Nasty backdoor trojan, SAS doesn't run, registry issues


19 replies to this topic

#1 snkzato1

snkzato1

  • Members
  • 43 posts
  • OFFLINE
  • Local time:01:21 PM

Posted 13 July 2009 - 01:40 PM

This is the continuation of a thread here
http://www.bleepingcomputer.com/forums/t/239350/strange-computer-problems-potentially-a-trojan/
DaChewey helped as much as he could with just normal means but he directed me here, and I really hope the problem can be fixed. Every detail I can think of is in that thread, but the brief is...

-Was infected last Monday (the 6th)
-After much rooting and fixing I got most antivirus programs to work except SAS, which keeps telling me I don't have administrative rights
-When I turn my PC on in normal mode I get this winloginui.exe error message over and over.
-If I connect to the internet in normal mode I get spam and pop-ups, a total mess.

So it seems the normal collection of RootRepeal, MBAM and others wasn't doing the trick. I prepared the logs as requested.
DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 11:45:54.12 on Mon 07/13/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1632 [GMT -5:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [nah_Shell] c:\windows\system32\config\systemprofile\nah_qpfj.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\sslaunch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-5-16 85248]
S2 ckrcww;ckrcww;c:\windows\system32\drivers\gpjfkvu.sys --> c:\windows\system32\drivers\gpjfkvu.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]

=============== Created Last 30 ================

2009-07-13 10:53 --d----- c:\program files\sFX
2009-07-09 07:38 359,040 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-08 22:03 --d-h--- c:\windows\system32\GroupPolicy
2009-07-08 16:49 --d----- C:\Root Repeal
2009-07-08 10:29 2,612 a------- c:\windows\system32\tmp.reg
2009-07-08 10:21 --d----- c:\windows\system32\PreInstall
2009-07-07 10:32 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 10:32 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-07 10:32 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 11:41 --d----- c:\windows\system32\appmgmt
2009-07-06 11:22 --d----- c:\windows\system32\NtmsData
2009-07-06 09:49 740,864 a------- c:\windows\system32\wscsvc32.exe
2009-07-06 09:49 257,536 a------- c:\windows\system32\resdll.dll
2009-07-06 09:46 40 a------- c:\windows\system32\BD.tmp
2009-07-06 09:46 88,566 a------- c:\windows\system32\nvapps.xml
2009-07-06 09:46 229,376 a------- c:\windows\system32\nvudisp.exe
2009-07-06 09:46 17,056 a------- c:\windows\system32\nvdisp.nvu
2009-07-06 09:46 229,376 a------- c:\windows\system32\NVUNINST.EXE
2009-07-06 09:38 135,168 a------- c:\windows\system32\igfxres.dll
2009-07-06 09:37 77,824 a------- c:\windows\system32\igfxcpl.cpl
2009-07-06 09:36 90,112 a------- c:\windows\DUMP69e5.tmp
2009-07-06 09:35 1,858 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_PX721AA-ABA M7160N_YC_0Pavi_QMXK521_E53NAsyEPC1_47_ILIMESTONE_SASUSTek Computer INC._V1.04_B3.03_T050519_WXP2_L409_M2047_J250_7Intel_8Pentium D_92.8_#050706_N808627DC_Z11C1048C_G10DE0092.MRK
2009-07-06 09:34 --d----- c:\docume~1\hp_adm~1\applic~1\Symantec
2009-07-06 09:34 --d----- c:\documents and settings\hp_administrator\WINDOWS
2009-07-06 09:34 --d----- c:\documents and settings\HP_Administrator
2009-07-06 09:29 --d----- c:\windows\system32\SoftwareDistribution
2009-07-06 09:15 --dshr-- c:\windows\system32\dllcache
2009-07-05 23:33 54 a------- C:\xcrashdump.dat
2009-07-05 23:31 --d----- c:\program files\drv
2009-07-05 23:31 --dsh--- c:\windows\System Volume Information
2009-07-05 23:30 2 a------- C:\1747517641

==================== Find3M ====================

2009-07-13 10:53 359,040 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-07-13 10:53 359,040 a------- c:\windows\system32\dllcache\TCPIP.SYS
2009-07-06 17:34 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-07-06 17:34 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-06-02 11:17 99,328 a------- c:\windows\system32\WS2Fix.exe
2009-05-22 20:07 107,626 ac------ c:\windows\War3Unin.dat
2007-06-18 17:48 40 a------- c:\documents and settings\hp_administrator\language.dat
2006-10-29 20:22 109,568 a------- c:\docume~1\hp_adm~1\applic~1\GDIPFONTCACHEV1.DAT
2006-03-15 16:00 13,142 ac------ c:\documents and settings\hp_administrator\ZGUICFGW.DAT
2005-07-26 22:37 0 ac------ c:\docume~1\hp_adm~1\applic~1\wklnhst.dat

============= FINISH: 11:46:28.28 ===============



Thanks so much in advance,
SNK
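The DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections above are what a removal helper actually reads: a `dRun` autostart living under the SYSTEM profile, lockdown policies such as `DisableRegistryTools` (the "registry issues" in the title), and an auto-start service whose driver file DDS could not find (`--> ... [?]`). The script below is an added example, not part of this thread or of the DDS tool, showing how such a log can be triaged automatically. The line formats are inferred from the log above and the severity ranking is my own assumption; the sample lines are constructed in the same format and mirror the suspicious entries in the post.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str
    severity: str  # "high" or "low" (assumed ranking, not a DDS concept)


# Constructed sample in DDS output format; the flagged lines mirror the post above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
dRun: [nah_Shell] c:\windows\system32\config\systemprofile\nah_qpfj.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
S2 ckrcww;ckrcww;c:\windows\system32\drivers\gpjfkvu.sys --> c:\windows\system32\drivers\gpjfkvu.sys [?]
"""

# DDS prefixes Run-key entries with the hive they came from: u = HKCU, m = HKLM,
# d = the default/system profile hive (inferred from the log format; assumption).
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Policy lines: "<hive>Policies-<area>: <Policy> = <value> (0x..)"
POLICY_RE = re.compile(r"^[umd]Policies-(?P<area>\w+): (?P<policy>\w+) = (?P<value>\d+)")
# Service/driver lines: "<R|S><start-type> <name>;<display>;<path> [<date size>]"
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);")

# Policies malware commonly sets to hinder cleanup; a non-zero value is the red flag.
LOCKDOWN_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr", "NoRun"}


def triage(log_text):
    """Return the log lines a removal helper would want to look at, most serious first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        run = RUN_RE.match(line)
        if run and run.group("hive") == "d" and "\\config\\systemprofile\\" in run.group("cmd").lower():
            # Legitimate software does not normally autostart from the SYSTEM profile.
            findings.append(Finding(line, "autostart from the SYSTEM profile's Run key", "high"))
            continue

        pol = POLICY_RE.match(line)
        if pol and pol.group("policy") in LOCKDOWN_POLICIES and pol.group("value") != "0":
            findings.append(Finding(line, f"lockdown policy {pol.group('policy')} is set", "high"))
            continue

        svc = SVC_RE.match(line)
        if svc and " --> " in line and line.endswith("[?]"):
            # DDS prints "path --> path [?]" when it cannot locate the service binary.
            # Start types 0-2 load without user action, so treat those as high.
            sev = "high" if svc.group("state")[1] in "012" else "low"
            findings.append(Finding(line, f"service {svc.group('name')} points at a missing driver file", sev))
            continue

        if line.startswith(("SEH:", "Notify:", "BHO:")) and line.endswith("No File"):
            # Orphaned registration: worth cleaning up, rarely the active infection.
            findings.append(Finding(line, "orphaned hook/handler entry (No File)", "low"))

    order = {"high": 0, "low": 1}
    return sorted(findings, key=lambda f: order[f.severity])  # stable: keeps log order within a tier


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample it reports four high findings (the systemprofile `dRun`, both lockdown policies, and the `S2` service with a missing driver) and one low one (the orphaned SEH entry); the clean `uRun`/`mRun` lines produce nothing. Treat the output as a reading aid for the log, not as a verdict: the same three indicators are what a helper confirms by hand before deciding what to remove.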



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:02:21 PM

Posted 24 July 2009 - 04:28 PM

Hello snkzato1

Welcome to BleepingComputer :thumbup2:
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 snkzato1

snkzato1
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:01:21 PM

Posted 24 July 2009 - 09:36 PM

OTL keeps saying some file involved with Firefox can't be scanned, then gets stuck.
Is this normal?

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:02:21 PM

Posted 25 July 2009 - 06:16 AM

No, try this one:
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#5 snkzato1

snkzato1
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:01:21 PM

Posted 25 July 2009 - 11:01 AM

Here is the GMER "This file" log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-25 10:55:36
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 89C17C08 ZwEnumerateKey
Code 89C10A58 ZwFlushInstructionCache
Code 89C605DE IofCallDriver
Code 89C4957E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EEEB8 5 Bytes JMP 89C605E3
.text ntkrnlpa.exe!IofCompleteRequest 804EEF48 5 Bytes JMP 89C49583
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B51CE 5 Bytes JMP 89C10A5C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622888 5 Bytes JMP 89C17C0C
.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x89D70200, 0x32BAA, 0xE0000060]

---- User code sections - GMER 1.0.15 ----

.text C:\t9jdojpc.exe[244] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\t9jdojpc.exe[244] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\t9jdojpc.exe[244] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\t9jdojpc.exe[244] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\t9jdojpc.exe[244] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\ehome\ehtray.exe[488] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\ehome\ehtray.exe[488] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\ehome\ehtray.exe[488] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\ehome\ehtray.exe[488] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\ehome\ehtray.exe[488] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\dllhost.exe[560] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\dllhost.exe[560] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\dllhost.exe[560] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\dllhost.exe[560] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\dllhost.exe[560] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\dllhost.exe[560] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\dllhost.exe[560] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF9484E
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF948DD
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF948EA
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF948D3
.text C:\WINDOWS\system32\winlogon.exe[704] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9492B
.text C:\WINDOWS\system32\winlogon.exe[704] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\winlogon.exe[704] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF9484E
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF948DD
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF948EA
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF948D3
.text C:\WINDOWS\system32\services.exe[748] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9492B
.text C:\WINDOWS\system32\services.exe[748] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\services.exe[748] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF9484E
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF948DD
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF948EA
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF948D3
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9492B
.text C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\lsass.exe[764] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\svchost.exe[916] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[916] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[916] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[916] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[916] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[916] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\RTHDCPL.EXE[932] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\RTHDCPL.EXE[932] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\RTHDCPL.EXE[932] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\RTHDCPL.EXE[932] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\RTHDCPL.EXE[932] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1036] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF9484E
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF948DD
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF948EA
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF948D3
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9492B
.text C:\WINDOWS\System32\svchost.exe[1084] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1084] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1092] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1092] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1092] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1092] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1092] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1092] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1092] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\eHome\ehmsas.exe[1124] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\eHome\ehmsas.exe[1124] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\eHome\ehmsas.exe[1124] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\eHome\ehmsas.exe[1124] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\eHome\ehmsas.exe[1124] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[1188] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1188] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\svchost.exe[1220] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1220] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1292] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\RUNDLL32.EXE[1292] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\RUNDLL32.EXE[1292] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\RUNDLL32.EXE[1292] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\RUNDLL32.EXE[1292] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\ctfmon.exe[1476] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\ctfmon.exe[1476] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\ctfmon.exe[1476] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\ctfmon.exe[1476] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\ctfmon.exe[1476] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.reloc C:\WINDOWS\Explorer.EXE[1552] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE0000040]
.reloc C:\WINDOWS\Explorer.EXE[1552] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x011034E7]
.text C:\WINDOWS\Explorer.EXE[1552] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\Explorer.EXE[1552] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\Explorer.EXE[1552] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\Explorer.EXE[1552] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\Explorer.EXE[1552] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\Explorer.EXE[1552] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\Explorer.EXE[1552] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\eHome\ehRecvr.exe[1736] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\eHome\ehRecvr.exe[1736] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\eHome\ehRecvr.exe[1736] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\eHome\ehRecvr.exe[1736] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\eHome\ehRecvr.exe[1736] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\eHome\ehRecvr.exe[1736] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\eHome\ehRecvr.exe[1736] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\eHome\ehSched.exe[1776] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\eHome\ehSched.exe[1776] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\eHome\ehSched.exe[1776] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\eHome\ehSched.exe[1776] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\eHome\ehSched.exe[1776] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text c:\Program Files\Common Files\LightScribe\LSSrvc.exe[1804] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text c:\Program Files\Common Files\LightScribe\LSSrvc.exe[1804] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text c:\Program Files\Common Files\LightScribe\LSSrvc.exe[1804] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text c:\Program Files\Common Files\LightScribe\LSSrvc.exe[1804] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text c:\Program Files\Common Files\LightScribe\LSSrvc.exe[1804] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1832] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1832] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1832] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1832] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1832] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\nvsvc32.exe[1860] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\nvsvc32.exe[1860] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\nvsvc32.exe[1860] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\nvsvc32.exe[1860] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\nvsvc32.exe[1860] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\nvsvc32.exe[1860] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\nvsvc32.exe[1860] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\HPZipm12.exe[1872] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\HPZipm12.exe[1872] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\HPZipm12.exe[1872] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\HPZipm12.exe[1872] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\HPZipm12.exe[1872] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\HPZipm12.exe[1872] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\HPZipm12.exe[1872] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe[2076] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe[2076] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe[2076] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe[2076] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe[2076] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe[2076] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe[2076] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\dwwin.exe[2248] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\dwwin.exe[2248] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\dwwin.exe[2248] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\dwwin.exe[2248] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\dwwin.exe[2248] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\dwwin.exe[2248] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\dwwin.exe[2248] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\igfxsrvc.exe[2596] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\igfxsrvc.exe[2596] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\igfxsrvc.exe[2596] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\igfxsrvc.exe[2596] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\igfxsrvc.exe[2596] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\HP\KBD\KBD.EXE[2684] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\HP\KBD\KBD.EXE[2684] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\HP\KBD\KBD.EXE[2684] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\HP\KBD\KBD.EXE[2684] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\HP\KBD\KBD.EXE[2684] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\ALCMTR.EXE[2768] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\ALCMTR.EXE[2768] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\ALCMTR.EXE[2768] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\ALCMTR.EXE[2768] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\ALCMTR.EXE[2768] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\AGRSMMSG.exe[2856] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\AGRSMMSG.exe[2856] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\AGRSMMSG.exe[2856] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\AGRSMMSG.exe[2856] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\AGRSMMSG.exe[2856] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\InterMute\SpySubtract\SpySub.exe[3064] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\InterMute\SpySubtract\SpySub.exe[3064] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\InterMute\SpySubtract\SpySub.exe[3064] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\InterMute\SpySubtract\SpySub.exe[3064] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\InterMute\SpySubtract\SpySub.exe[3064] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\InterMute\SpySubtract\SpySub.exe[3064] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\InterMute\SpySubtract\SpySub.exe[3064] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\wuauclt.exe[3168] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\wuauclt.exe[3168] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\wuauclt.exe[3168] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\wuauclt.exe[3168] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\wuauclt.exe[3168] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text c:\windows\system\hpsysdrv.exe[3240] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text c:\windows\system\hpsysdrv.exe[3240] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text c:\windows\system\hpsysdrv.exe[3240] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text c:\windows\system\hpsysdrv.exe[3240] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text c:\windows\system\hpsysdrv.exe[3240] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\hphmon06.exe[3252] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\hphmon06.exe[3252] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\hphmon06.exe[3252] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\WINDOWS\system32\hphmon06.exe[3252] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\hphmon06.exe[3252] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\WINDOWS\system32\hphmon06.exe[3252] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\hphmon06.exe[3252] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Java\jre1.5.0\bin\jusched.exe[3328] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\Java\jre1.5.0\bin\jusched.exe[3328] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Java\jre1.5.0\bin\jusched.exe[3328] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Java\jre1.5.0\bin\jusched.exe[3328] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Java\jre1.5.0\bin\jusched.exe[3328] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\iTunes\iTunesHelper.exe[3488] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\iTunes\iTunesHelper.exe[3488] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\iTunes\iTunesHelper.exe[3488] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\iTunes\iTunesHelper.exe[3488] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\iTunes\iTunesHelper.exe[3488] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\iPod\bin\iPodService.exe[3516] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\Program Files\iPod\bin\iPodService.exe[3516] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\Program Files\iPod\bin\iPodService.exe[3516] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA48EA
.text C:\Program Files\iPod\bin\iPodService.exe[3516] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\Program Files\iPod\bin\iPodService.exe[3516] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [89D77982] NDIS.sys[.reloc]

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACftiqoqolwosswmblr.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACftiqoqolwosswmblr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACftiqoqolwosswmblr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACajtllxfaordgmtalq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACppuyciqdkdrbavvhx.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACetmnobrrndrisobpk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACftiqoqolwosswmblr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACftiqoqolwosswmblr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACajtllxfaordgmtalq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACppuyciqdkdrbavvhx.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACetmnobrrndrisobpk.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr19.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr09.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr29.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr39.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr49.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr59.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr69.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr79.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr89.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr99.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn0.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn1.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn2.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn3.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn4.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn5.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn6.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn7.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn8.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrn9.dll 30208 bytes
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyrnf.dll 30208 bytes
File C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys (size mismatch) 182656/182912 bytes executable
File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 212480/182912 bytes executable
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212480/182912 bytes executable
File C:\WINDOWS\system32\drivers\UACftiqoqolwosswmblr.sys 54272 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACajtllxfaordgmtalq.dll 26624 bytes executable
File C:\WINDOWS\system32\UACemnevppopacvritvp.dat 310 bytes
File C:\WINDOWS\system32\UACetmnobrrndrisobpk.dll 69120 bytes executable
File C:\WINDOWS\system32\uacinit.dll 6615 bytes
File C:\WINDOWS\system32\UACppuyciqdkdrbavvhx.dat 310 bytes
File C:\WINDOWS\system32\uactmp.db 3976714 bytes
File C:\WINDOWS\system32\UACtoerfduxjvmwftlyk.db 1110399 bytes
File C:\WINDOWS\temp\UAC51a9.tmp 343040 bytes executable

---- EOF - GMER 1.0.15 ----
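
A log like the one above is easier to act on once it is reduced to a few questions: which ntdll exports are hooked, in how many processes, and do they all land on the same target address; which service is hidden and what does its registry "modules" inventory list; which files GMER flagged or found with a size mismatch. The parser below is an added example for this thread, not part of the original post and not GMER's own code; its input is a handful of lines excerpted from the log above, trimmed to two processes so it runs offline, and the `shared_stub` heuristic and all field names are this example's own choices.

```python
"""Parse GMER 1.0.15 text output and pull out the indicators a responder acts on."""
import re
from collections import defaultdict

# Constructed input for this example: lines excerpted from the GMER log above,
# trimmed to two processes so the parser runs offline on a small sample.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\dwwin.exe[2248] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\dwwin.exe[2248] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA48DD
.text C:\WINDOWS\system32\dwwin.exe[2248] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA48D3
.text C:\WINDOWS\system32\dwwin.exe[2248] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA492B
.text C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe[2076] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA484E
.text C:\WINDOWS\system32\dwwin.exe[2248] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\UACftiqoqolwosswmblr.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACftiqoqolwosswmblr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACajtllxfaordgmtalq.dll
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\UACpbpnqxtgpkobgyr19.dll 30208 bytes
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212480/182912 bytes executable
File C:\WINDOWS\system32\drivers\UACftiqoqolwosswmblr.sys 54272 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACajtllxfaordgmtalq.dll 26624 bytes executable
"""

# Inline hook line: ".text <image>[<pid>] <module>!<export> <addr> N Bytes CALL|JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)(?P<tag>.*)$"
)
FILE_RE = re.compile(
    r"^File\s+(?P<path>.+?)(?:\s+\((?P<note>[^)]*)\))?\s+(?P<size>\d+(?:/\d+)?)\s+bytes(?P<tag>.*)$"
)


def parse_gmer(text):
    """Split GMER output into hook, service, registry and file records."""
    out = {"hooks": [], "services": [], "registry": [], "files": []}
    for line in text.splitlines():
        line = line.rstrip()
        if m := HOOK_RE.match(line):
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            out["hooks"].append(rec)
        elif m := SERVICE_RE.match(line):
            rec = m.groupdict()
            rec["hidden"] = "hidden" in rec["flags"]
            rec["flagged"] = "ROOTKIT" in rec["tag"]
            out["services"].append(rec)
        elif line.startswith("Reg "):
            # "Reg <key>" or "Reg <key>@<value> <data>"; keys may contain spaces
            key, sep, rest = line[4:].partition("@")
            value, _, data = rest.partition(" ") if sep else ("", "", "")
            out["registry"].append({"key": key, "value": value or None, "data": data})
        elif m := FILE_RE.match(line):
            rec = m.groupdict()
            # on a size mismatch GMER prints two sizes; both are kept as reported
            rec["sizes"] = tuple(int(s) for s in rec.pop("size").split("/"))
            rec["size_mismatch"] = rec["note"] == "size mismatch"
            rec["flagged"] = "ROOTKIT" in rec["tag"]
            out["files"].append(rec)
    return out


def summarize(parsed):
    """Answer the questions a responder asks of a GMER log."""
    targets = defaultdict(set)   # hooked export -> set of hook target addresses
    procs = set()                # images carrying at least one hook
    for h in parsed["hooks"]:
        targets[h["func"]].add(h["target"].upper())
        procs.add(h["proc"])
    # Heuristic (this example's own): if every process is redirected to the
    # same target for a given export, one injected stub is shared system-wide.
    shared_stub = bool(targets) and all(len(t) == 1 for t in targets.values())
    hidden = [(s["name"], s["path"]) for s in parsed["services"] if s["hidden"]]
    # The "modules" subkey of a hidden service is the rootkit's own inventory
    # of its components, which is the list needed for cleanup.
    modules = {}
    for r in parsed["registry"]:
        for name, _ in hidden:
            suffix = f"services\\{name.lower()}\\modules"
            if r["value"] and r["key"].lower().endswith(suffix):
                modules[r["value"]] = r["data"]
    return {
        "hook_targets": {f: sorted(t) for f, t in targets.items()},
        "hooked_process_count": len(procs),
        "shared_stub": shared_stub,
        "hidden_services": hidden,
        "modules": modules,
        "rootkit_files": [f["path"] for f in parsed["files"] if f["flagged"]],
        "size_mismatch": [(f["path"], f["sizes"]) for f in parsed["files"] if f["size_mismatch"]],
    }


if __name__ == "__main__":
    for key, val in summarize(parse_gmer(SAMPLE_LOG)).items():
        print(f"{key}: {val}")
```

Run over the full log, the summary says what the raw listing only implies: the same five ntdll exports (NtCreateFile, NtCreateProcess, NtCreateProcessEx, NtOpenFile, NtQueryInformationProcess) are redirected to identical addresses in every listed process, HP tray utilities and SpySub.exe alike, which is the pattern of one stub injected everywhere to hide files and processes rather than per-product instrumentation; the hidden service UACd.sys and its `modules` values name the driver, two DLLs and a .dat file as the set to remove together; and the ndis.sys size mismatch next to the NDIS device hook says the network path is patched as well. One caveat: legitimate security software also places inline hooks on ntdll exports, so a hooked export by itself is not a verdict; here the uniform targets across unrelated processes, combined with a service GMER could not enumerate normally, are what tip it.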



#6 snkzato1 (Topic Starter)

Posted 25 July 2009 - 12:42 PM

I found a backdoor way of opening SuperAntiSpyware. Anytime I run a scan the computer reboots, but the program will turn on. Would any of the repair options help?
Here are the RSIT logs

info.txt logfile of random's system information tool 1.06 2009-07-25 11:05:10

======Uninstall list======

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"

=====HijackThis Backups=====

O1 - Hosts: 82.98.231.89 url.adtrgt.com [2009-04-22]
O4 - HKLM\..\Run: [wopelalipu] Rundll32.exe "C:\WINDOWS\system32\kohisiva.dll",s [2009-04-22]
O4 - HKLM\..\Run: [CPM6b1a33fa] Rundll32.exe "c:\windows\system32\radiguyo.dll",a [2009-04-22]
O4 - HKLM\..\Run: [CPM6b1a33fa] Rundll32.exe "c:\windows\system32\radiguyo.dll",a [2009-04-22]
O4 - HKLM\..\Run: [CPM6b1a33fa] Rundll32.exe "c:\windows\system32\radiguyo.dll",a [2009-04-22]
O4 - HKLM\..\Run: [wopelalipu] Rundll32.exe "C:\WINDOWS\system32\kohisiva.dll",s [2009-04-22]
O15 - Trusted Zone: *.antimalwareguard.com [2009-04-22]
O4 - HKLM\..\Run: [CPM6b1a33fa] Rundll32.exe "c:\windows\system32\radiguyo.dll",a [2009-04-22]
O4 - HKLM\..\Run: [wopelalipu] Rundll32.exe "C:\WINDOWS\system32\kohisiva.dll",s [2009-04-22]
O4 - HKLM\..\Run: [CPM6b1a33fa] Rundll32.exe "c:\windows\system32\radiguyo.dll",a [2009-04-22]
O4 - HKLM\..\Run: [wopelalipu] Rundll32.exe "C:\WINDOWS\system32\kohisiva.dll",s [2009-04-22]
O4 - HKLM\..\Run: [68290066] rundll32.exe "C:\WINDOWS\system32\lawopuni.dll",b [2009-04-22]

======Hosts File======

127.0.0.1 jL.chura.pl

======Security center information======

AV: Protection System (outdated)

======System event log======

Computer Name: ALEX
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Record Number: 79
Source Name: DCOM
Time Written: 20090706100101.000000-300
Event Type: error
User: ALEX\Administrator

Computer Name: ALEX
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Record Number: 78
Source Name: DCOM
Time Written: 20090706100052.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: ALEX
Event Code: 10010
Message: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

Record Number: 74
Source Name: DCOM
Time Written: 20090706095119.000000-300
Event Type: error
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: ALEX
Event Code: 10010
Message: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

Record Number: 72
Source Name: DCOM
Time Written: 20090706095045.000000-300
Event Type: error
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: ALEX
Event Code: 10010
Message: The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

Record Number: 70
Source Name: DCOM
Time Written: 20090706095010.000000-300
Event Type: error
User: NT AUTHORITY\NETWORK SERVICE

=====Application event log=====

Computer Name: ALEX
Event Code: 1000
Message: Faulting application wmiprvse.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x009d024d.

Record Number: 26
Source Name: Application Error
Time Written: 20090706095048.000000-300
Event Type: error
User:

Computer Name: ALEX
Event Code: 1000
Message: Faulting application wmiprvse.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x009c024d.

Record Number: 25
Source Name: Application Error
Time Written: 20090706095013.000000-300
Event Type: error
User:

Computer Name: ALEX
Event Code: 1000
Message: Faulting application wmiprvse.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x009c024d.

Record Number: 24
Source Name: Application Error
Time Written: 20090706094938.000000-300
Event Type: error
User:

Computer Name: ALEX
Event Code: 1000
Message: Faulting application userinit.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x008a024d.

Record Number: 23
Source Name: Application Error
Time Written: 20090706094850.000000-300
Event Type: error
User:

Computer Name: ALEX
Event Code: 1517
Message: Windows saved user ALEX\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 15
Source Name: Userenv
Time Written: 20090706094714.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Python22
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0404
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=c:\Program Files\Common Files\Sonic Shared\Sonic Central\

-----------------EOF-----------------


Logfile of random's system information tool 1.06 (written by random/random)
Run by HP_Administrator at 2009-07-25 11:05:02
Microsoft Windows XP Professional Service Pack 2
System drive C: has 36 GB (16%) free of 230 GB
Total RAM: 2046 MB (77% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:09 AM, on 7/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\t9jdojpc.exe
C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [nah_Shell] C:\WINDOWS\system32\config\systemprofile\nah_qpfj.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [nah_Shell] C:\WINDOWS\system32\config\systemprofile\nah_qpfj.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6740 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\GlaryInitialize.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP view - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll [2003-11-21 98304]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2004-08-10 79360]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-04-05 98304]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2005-04-05 135168]
"HPBootOp"=C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [2005-02-26 266240]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-04-13 14180352]
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe [2004-10-14 274432]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-10 35328]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\sslaunch.exe
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-04-05 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= []
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\iTunes\iTunes.exe"="%ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes"

======List of files/folders created in the last 1 months======

2009-07-25 11:05:02 ----D---- C:\rsit
2009-07-24 21:31:59 ----A---- C:\t9jdojpc.exe
2009-07-13 10:53:43 ----D---- C:\Program Files\sFX
2009-07-09 20:37:53 ----A---- C:\WINDOWS\OEWABLog.txt
2009-07-09 16:53:30 ----A---- C:\RootRepeal report 07-09-09 (16-53-30).txt
2009-07-08 22:03:04 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-07-08 16:49:39 ----D---- C:\Root Repeal
2009-07-08 10:29:43 ----A---- C:\WINDOWS\system32\tmp.txt
2009-07-08 10:29:30 ----A---- C:\rapport.txt
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\VACFix.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\swxcacls.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\swsc.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\o4Patch.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\IEDFix.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\dumphive.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2009-07-08 10:25:12 ----A---- C:\WINDOWS\system32\404Fix.exe
2009-07-08 10:25:11 ----A---- C:\WINDOWS\system32\swreg.exe
2009-07-08 10:25:11 ----A---- C:\WINDOWS\system32\Process.exe
2009-07-08 10:21:06 ----D---- C:\WINDOWS\system32\PreInstall
2009-07-08 10:17:20 ----A---- C:\Bug.txt
2009-07-07 10:32:48 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-06 21:54:26 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-06 18:17:42 ----SHD---- C:\WINDOWS\CSC
2009-07-06 11:41:21 ----D---- C:\WINDOWS\system32\appmgmt
2009-07-06 11:37:53 ----A---- C:\WINDOWS\system32\LuResult.txt
2009-07-06 11:22:26 ----D---- C:\WINDOWS\system32\NtmsData
2009-07-06 10:08:23 ----A---- C:\WINDOWS\imsins.BAK
2009-07-06 09:49:40 ----A---- C:\WINDOWS\system32\wscsvc32.exe
2009-07-06 09:49:40 ----A---- C:\WINDOWS\system32\resdll.dll
2009-07-06 09:46:44 ----A---- C:\WINDOWS\system32\BD.tmp
2009-07-06 09:46:36 ----A---- C:\WINDOWS\system32\nvudisp.exe
2009-07-06 09:46:25 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2009-07-06 09:41:07 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla
2009-07-06 09:38:54 ----A---- C:\WINDOWS\system32\igfxres.dll
2009-07-06 09:36:04 ----A---- C:\WINDOWS\DUMP69e5.tmp
2009-07-06 09:34:44 ----ASH---- C:\Documents and Settings\HP_Administrator\Application Data\desktop.ini
2009-07-06 09:34:34 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\InterMute
2009-07-06 09:34:34 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Identities
2009-07-06 09:34:34 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
2009-07-06 09:34:28 ----SD---- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft
2009-07-06 09:34:28 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2009-07-06 09:34:28 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\SampleView
2009-07-06 09:34:28 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Real
2009-07-06 09:29:34 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-07-06 09:15:58 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-07-05 23:31:56 ----D---- C:\Program Files\drv
2009-07-05 23:31:03 ----SHD---- C:\WINDOWS\System Volume Information

======List of files/folders modified in the last 1 months======

2009-07-24 22:10:58 ----D---- C:\WINDOWS\Prefetch
2009-07-24 21:30:51 ----D---- C:\WINDOWS
2009-07-24 21:30:32 ----D---- C:\WINDOWS\system32\Lang
2009-07-24 21:30:24 ----D---- C:\WINDOWS\temp
2009-07-24 21:30:12 ----D---- C:\WINDOWS\Registration
2009-07-24 21:28:58 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-13 11:33:24 ----D---- C:\WINDOWS\system32
2009-07-13 11:32:41 ----D---- C:\WINDOWS\system32\drivers
2009-07-13 11:21:44 ----SHD---- C:\WINDOWS\Installer
2009-07-13 11:21:44 ----HD---- C:\Config.Msi
2009-07-13 11:21:44 ----D---- C:\Program Files\SUPERAntiSpyware
2009-07-13 11:03:12 ----SHD---- C:\System Volume Information
2009-07-13 11:03:12 ----D---- C:\WINDOWS\system32\Restore
2009-07-13 10:53:43 ----D---- C:\Program Files
2009-07-09 17:29:25 ----D---- C:\Program Files\Mozilla Firefox
2009-07-09 07:22:38 ----D---- C:\WINDOWS\security
2009-07-08 21:42:14 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-08 10:41:57 ----D---- C:\Program Files\Google
2009-07-08 10:21:32 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2009-07-08 10:21:15 ----HD---- C:\WINDOWS\inf
2009-07-08 10:20:42 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-08 09:13:18 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-06 15:13:28 ----D---- C:\Program Files\Symantec
2009-07-06 15:13:28 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-07-06 15:13:27 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-07-06 12:27:45 ----D---- C:\Program Files\Common Files\Real
2009-07-06 12:27:44 ----D---- C:\Program Files\Common Files
2009-07-06 12:02:49 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-06 12:02:49 ----D---- C:\Program Files\PC-Doctor for Windows
2009-07-06 11:41:06 ----SD---- C:\WINDOWS\Tasks
2009-07-06 11:18:45 ----D---- C:\USERDATA
2009-07-06 11:17:02 ----AH---- C:\boot.ini
2009-07-06 10:08:28 ----SHD---- C:\RECYCLER
2009-07-06 09:56:32 ----D---- C:\WINDOWS\Debug
2009-07-06 09:56:17 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-06 09:55:53 ----A---- C:\WINDOWS\system.ini
2009-07-06 09:48:21 ----D---- C:\WINDOWS\nview
2009-07-06 09:46:36 ----D---- C:\WINDOWS\Help
2009-07-06 09:39:19 ----A---- C:\WINDOWS\system32\ssmute.ini
2009-07-06 09:38:22 ----D---- C:\Program Files\Easy Internet signup
2009-07-06 09:37:32 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-06 09:34:50 ----D---- C:\WINDOWS\system
2009-07-06 09:34:35 ----D---- C:\WINDOWS\I386
2009-07-06 09:34:13 ----D---- C:\Documents and Settings
2009-07-06 09:33:13 ----D---- C:\Program Files\Windows NT
2009-07-06 09:33:11 ----D---- C:\Program Files\Windows Media Player
2009-07-06 09:33:10 ----D---- C:\Program Files\Outlook Express
2009-07-06 09:33:08 ----D---- C:\Program Files\NetMeeting
2009-07-06 09:33:08 ----D---- C:\Program Files\Movie Maker
2009-07-06 09:33:07 ----D---- C:\Program Files\Messenger
2009-07-06 09:33:02 ----D---- C:\Program Files\Internet Explorer
2009-07-06 09:33:01 ----D---- C:\Program Files\Common Files\System
2009-07-06 09:33:00 ----D---- C:\Program Files\Common Files\Services
2009-07-06 09:32:54 ----D---- C:\WINDOWS\system32\wbem
2009-07-06 09:32:47 ----D---- C:\WINDOWS\system32\usmt
2009-07-06 09:32:41 ----D---- C:\WINDOWS\system32\ras
2009-07-06 09:32:40 ----D---- C:\WINDOWS\system32\oobe
2009-07-06 09:32:25 ----D---- C:\WINDOWS\system32\npp
2009-07-06 09:32:19 ----D---- C:\sysprep
2009-07-06 09:32:13 ----HD---- C:\hp
2009-07-06 09:32:12 ----D---- C:\WINDOWS\system32\icsxml
2009-07-06 09:32:11 ----D---- C:\WINDOWS\system32\ias
2009-07-06 09:31:33 ----D---- C:\WINDOWS\system32\RTCOM
2009-07-06 09:30:44 ----D---- C:\WINDOWS\system32\Setup
2009-07-06 09:30:41 ----D---- C:\WINDOWS\system32\Com
2009-07-06 09:30:40 ----D---- C:\WINDOWS\srchasst
2009-07-06 09:30:36 ----D---- C:\WINDOWS\mui
2009-07-06 09:30:36 ----D---- C:\WINDOWS\msagent
2009-07-06 09:30:33 ----RD---- C:\WINDOWS\Web
2009-07-06 09:30:33 ----D---- C:\WINDOWS\ime
2009-07-06 09:30:33 ----D---- C:\WINDOWS\ehome
2009-07-06 09:30:33 ----D---- C:\WINDOWS\addins
2009-07-06 09:30:32 ----D---- C:\WINDOWS\PeerNet
2009-07-06 09:30:31 ----D---- C:\WINDOWS\Media
2009-07-06 09:30:23 ----RSD---- C:\WINDOWS\Fonts
2009-07-06 09:30:19 ----D---- C:\WINDOWS\Cursors
2009-07-06 09:30:18 ----D---- C:\WINDOWS\AppPatch
2009-07-06 09:30:18 ----AHDC---- C:\WINDOWS\$NtUninstallMC05Upd1$
2009-07-06 09:30:17 ----AHDC---- C:\WINDOWS\$NtUninstallKB891781$
2009-07-06 09:30:17 ----AHDC---- C:\WINDOWS\$NtUninstallKB890175$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB889858$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB888113$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB887742$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB885836$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB885835$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB885354$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB885250$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB883667$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB873339$
2009-07-06 09:30:16 ----AHDC---- C:\WINDOWS\$NtUninstallKB867282$
2009-07-06 09:30:05 ----RHD---- C:\MSOCache
2009-07-06 09:29:53 ----D---- C:\WINDOWS\SoftwareDistribution
2009-07-06 09:29:47 ----RSD---- C:\WINDOWS\assembly
2009-07-06 09:29:47 ----RD---- C:\WINDOWS\Offline Web Pages
2009-07-01 17:23:08 ----D---- C:\Program Files\Warcraft III
2009-06-29 09:21:08 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\BitTorrent
2009-06-28 20:47:18 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\dvdcss
2009-06-26 16:04:26 ----A---- C:\WINDOWS\BlendSettings.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-10 36096]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2004-06-29 1268204]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-10 60800]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture; C:\WINDOWS\system32\drivers\cxfalcon.sys [2005-04-11 85248]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2004-09-14 13872]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-08 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-04-15 2564032]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-10 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-10 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-10 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-10 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-10 20480]
S2 ckrcww;ckrcww; C:\WINDOWS\system32\drivers\gpjfkvu.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-04-05 830684]
S3 imaolcoa;imaolcoa; \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\imaolcoa.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-10 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-10 15360]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 dwshd;dwshd; C:\WINDOWS\System32\drivers\dwshd.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2004-08-10 5504]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-10 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2004-09-28 215552]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2004-08-10 122880]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-03-17 58880]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 180290]
R3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2005-02-14 348160]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 90112]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 53248]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-10 287744]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 94208]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-10 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-10 58880]

-----------------EOF-----------------
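The driver and service lists above are where a helper looks first: an entry whose file could not be read (an empty "[]" block), a driver loaded from a user's Temp folder, or a service whose name has nothing to do with its file name (ckrcww pointing at gpjfkvu.sys) all stand out. The script below is an added example, not part of RSIT, ComboFix or this thread; it parses RSIT-format driver/service lines and scores them with those same heuristics. The sample input is copied from the log above; the vowel-ratio test for random-looking names and the 20% threshold are my own assumptions, and legitimate entries can trip single heuristics (the Realtek audio service and the SUPERAntiSpyware drivers below), so the output is a review order, not a verdict.

```python
"""Triage the driver/service section of an RSIT-style log.

Added example (not RSIT's, ComboFix's or the forum's own code). It parses
lines such as

    S2 ckrcww;ckrcww; C:\\WINDOWS\\system32\\drivers\\gpjfkvu.sys []

and attaches reasons a responder would otherwise collect by hand.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the RSIT driver list posted above.
SAMPLE_LOG = r"""
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-10 36096]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-04-15 2564032]
S2 ckrcww;ckrcww; C:\WINDOWS\system32\drivers\gpjfkvu.sys []
S3 imaolcoa;imaolcoa; \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\imaolcoa.sys []
S4 dwshd;dwshd; C:\WINDOWS\System32\drivers\dwshd.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-10 73472]
"""

# "<R|S><start> <name>;<display>; <path> [<date size>]"  -- the [] block is
# empty when RSIT could not stat the file.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
VOWELS = set("aeiouy")


@dataclass
class Entry:
    state: str
    start: str
    name: str
    display: str
    path: str
    meta: str
    reasons: List[str] = field(default_factory=list)


def file_stem(path: str) -> str:
    """Last path component without its extension, lower-cased."""
    return re.sub(r"\.[^.\\]+$", "", path.split("\\")[-1]).lower()


def looks_random(name: str) -> bool:
    """Heuristic (assumption): 5+ letters with under 20% vowels reads as random."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def name_unrelated(name: str, path: str) -> bool:
    """True when neither the service name nor the file stem contains the other."""
    n, stem = name.lower(), file_stem(path)
    return n not in stem and stem not in n


def triage(log_text: str) -> List[Entry]:
    """Parse every driver/service line and return entries, most suspicious first."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = Entry(**m.groupdict())
        if not e.meta.strip():
            e.reasons.append("no file metadata (file missing or unreadable)")
        if "\\temp\\" in e.path.lower():
            e.reasons.append("loaded from a Temp directory")
        if name_unrelated(e.name, e.path):
            e.reasons.append("service name unrelated to file name")
        if looks_random(e.name) or looks_random(file_stem(e.path)):
            e.reasons.append("random-looking name")
        entries.append(e)
    # sorted() is stable, so ties keep their log order.
    return sorted(entries, key=lambda e: -len(e.reasons))


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        flags = "; ".join(e.reasons) or "-"
        print(f"{e.state}{e.start} {e.name:22} {e.path}\n      {flags}")
```

Run as-is it prints ckrcww (three reasons), then imaolcoa and dwshd (two each), then the single-reason entries; anything with no reasons sits at the bottom. Extend SAMPLE_LOG with the rest of the list, or read the log file instead, to triage a whole RSIT report.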



#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 25 July 2009 - 02:16 PM

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.


Link 1
Link 2

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#8 snkzato1

snkzato1
  • Topic Starter

  • Members
  • 43 posts

Posted 25 July 2009 - 04:22 PM

Here is the combofix log. It seems progress is being made, but I think whatever this virus is, it's getting angry. Combofix told me, upon trying to run it a 2nd time, that its security had been compromised, likely by the virus "virut". Also, when I try to open certain windows I get this odd countdown screen that states Windows will be turning off as it has been issued by "authority NT/system"; this happened when trying to open Mozilla and when trying to enter the system32 folder. The internet was on both times.

ComboFix 09-07-24.01 - HP_Administrator 07/25/2009 14:53.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1720 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\nah_log.dat
c:\program files\sFX
c:\recycler\S-1-5-21-1036145044-1327424390-1996882761-1008
c:\recycler\S-1-5-21-3242396556-8666204494-465481960-5647
c:\recycler\S-1-5-21-3805503672-1571473380-770131209-6012
c:\windows\Installer\12ddbb.msi
c:\windows\Installer\135c4c.msi
c:\windows\Installer\14395404.msi
c:\windows\Installer\1456382.msi
c:\windows\Installer\14a3141.msi
c:\windows\Installer\14a3147.msi
c:\windows\Installer\152b06d2.msp
c:\windows\Installer\15d232d.msp
c:\windows\Installer\180c55d.msi
c:\windows\Installer\19a4b016.msi
c:\windows\Installer\1a6c993.msi
c:\windows\Installer\1bc85be.msi
c:\windows\Installer\1fd2d.msi
c:\windows\Installer\1fd33.msi
c:\windows\Installer\1fd3a.msi
c:\windows\Installer\1ff10f0.msi
c:\windows\Installer\1ff10f1.msp
c:\windows\Installer\1ff10f2.msp
c:\windows\Installer\1ff10f3.msp
c:\windows\Installer\1ff10f4.msp
c:\windows\Installer\1ff10f5.msp
c:\windows\Installer\1ff10f6.msp
c:\windows\Installer\1ff10f7.msp
c:\windows\Installer\1ff10f8.msp
c:\windows\Installer\1ff10f9.msp
c:\windows\Installer\21f0cfe4.msi
c:\windows\Installer\22af7d.msp
c:\windows\Installer\22af91.msp
c:\windows\Installer\22c20b31.msi
c:\windows\Installer\22c20b39.msp
c:\windows\Installer\2373647c.msi
c:\windows\Installer\242ccdd3.msi
c:\windows\Installer\255fb27.msi
c:\windows\Installer\255fb39.msi
c:\windows\Installer\261a64f.msi
c:\windows\Installer\261a650.msp
c:\windows\Installer\261a651.msp
c:\windows\Installer\261a652.msp
c:\windows\Installer\261a653.msp
c:\windows\Installer\261a654.msp
c:\windows\Installer\261a655.msp
c:\windows\Installer\261a656.msp
c:\windows\Installer\261a657.msp
c:\windows\Installer\261a658.msp
c:\windows\Installer\261a659.msp
c:\windows\Installer\262d525.msi
c:\windows\Installer\2968aa.msi
c:\windows\Installer\2968f2.msi
c:\windows\Installer\29690a.msi
c:\windows\Installer\296917.msi
c:\windows\Installer\296923.msi
c:\windows\Installer\29692d.msi
c:\windows\Installer\29693e.msi
c:\windows\Installer\29694a.msi
c:\windows\Installer\296954.msi
c:\windows\Installer\29695a.msi
c:\windows\Installer\296990.msi
c:\windows\Installer\296a57.msi
c:\windows\Installer\296a70.msi
c:\windows\Installer\296a74.msi
c:\windows\Installer\296a7a.msi
c:\windows\Installer\296a84.msi
c:\windows\Installer\296a8d.msi
c:\windows\Installer\296aaf.msi
c:\windows\Installer\296abc.msi
c:\windows\Installer\296ac2.msi
c:\windows\Installer\296acf.msi
c:\windows\Installer\2a536313.msp
c:\windows\Installer\2a53631c.msp
c:\windows\Installer\2add274.msi
c:\windows\Installer\2b23284.msi
c:\windows\Installer\2ec29156.msp
c:\windows\Installer\3224df3.msi
c:\windows\Installer\3423b620.msi
c:\windows\Installer\37d027f.msp
c:\windows\Installer\43bbc3a.msi
c:\windows\Installer\50a066d.msi
c:\windows\Installer\541df.msp
c:\windows\Installer\555eae.msp
c:\windows\Installer\5b68521.msp
c:\windows\Installer\5b68535.msp
c:\windows\Installer\5b68549.msp
c:\windows\Installer\5b6855c.msp
c:\windows\Installer\5b6856f.msp
c:\windows\Installer\5b68582.msp
c:\windows\Installer\5b6859d.msp
c:\windows\Installer\5b685b1.msp
c:\windows\Installer\5b685c5.msp
c:\windows\Installer\5b685d9.msp
c:\windows\Installer\5b685ed.msp
c:\windows\Installer\5b68605.msp
c:\windows\Installer\603570.msi
c:\windows\Installer\6b5db71.msi
c:\windows\Installer\7bc40.msi
c:\windows\Installer\87aa9e0d.msi
c:\windows\Installer\8ea2f.msi
c:\windows\Installer\8ff687.msp
c:\windows\Installer\8ff691.msp
c:\windows\Installer\8ff6a7.msp
c:\windows\Installer\8ff7ee.msp
c:\windows\Installer\8ff7f8.msp
c:\windows\Installer\8ff800.msi
c:\windows\Installer\8ff809.msp
c:\windows\Installer\8ff814.msp
c:\windows\Installer\8ff81e.msp
c:\windows\Installer\8ff832.msp
c:\windows\Installer\8ff847.msp
c:\windows\Installer\8ff851.msp
c:\windows\Installer\92385c.msp
c:\windows\Installer\92386c.msp
c:\windows\Installer\9238b1.msp
c:\windows\Installer\9238c4.msp
c:\windows\Installer\9238d4.msp
c:\windows\Installer\9238e4.msp
c:\windows\Installer\9238f6.msp
c:\windows\Installer\923907.msp
c:\windows\Installer\923917.msp
c:\windows\Installer\923926.msp
c:\windows\Installer\923935.msp
c:\windows\Installer\923945.msp
c:\windows\Installer\a5948f1.msi
c:\windows\Installer\a5948f8.msi
c:\windows\Installer\cca1e44.msi
c:\windows\Installer\cd2e1aa.msp
c:\windows\Installer\cfd0832.msp
c:\windows\Installer\cfd0842.msp
c:\windows\Installer\cfd0855.msp
c:\windows\Installer\cfd0860.msp
c:\windows\Installer\cfd0873.msp
c:\windows\Installer\cfd087d.msp
c:\windows\Installer\cfd088c.msp
c:\windows\Installer\e8bd1d0.msi
c:\windows\Installer\e8bd464.msi
c:\windows\Installer\e8bd799.msi
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\config\systemprofile\nah_qpfj.exe
c:\windows\system32\drivers\UACftiqoqolwosswmblr.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\resdll.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\UACajtllxfaordgmtalq.dll
c:\windows\system32\UACemnevppopacvritvp.dat
c:\windows\system32\UACetmnobrrndrisobpk.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACppuyciqdkdrbavvhx.dat
c:\windows\system32\uactmp.db
c:\windows\system32\UACtoerfduxjvmwftlyk.db
c:\windows\system32\UACtrrtuotxucdfkctdj.dll
c:\windows\system32\UACuuknjtkqgwkndvlxd.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\wscsvc32.exe
C:\xcrashdump.dat





c:\windows\system32\grpconv.exe . . . is missing!!

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :thumbup2:
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PROTECT
-------\Legacy_SFX
-------\Legacy_SFXDRV
-------\Service_SfX
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-25 20:04 . 2009-07-25 20:04 -------- d-----w- c:\windows\LastGood
2009-07-25 16:05 . 2009-07-25 16:05 -------- d-----w- C:\rsit
2009-07-25 02:31 . 2009-07-25 03:20 309248 ----a-w- C:\t9jdojpc.exe
2009-07-10 20:40 . 2009-07-10 20:40 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-10 20:40 . 2009-07-10 20:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-10 14:23 . 2009-07-10 14:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-07-10 01:38 . 2009-07-10 01:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LightScribe
2009-07-09 03:03 . 2009-07-09 03:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-08 21:49 . 2009-07-08 21:51 -------- d-----w- C:\Root Repeal
2009-07-08 01:01 . 2009-07-08 01:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-07 15:32 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 15:32 . 2009-07-13 16:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-07 15:32 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 02:20 . 2009-07-07 02:22 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-06 16:22 . 2009-07-06 16:47 -------- d-----w- c:\windows\system32\NtmsData
2009-07-06 16:06 . 2009-07-06 16:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\GlarySoft
2009-07-06 15:04 . 2009-07-06 15:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-07-06 15:02 . 2009-07-06 15:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-06 14:46 . 2006-10-22 18:22 229376 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-06 14:46 . 2006-10-22 20:06 229376 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-06 14:41 . 2009-07-06 14:41 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Mozilla
2009-07-06 14:38 . 2005-04-05 21:18 135168 ----a-w- c:\windows\system32\igfxres.dll
2009-07-06 14:37 . 2009-07-06 14:37 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\LightScribe
2009-07-06 14:32 . 2005-05-17 00:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-07-06 14:32 . 2005-05-17 00:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InterMute
2009-07-06 14:32 . 2005-05-17 00:50 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-07-06 14:32 . 2005-05-17 00:48 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-07-06 14:32 . 2005-05-17 00:36 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2009-07-06 14:32 . 2005-05-17 00:35 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple Computer
2009-07-06 14:32 . 2005-05-17 00:35 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2009-07-06 14:32 . 2005-05-17 00:27 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory
2009-07-06 14:32 . 2005-05-17 00:27 136 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
2009-07-06 14:32 . 2005-05-16 23:56 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150000}
2009-07-06 14:31 . 2009-07-06 14:31 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\LightScribe
2009-07-06 14:15 . 2009-07-25 20:00 -------- d-sh--r- c:\windows\system32\dllcache
2009-07-06 04:31 . 2009-07-07 12:08 -------- d-----w- c:\program files\drv
2009-07-06 04:31 . 2009-07-06 04:31 -------- d-sh--w- c:\windows\System Volume Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 19:52 . 2004-08-10 12:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-25 17:34 . 2009-07-06 14:36 90112 ----a-w- c:\windows\DUMP4b32.tmp
2009-07-25 17:21 . 2005-10-28 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-13 16:21 . 2009-05-13 17:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-13 15:53 . 2004-08-10 12:00 359040 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-07-09 12:38 . 2009-07-09 12:38 359040 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-09 02:26 . 2009-07-06 14:36 90112 ----a-w- c:\windows\DUMP69e5.tmp
2009-07-08 15:41 . 2005-05-17 00:48 -------- d-----w- c:\program files\Google
2009-07-08 14:13 . 2009-01-19 00:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-06 20:13 . 2005-05-17 00:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-06 20:13 . 2005-05-17 00:58 -------- d-----w- c:\program files\Symantec
2009-07-06 20:13 . 2005-05-17 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-06 17:27 . 2005-05-17 00:24 -------- d-----w- c:\program files\Common Files\Real
2009-07-06 17:02 . 2005-05-17 00:43 -------- d-----w- c:\program files\PC-Doctor for Windows
2009-07-06 17:02 . 2005-05-17 00:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 16:18 . 2009-07-06 14:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Symantec
2009-07-06 16:18 . 2009-07-06 14:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2009-07-06 14:46 . 2009-07-06 14:46 40 ----a-w- c:\windows\system32\BD.tmp
2009-07-06 14:38 . 2005-05-17 00:45 -------- d-----w- c:\program files\Easy Internet signup
2009-07-06 14:35 . 2009-07-06 14:35 1858 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_PX721AA-ABA M7160N_YC_0Pavi_QMXK521_E53NAsyEPC1_47_ILIMESTONE_SASUSTek Computer INC._V1.04_B3.03_T050519_WXP2_L409_M2047_J250_7Intel_8Pentium D_92.8_#050706_N808627DC_Z11C1048C_G10DE0092.MRK
2009-07-01 22:23 . 2005-07-30 13:41 -------- d-----w- c:\program files\Warcraft III
2009-06-29 14:21 . 2005-12-11 17:10 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\BitTorrent
2009-06-29 01:47 . 2006-10-16 16:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\dvdcss
2009-06-11 12:30 . 2007-07-02 06:03 -------- d-----w- c:\program files\Common Files\Apple
2009-06-11 12:22 . 2009-06-11 12:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-23 01:07 . 2005-07-30 13:44 107626 -c--a-w- c:\windows\War3Unin.dat
2009-05-08 16:42 . 2005-07-06 05:03 114536 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-15 12:20 . 2008-08-27 18:41 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2006-05-06 16:42 . 2006-10-16 02:38 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 35328]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\08d8b644-20d1-41c0-9458-ad81bba9398c.exe" [2009-04-28 1850608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 79360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 98304]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 135168]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 266240]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 274432]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-04-13 14180352]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1642496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SpySubtract.lnk - c:\program files\InterMute\SpySubtract\sslaunch.exe [2005-5-16 94208]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2005-5-16 65536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"services"=c:\windows\services.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [5/16/2005 7:07 PM 85248]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S2 ckrcww;ckrcww;c:\windows\system32\drivers\gpjfkvu.sys --> c:\windows\system32\drivers\gpjfkvu.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-07-06 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-04 01:04]

2009-07-25 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-11-13 23:58]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 15:06
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2352)
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\InterMute\SpySubtract\SpySub.exe
c:\hp\KBD\KBD.exe
.
**************************************************************************
.
Completion time: 2009-07-25 15:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-25 20:14
ComboFix2.txt 2009-05-08 23:03
ComboFix3.txt 2009-05-08 22:56
ComboFix4.txt 2009-05-08 20:03

Pre-Run: 37,429,690,368 bytes free
Post-Run: 37,278,978,048 bytes free

364 --- E O F --- 2009-07-08 15:21

ComboFix told me to make note of multiple files with UAC in them, which GMER also said were bad.

SAS was able to get through a quick scan. Neither SAS nor MBAM found anything during their quick scans though.

Hopefully we're getting close to nuking this bastard.

Should I try downloading a fresh ComboFix and running it again?
Again, thanks for the help; I've been pulling my hair out over this.

Edited by snkzato1, 25 July 2009 - 05:06 PM.
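
The two findings worth reading in the log above are the catchme line "detected NTDLL code modification: ZwOpenFile" (a user-mode hook on a file-open API, which is how stealth malware hides its files from scanners) and the DLL loaded into explorer.exe from the user's Temp directory (IadHide5.dll). The script below is an added example, not a tool from this thread or from ComboFix/GMER: it pulls those two sections out of a log and flags them. The sample log is constructed from the lines quoted in the post, and the two flagging rules (module from a Temp/Tmp directory; module in winlogon.exe from outside \Windows) are my own heuristics, not anything the tools themselves apply.

```python
"""Triage two sections of a ComboFix/catchme log: the catchme
'detected NTDLL code modification' block and the 'DLLs Loaded Under
Running Processes' block.  Added example, not a tool from the thread.
Flagging rules are the author's own heuristics (assumption):
  * a module loaded from a Temp/Tmp directory is suspicious;
  * a module loaded into winlogon.exe from outside \\Windows is worth
    a manual check (winlogon notification packages run before logon).
"""
import re
from pathlib import PureWindowsPath

# Constructed sample, assembled from the log lines quoted in the post above.
SAMPLE_LOG = r"""
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 15:06
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2352)
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
"""

PROC_HDR = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
TEMP_DIRS = {"temp", "tmp"}


def parse_ntdll_hooks(log):
    """Function names listed under 'detected NTDLL code modification:'."""
    hooks = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() == "detected ntdll code modification:":
            for func in lines[i + 1:]:
                if not func.strip():
                    break
                hooks.append(func.strip())
    return hooks


def parse_loaded_dlls(log):
    """(process, pid, path) triples from the 'DLLs Loaded' section."""
    entries, in_section, proc, pid = [], False, None, None
    for line in log.splitlines():
        s = line.strip()
        if "DLLs Loaded Under Running Processes" in s:
            in_section = True
            continue
        if not in_section:
            continue
        if s.startswith("----"):          # next section banner ends ours
            break
        m = PROC_HDR.match(s)
        if m:
            proc, pid = m.group("proc").lower(), int(m.group("pid"))
            continue
        if proc and WIN_PATH.match(s):
            entries.append((proc, pid, s))
    return entries


def flag_modules(entries):
    """Apply the two heuristics; returns (process, pid, path, reason)."""
    findings = []
    for proc, pid, path in entries:
        parts = [p.lower().rstrip("\\") for p in PureWindowsPath(path).parts]
        if any(p in TEMP_DIRS for p in parts[:-1]):
            findings.append((proc, pid, path, "module loaded from a temp directory"))
        elif proc == "winlogon.exe" and parts[1] != "windows":
            findings.append((proc, pid, path, "third-party module inside winlogon.exe; verify it"))
    return findings


def triage(log):
    return {"ntdll_hooks": parse_ntdll_hooks(log),
            "findings": flag_modules(parse_loaded_dlls(log))}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in result["ntdll_hooks"]:
        print("ntdll hook:", name)
    for proc, pid, path, why in result["findings"]:
        print(f"{proc}({pid}): {path}  <- {why}")
```

On the sample it reports the ZwOpenFile hook, flags IadHide5.dll in explorer.exe as loaded from Temp, and flags SASWINLO.dll for review; that last one is the SUPERAntiSpyware component the poster installed, so a manual check clears it, which is why the rule says "verify" rather than "malicious".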


#9 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 26 July 2009 - 08:07 AM

If ComboFix said that Virut was present, then there would be no recovery.

Just to double-check some system files to see if you have Virut, do the following:
If the NT AUTHORITY shutdown occurs, go to Start > Run, type in: shutdown -a and hit OK; this will stop the shutdown process.

Then do the following:
Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse; once you have done that, click on the Open button, then Submit.)

C:\Windows\system32\explorer.exe
C:\Windows\system32\userinit.exe
C:\Windows\system32\svchost.exe
Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete; please copy and paste those results in your next post.

Edited by kahdah, 26 July 2009 - 08:08 AM.

Please do not PM for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a PM as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#10 snkzato1

  • Topic Starter
  • Members
  • 43 posts

Posted 26 July 2009 - 11:54 AM

Can this be done in safe mode, or must it be done in normal mode?

#11 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 26 July 2009 - 11:55 AM

Either one, whichever is easier.

#12 snkzato1

  • Topic Starter
  • Members
  • 43 posts

Posted 26 July 2009 - 12:14 PM

Posting the results will be difficult, as Firefox just won't open and IE closes all the time, but the scans definitely said Virut.

So it's a wipe then isn't it?

#13 snkzato1

  • Topic Starter
  • Members
  • 43 posts

Posted 26 July 2009 - 04:36 PM

So I've decided I'm just going to format, and I'm trying to transfer files to my externals; lucky me, normal mode won't even boot now. It gives me a "services.exe" error, then I get a black screen, and in safe mode it says I don't have permission to transfer or copy the files.

It is definitely Virut, and I'm pretty sure I lost this battle. I just need help trying to get some files to jump ship before I go Hiroshima on my hard drive.

#14 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 26 July 2009 - 06:22 PM

Yes, Virut, once launched, spreads rapidly.
It would be better to use a Linux disk to boot into a live environment that is not Windows to get the non-infectable files.
Here is a tutorial on how to do it.

http://www.howtogeek.com/howto/windows-vis...ndows-computer/

Here is a write-up on Virut; do not back up .exe or .scr files, as they are infectable.
http://www.f-secure.com/v-descs/virus_w32_virut.shtml

Edited by kahdah, 26 July 2009 - 06:22 PM.

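
The advice in the post above, booting a non-Windows live environment and copying everything except the infectable .exe and .scr files, is easy to get wrong by hand across a whole profile. The script below is an added example, not something from the thread or from the linked tutorial: it walks a source tree (the mounted Windows disk, under a Linux live CD) and splits it into files to copy and files to leave behind. The .exe/.scr rule is the one stated in the post; as an extension of it (my assumption, not from the post), any file whose first two bytes are the PE magic "MZ" is also skipped, so a renamed executable does not slip through. The sample tree is constructed in a temp directory so the script runs stand-alone.

```python
"""Split a directory tree into files safe to copy off a Virut-infected
disk and files to leave behind.  Added example, not from the thread.

Rule from the post above: do not back up .exe or .scr files.
Extension (assumption): also skip anything that starts with the PE
magic 'MZ', whatever its extension, since a renamed executable is
just as infectable.
"""
import tempfile
from pathlib import Path

INFECTABLE_EXT = {".exe", ".scr"}   # from the post above
PE_MAGIC = b"MZ"                    # assumption: catch renamed executables too


def is_infectable(path: Path) -> bool:
    """True if the file should stay on the infected disk."""
    if path.suffix.lower() in INFECTABLE_EXT:
        return True
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return True  # unreadable: do not carry it across


def classify_tree(root):
    """Return (copy, skip): lists of paths relative to root, POSIX style."""
    root = Path(root)
    copy, skip = [], []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            (skip if is_infectable(p) else copy).append(rel)
    return copy, skip


def build_sample_tree():
    """Constructed sample: a few files of each kind in a fresh temp dir."""
    root = Path(tempfile.mkdtemp(prefix="virut_backup_"))
    (root / "docs").mkdir()
    (root / "docs" / "thesis.doc").write_bytes(b"\xd0\xcf\x11\xe0 word doc")
    (root / "photos").mkdir()
    (root / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg")
    (root / "notes.txt").write_bytes(b"plain text")
    (root / "setup.exe").write_bytes(b"MZ\x90\x00 pe")          # by extension
    (root / "saver.SCR").write_bytes(b"MZ\x90\x00 pe")          # case-insensitive
    (root / "renamed.dat").write_bytes(b"MZ\x90\x00 pe renamed")  # by magic only
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    copy, skip = classify_tree(root)
    print("copy:", copy)
    print("skip:", skip)
```

From the live CD you would point classify_tree at the mounted profile (on this machine the log's c:\docume~1\HP_ADM~1 is C:\Documents and Settings\HP_Administrator; the mount point is whatever the live CD assigns, which is an assumption here) and copy only the first list to the external drive. If the F-Secure write-up linked above lists further infectable types, add them to INFECTABLE_EXT.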

#15 snkzato1

  • Topic Starter
  • Members
  • 43 posts

Posted 26 July 2009 - 06:59 PM

Thanks! I'll let you know how it goes later!
