07-01 05:45 -------- d-----w- C:\Restoration
2009-06-30 02:06 . 2009-06-30 02:06 152576 ----a-w- c:\documents and settings\Mason\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-29 18:32 . 2009-06-29 21:03 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-29 18:11 . 2009-06-29 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-06-29 18:08 . 2009-06-29 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-29 05:19 . 2009-06-29 05:19 -------- d-----w- c:\documents and settings\Mason\DoctorWeb
2009-06-27 16:06 . 2009-06-27 16:06 -------- d-----w- c:\documents and settings\Mason\Local Settings\Application Data\Wide Angle Software
2009-06-27 16:05 . 2009-06-27 16:05 -------- d-----w- c:\program files\Wide Angle Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 19:34 . 2006-07-18 03:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-20 00:27 . 2006-07-18 03:46 43592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 03:23 . 2009-05-02 01:01 -------- d-----w- c:\documents and settings\Mason\Application Data\FrostWire
2009-07-15 03:02 . 2009-04-28 20:30 117760 ----a-w- c:\documents and settings\Mason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-14 22:02 . 2009-06-15 05:10 -------- d--h--w- c:\program files\lilith
2009-07-13 20:50 . 2009-05-30 03:37 -------- d-----w- c:\program files\SWAT 4
2009-07-12 23:28 . 2009-06-15 01:23 29926 ----a-r- c:\documents and settings\Mason\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_18be6784.exe
2009-07-12 23:28 . 2009-06-15 01:23 29422 ----a-r- c:\documents and settings\Mason\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_294823.exe
2009-07-12 06:47 . 2006-07-18 05:06 -------- d-----w- c:\program files\Java
2009-07-01 05:40 . 2009-05-01 00:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-16 23:55 . 2006-07-18 03:04 87931 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-16 23:06 . 2009-04-28 20:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-16 14:36 . 2006-07-18 02:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-07-18 02:35 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 22:16 . 2009-06-14 22:16 -------- d-----w- c:\program files\Intelore
2009-06-03 19:09 . 2006-07-18 02:36 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 01:42 . 2009-06-03 01:42 -------- d-----w- c:\program files\7-Zip
2009-06-01 22:19 . 2009-06-01 22:19 -------- d-----w- c:\program files\EA GAMES
2009-06-01 03:07 . 2009-06-01 03:07 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2009-05-30 03:36 . 2009-05-30 03:16 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-05-30 03:35 . 2009-05-30 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-05-30 03:30 . 2009-05-30 03:10 -------- d-----w- c:\documents and settings\Mason\Application Data\DAEMON Tools Pro
2009-05-30 03:27 . 2009-04-30 22:31 -------- d-----w- c:\documents and settings\Mason\Application Data\uTorrent
2009-05-30 03:10 . 2009-05-30 03:10 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-29 01:36 . 2009-05-24 22:14 -------- d-----w- c:\documents and settings\Mason\Application Data\vlc
2009-05-26 01:48 . 2009-05-26 01:48 -------- d-----w- c:\documents and settings\Mason\Application Data\Red Kawa
2009-05-25 13:59 . 2009-05-25 13:59 -------- d-----w- c:\program files\Red Kawa
2009-05-24 22:13 . 2009-05-24 22:13 -------- d-----w- c:\program files\VideoLAN
2009-05-21 16:33 . 2009-04-30 22:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-09 02:31 . 2009-05-09 02:31 207872 ----a-w- c:\documents and settings\Mason\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-05-09 02:31 . 2009-05-09 02:31 207872 ----a-w- c:\documents and settings\Mason\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-05-09 02:31 . 2009-05-09 02:31 207872 ----a-w- c:\documents and settings\Mason\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-05-09 02:31 . 2009-05-09 02:31 207872 ----a-w- c:\documents and settings\Mason\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-05-07 15:32 . 2006-07-18 02:36 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 01:15 . 2009-05-02 01:15 0 ----a-w- c:\documents and settings\Mason\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-04-30 22:25 . 2009-04-30 22:25 152576 ----a-w- c:\documents and settings\Mason\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-29 04:46 . 2006-07-18 02:36 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2006-07-18 02:36 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 06:30 . 2009-04-28 06:28 128 ----a-w- c:\documents and settings\Mason\Local Settings\Application Data\fusioncache.dat
2009-04-28 06:26 . 2009-04-28 06:26 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-04-28 05:02 . 2009-04-28 04:44 31616000 ----a-w- C:\eav_nt32_enu.msi
2009-06-15 01:55 . 2009-04-28 04:40 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_23.00.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 07:19 . 2009-07-12 07:19 16384 c:\windows\temp\Perflib_Perfdata_7e4.dat
- 2009-05-16 04:06 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2009-05-16 04:06 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
- 2006-07-18 03:08 . 2009-06-29 22:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-07-18 03:08 . 2009-07-01 03:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-07-18 03:08 . 2009-06-29 22:33 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-07-18 03:08 . 2009-07-01 03:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-07-18 17:10 . 2006-07-18 17:10 82944 c:\windows\Installer\54233.msi
+ 2006-07-18 02:40 . 2004-08-10 12:00 66048 c:\windows\I386\WINNT32.MSI
+ 2006-07-18 02:41 . 2004-08-04 12:00 185856 c:\windows\VALUEADD\MSFT\MGMT\WBEMODBC\WBEMODBC.MSI
+ 2009-07-01 03:44 . 2009-07-01 03:45 190412 c:\windows\system32\Restore\rstrlog.dat
- 2009-04-30 22:26 . 2009-04-30 22:26 148888 c:\windows\system32\javaws.exe
+ 2009-06-30 02:08 . 2009-05-21 16:34 148888 c:\windows\system32\javaws.exe
- 2009-04-30 22:26 . 2009-04-30 22:26 144792 c:\windows\system32\javaw.exe
+ 2009-06-30 02:08 . 2009-05-21 16:34 144792 c:\windows\system32\javaw.exe
- 2009-04-30 22:26 . 2009-04-30 22:26 144792 c:\windows\system32\java.exe
+ 2009-06-30 02:08 . 2009-05-21 16:34 144792 c:\windows\system32\java.exe
- 2006-07-17 19:55 . 2009-06-24 18:01 165912 c:\windows\system32\FNTCACHE.DAT
+ 2006-07-17 19:55 . 2009-07-15 00:31 165912 c:\windows\system32\FNTCACHE.DAT
+ 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
- 2009-04-28 06:27 . 2009-04-28 06:21 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-04-28 06:27 . 2009-06-30 02:08 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2006-07-18 02:41 . 2004-08-04 12:00 219648 c:\windows\SUPPORT\TOOLS\SUPTOOLS.MSI
+ 2009-05-01 01:31 . 2004-08-10 12:00 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
+ 2009-05-01 01:31 . 2004-08-10 12:00 863232 c:\windows\ServicePackFiles\i386\digopt.msi
+ 2009-06-15 01:23 . 2009-06-15 01:23 409600 c:\windows\Installer\c7e2cfb.msi
+ 2006-08-17 17:08 . 2006-08-17 17:08 246784 c:\windows\Installer\7d4c4.msi
+ 2009-04-30 22:26 . 2009-04-30 22:26 598016 c:\windows\Installer\6e688d.msi
+ 2006-07-18 04:42 . 2006-07-18 04:42 333824 c:\windows\Installer\3a9a4.msi
+ 2006-08-10 21:15 . 2006-08-10 21:15 200704 c:\windows\Installer\37e54.msi
+ 2006-07-18 05:06 . 2006-07-18 05:06 221184 c:\windows\Installer\350fa.msi
+ 2009-05-01 11:38 . 2009-05-01 11:38 432640 c:\windows\Installer\34348f7.msi
+ 2006-08-10 21:22 . 2006-08-10 21:22 955904 c:\windows\Installer\231d8.msi
+ 2009-06-29 07:56 . 2009-06-29 07:56 337408 c:\windows\Installer\16445c21.msi
+ 2006-07-18 03:10 . 2006-07-18 03:10 264704 c:\windows\Installer\1348c.msi
+ 2006-07-18 02:36 . 2004-08-10 12:00 1326080 c:\windows\system32\webfldrs.msi
+ 2008-12-20 22:14 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2009-07-22 19:42 . 2005-07-23 00:59 2319568 c:\windows\system32\d3dx9_27.dll
+ 2009-05-01 01:34 . 2004-08-10 12:00 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2009-05-01 01:32 . 2004-08-10 12:00 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
+ 2007-05-25 17:08 . 2007-05-25 17:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2009-06-27 16:06 . 2009-06-27 16:06 1756672 c:\windows\Installer\db787cb.msi
+ 2009-05-13 11:50 . 2009-05-13 11:50 1129472 c:\windows\Installer\91738.msi
+ 2006-07-19 17:19 . 2006-07-19 17:19 1670656 c:\windows\Installer\75b12.msi
+ 2006-07-18 17:09 . 2006-07-18 17:09 4716032 c:\windows\Installer\5422c.msi
+ 2006-07-18 17:07 . 2006-07-18 17:07 4537344 c:\windows\Installer\54220.msi
+ 2009-05-16 06:15 . 2009-05-16 06:15 3966976 c:\windows\Installer\4da51.msi
+ 2009-05-16 06:13 . 2009-05-16 06:13 8992256 c:\windows\Installer\4da4d.msi
+ 2009-05-16 06:12 . 2009-05-16 06:12 1549312 c:\windows\Installer\4da48.msi
+ 2009-05-16 06:12 . 2009-05-16 06:12 3293696 c:\windows\Installer\4da43.msi
+ 2006-07-18 04:49 . 2006-07-18 04:49 2135552 c:\windows\Installer\3a9ae.msi
+ 2009-04-28 20:25 . 2009-04-28 20:25 1516544 c:\windows\Installer\36c36fc.msi
+ 2006-07-18 05:08 . 2006-07-18 05:08 1048576 c:\windows\Installer\35101.msi
+ 2006-07-18 05:05 . 2006-07-18 05:05 2727936 c:\windows\Installer\350f3.msi
+ 2006-07-18 03:13 . 2006-07-18 03:13 3443712 c:\windows\Installer\304ba.msi
+ 2006-07-18 04:23 . 2006-07-18 04:23 2109440 c:\windows\Installer\1bc65.msi
+ 2009-05-07 00:25 . 2009-05-07 00:25 1659392 c:\windows\Installer\198297aa.msi
+ 2006-07-18 03:12 . 2006-07-18 03:12 1703936 c:\windows\Installer\13493.msi
+ 2006-07-18 03:21 . 2006-07-18 03:21 5864960 c:\windows\Installer\133c3.msp
+ 2006-08-17 17:12 . 2006-06-22 22:49 16865792 c:\windows\Wild\mce_console_toshiba.msi
+ 2009-05-15 00:01 . 2009-07-07 15:10 24539592 c:\windows\system32\MRT.exe
+ 2009-04-28 06:27 . 2006-07-18 05:05 12125696 c:\windows\system32\config\systemprofile\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}\J2SE Runtime Environment 5.0 Update 6.msi
+ 2005-09-23 14:48 . 2005-09-23 14:48 24863744 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\netfx.msi
+ 2009-04-30 12:54 . 2009-04-30 12:54 15256576 c:\windows\Installer\5219705.msp
+ 2006-07-18 03:13 . 2006-07-18 03:13 19204096 c:\windows\Installer\407a7.msp
+ 2006-08-10 18:17 . 2006-08-10 18:17 13135872 c:\windows\Installer\21a40.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-16 1830128]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-07-25 364544]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"Power Center"="c:\documents and settings\Mason\Desktop\Power Center\pwcenter.EXE" [2001-07-27 126976]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"NDSTray.exe"="NDSTray.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-08-24 16050688]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\Mason\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-9-3 114688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-7-17 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1153241354\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/11/2009 6:44 AM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/11/2009 6:44 AM 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [7/14/2009 3:02 PM 33792]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\Mason\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Mason\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
yapnnnxo
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mason\Application Data\Mozilla\Firefox\Profiles\fgwyl9au.default\
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4102350338-3734851036-1402777801-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\000\[T_000^m*n0qgN00000^]
"Order"=hex:08,00,00,00,02,00,00,00,16,01,00,00,01,00,00,00,02,00,00,00,7c,00,
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,32,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-22 17:31
ComboFix-quarantined-files.txt 2009-07-22 22:31
ComboFix2.txt 2009-07-11 18:58
ComboFix3.txt 2009-07-01 03:43
ComboFix4.txt 2009-06-29 23:04

Pre-Run: 27,370,434,560 bytes free
Post-Run: 28,007,567,360 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
287 --- E O F --- 2009-07-15 00:50

#13 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:03:18 AM

Posted 27 July 2009 - 02:14 AM

Hi snipersgethead,

We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
yapnnnxo

NetSvc::
yapnnnxo


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#14 snipersgethead

  • Topic Starter
  • Members
  • 95 posts
  • Local time:02:18 AM

Posted 02 August 2009 - 01:54 PM

ComboFix 09-07-31.02 - Mason 07/31/2009 19:05.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.579 [GMT -5:00]
Running from: c:\documents and settings\Mason\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mason\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\run.log

.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-26 13:16 . 2009-07-26 13:16 -------- d--h--w- C:\asiopdhpioashfp
2009-07-22 19:41 . 2003-03-19 06:20 1060864 ----a-w- c:\windows\system32\mfc71.dll
2009-07-22 19:41 . 2006-04-29 19:25 40960 ----a-w- c:\windows\system32\psfind.dll
2009-07-22 19:34 . 2009-07-22 19:34 -------- d-----w- c:\program files\THQ
2009-07-15 21:17 . 2009-07-15 21:17 -------- d-----w- c:\documents and settings\Mason\DesktoLA
2009-07-14 20:02 . 2005-03-10 01:50 19456 ----a-w- c:\windows\system32\libusbd-9x.exe
2009-07-14 20:02 . 2005-03-10 01:50 18944 ----a-w- c:\windows\system32\libusbd-nt.exe
2009-07-14 20:02 . 2005-03-10 01:50 33792 ----a-w- c:\windows\system32\drivers\libusb0.sys
2009-07-14 20:02 . 2005-03-10 01:50 46592 ----a-w- c:\windows\system32\libusb0.dll
2009-07-14 20:02 . 2009-07-14 20:02 -------- d-----w- c:\program files\LibUSB-Win32-0.1.10.1
2009-07-11 18:56 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-08 03:44 . 2009-07-24 05:44 -------- d-----w- c:\program files\Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 23:31 . 2009-07-31 23:31 1198215 ----a-w- c:\windows\system32\xa.tmp
2009-07-31 14:59 . 2009-05-02 01:01 -------- d-----w- c:\documents and settings\Mason\Application Data\FrostWire
2009-07-31 14:51 . 2009-04-28 20:30 117760 ----a-w- c:\documents and settings\Mason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-26 02:50 . 2009-06-15 01:23 29926 ----a-r- c:\documents and settings\Mason\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_18be6784.exe
2009-07-26 02:50 . 2009-06-15 01:23 29422 ----a-r- c:\documents and settings\Mason\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_294823.exe
2009-07-22 19:34 . 2006-07-18 03:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-20 00:27 . 2006-07-18 03:46 43592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-14 22:02 . 2009-06-15 05:10 -------- d--h--w- c:\program files\lilith
2009-07-13 20:50 . 2009-05-30 03:37 -------- d-----w- c:\program files\SWAT 4
2009-07-12 06:47 . 2006-07-18 05:06 -------- d-----w- c:\program files\Java
2009-07-01 05:40 . 2009-05-01 00:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-30 02:06 . 2009-06-30 02:06 152576 ----a-w- c:\documents and settings\Mason\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-29 22:32 . 2009-06-29 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-29 18:11 . 2009-06-29 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-06-27 16:05 . 2009-06-27 16:05 -------- d-----w- c:\program files\Wide Angle Software
2009-06-26 16:50 . 2006-07-18 02:36 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2006-07-18 02:36 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 23:55 . 2006-07-18 03:04 87931 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-16 23:06 . 2009-04-28 20:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-16 14:36 . 2006-07-18 02:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-07-18 02:35 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 22:16 . 2009-06-14 22:16 -------- d-----w- c:\program files\Intelore
2009-06-03 19:09 . 2006-07-18 02:36 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 01:42 . 2009-06-03 01:42 -------- d-----w- c:\program files\7-Zip
2009-05-30 03:10 . 2009-05-30 03:10 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-21 16:33 . 2009-04-30 22:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-09 02:31 . 2009-05-09 02:31 207872 ----a-w- c:\documents and settings\Mason\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-05-09 02:31 . 2009-05-09 02:31 207872 ----a-w- c:\documents and settings\Mason\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-05-09 02:31 . 2009-05-09 02:31 207872 ----a-w- c:\documents and settings\Mason\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-05-09 02:31 . 2009-05-09 02:31 207872 ----a-w- c:\documents and settings\Mason\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-05-07 15:32 . 2006-07-18 02:36 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-24 03:53 . 2009-04-28 04:40 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-07-22_22.30.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-31 14:50 . 2009-07-31 14:50 16384 c:\windows\temp\Perflib_Perfdata_bc.dat
+ 2009-05-16 04:06 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2009-05-16 04:06 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2009-02-20 08:10 . 2009-06-26 16:50 81920 c:\windows\system32\dllcache\ieencode.dll
- 2009-02-20 08:10 . 2009-04-29 04:46 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2006-07-18 02:36 . 2009-06-26 16:50 620032 c:\windows\system32\urlmon.dll
- 2006-07-18 02:36 . 2009-04-29 04:46 620032 c:\windows\system32\urlmon.dll
+ 2006-07-17 19:55 . 2009-07-31 14:49 166712 c:\windows\system32\FNTCACHE.DAT
+ 2009-02-20 08:10 . 2009-06-26 16:50 666624 c:\windows\system32\dllcache\wininet.dll
- 2009-02-20 08:10 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\wininet.dll
- 2009-02-20 08:10 . 2009-04-29 04:46 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2009-02-20 08:10 . 2009-06-26 16:50 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2006-07-18 02:36 . 2009-07-18 16:05 1509888 c:\windows\system32\shdocvw.dll
+ 2006-07-18 02:36 . 2009-07-18 16:05 3069440 c:\windows\system32\mshtml.dll
+ 2009-03-02 23:04 . 2009-07-18 16:05 1509888 c:\windows\system32\dllcache\shdocvw.dll
+ 2009-02-20 08:11 . 2009-07-18 16:05 3069440 c:\windows\system32\dllcache\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-16 1830128]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-07-25 364544]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"Power Center"="c:\documents and settings\Mason\Desktop\Power Center\pwcenter.EXE" [2001-07-27 126976]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"NDSTray.exe"="NDSTray.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-08-24 16050688]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\Mason\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-9-3 114688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-7-17 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1153241354\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/11/2009 6:44 AM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/11/2009 6:44 AM 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [7/14/2009 3:02 PM 33792]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\Mason\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Mason\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mason\Application Data\Mozilla\Firefox\Profiles\fgwyl9au.default\
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 19:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4102350338-3734851036-1402777801-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\000\[T_000^m*n0qgN00000^]
"Order"=hex:08,00,00,00,02,00,00,00,16,01,00,00,01,00,00,00,02,00,00,00,7c,00,
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,32,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-01 19:13
ComboFix-quarantined-files.txt 2009-08-01 00:13
ComboFix2.txt 2009-07-22 22:31
ComboFix3.txt 2009-07-11 18:58
ComboFix4.txt 2009-07-01 03:43
ComboFix5.txt 2009-08-01 00:03

Pre-Run: 24,304,123,904 bytes free
Post-Run: 25,877,295,104 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
217 --- E O F --- 2009-07-30 13:04

#15 Judicandus

    Bleepin' Pasta

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:03:18 AM

Posted 05 August 2009 - 02:20 AM

Hi snipersgethead,

We need to run another CFScript.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\xa.tmp


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
