Severe Infection Please Help Diagnost
19 replies to this topic

#1 Blastedw0lf4

Posted 03 September 2009 - 12:07 PM

I'm gonna try to keep this short and simple, as my machine is blue-screening me out every time I try to post.

I am unable to scan HJT logs, DDS logs, and RootRepeal logs..

I started my first thread here.

I can name at least 2 of the malware/spyware programs installed, which are:

1. Total Security

2. PC_antispyware2010

Please, someone help me....

Here is a Win32kDiag log
------------------------------------------------------------------------------------------------------------------------------------
Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB967715\KB967715
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP747.tmp\ZAP747.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7F2.tmp\ZAP7F2.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8D4.tmp\ZAP8D4.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP925.tmp\ZAP925.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Cache
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9b9c80e2f055ce97c0f0b65924ea9f29\backup\backup
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Adobe\update\update
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\PRODUCTION\PRODUCTION
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\WLTB Custom Buttons\microsoft.windowslive.addbtn.btn\microsoft.windowslive.addbtn.btn
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Groove\System\System
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Groove\User\User
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\dumprep.exe (Microsoft Corporation)

Merged posts. ~ OB

Edited by Orange Blossom, 03 September 2009 - 10:06 PM.


#2 Blastedw0lf4

Posted 07 September 2009 - 09:05 AM

Hi all, just wondering if my topic has possibly been overlooked???

#3 Blastedw0lf4

Posted 09 September 2009 - 12:22 PM

Well, I had my machine disconnected for a couple of days because of some remodeling going on around my home, and I just plugged her back in. Still severely infected, but I was able to scan the 1st tab in RootRepeal... my machine locked me out from doing further scans. Hopefully someone can take a look at them and see exactly what I have on my machine. Again, I would like to thank anyone that can take the time out and take a look at this log.


------------------------------------------------------------------------------------------------------------------------------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/09 13:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00000035
Image Path: \Driver\00000035
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF9009000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xF93E0000 Size: 17920 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF0607000 Size: 138368 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF8FC1000 Size: 98304 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF9767000 Size: 3072 File Visible: - Signed: -
Status: -

Name: axrqwc33.SYS
Image Path: C:\WINDOWS\System32\Drivers\axrqwc33.SYS
Address: 0xF892C000 Size: 303104 File Visible: No Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF9268000 Size: 45056 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF9548000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF92B8000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF9398000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF9178000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF9168000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF91C8000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF046C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF966A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF8889000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF97E4000 Size: 4096 File Visible: - Signed: -
Status: -

Name: e100b325.sys
Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Address: 0xF8AA1000 Size: 154112 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF9478000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF9288000 Size: 34944 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF8FA1000 Size: 128896 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF9664000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF8FD9000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xF91A8000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000 Size: 131968 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF92C8000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF9528000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF88A1000 Size: 9600 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEF55E000 Size: 262784 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF9378000 Size: 52736 File Visible: - Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA3A000 Size: 925696 File Visible: - Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBFA05000 Size: 217088 File Visible: - Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9E3000 Size: 139264 File Visible: - Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xF8CDD000 Size: 1302208 File Visible: - Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9D5000 Size: 57344 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF91B8000 Size: 41856 File Visible: - Signed: -
Status: -

Name: IntelC51.sys
Image Path: C:\WINDOWS\system32\DRIVERS\IntelC51.sys
Address: 0xF8B5C000 Size: 1205920 File Visible: - Signed: -
Status: -

Name: IntelC52.sys
Image Path: C:\WINDOWS\system32\DRIVERS\IntelC52.sys
Address: 0xF8AC7000 Size: 609120 File Visible: - Signed: -
Status: -

Name: IntelC53.sys
Image Path: C:\WINDOWS\system32\DRIVERS\IntelC53.sys
Address: 0xF9368000 Size: 57888 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF963C000 Size: 5504 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF9358000 Size: 36096 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF0524000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF06A9000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF9138000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF9480000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF9638000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xEF37B000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF8C83000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF8F71000 Size: 92032 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF9666000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF9470000 Size: 30080 File Visible: - Signed: -
Status: -

Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xF9608000 Size: 16128 File Visible: - Signed: -
Status: -

Name: mohfilt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mohfilt.sys
Address: 0xF9468000 Size: 23520 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF94E8000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF889D000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF9148000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF0545000 Size: 453632 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF9510000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF9208000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF8E37000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF8E9C000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF8EB7000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF8E47000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xF0358000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF88B6000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF9228000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF9278000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF0629000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF9518000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8EE4000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF9739000 Size: 2944 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF8A8D000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF93C0000 Size: 18688 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF96FC000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF8FF8000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCIIde.sys
Image Path: PCIIde.sys
Address: 0xF9700000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\Drivers\PCIIDEX.SYS
Address: 0xF93B8000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF8A29000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF88A5000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF94D8000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF9188000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF9618000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF91D8000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF91E8000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF91F8000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF94E0000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF05DC000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF9668000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF93A8000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF82F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF8914000 Size: 98304 File Visible: - Signed: -
Status: -

Name: senfilt.sys
Image Path: C:\WINDOWS\system32\drivers\senfilt.sys
Address: 0xF8976000 Size: 732928 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xF962C000 Size: 15488 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xF9388000 Size: 64896 File Visible: - Signed: -
Status: -

Name: smwdm.sys
Image Path: C:\WINDOWS\system32\drivers\smwdm.sys
Address: 0xF8A4D000 Size: 260224 File Visible: - Signed: -
Status: -

Name: sptd.sys
Image Path: sptd.sys
Address: 0xF904F000 Size: 819200 File Visible: - Signed: -
Status: -

Name: SPTDDRV1.SYS
Image Path: C:\WINDOWS\System32\Drivers\SPTDDRV1.SYS
Address: 0xF9037000 Size: 98304 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xEFA4F000 Size: 333184 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF965C000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xEFF84000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF0651000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF94D0000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF9218000 Size: 40704 File Visible: - Signed: -
Status: -

Name: TPkd.sys
Image Path: TPkd.sys
Address: 0xF8F88000 Size: 102400 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF8784000 Size: 364160 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF9662000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF9460000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF9248000 Size: 57600 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF8CA6000 Size: 143360 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF9458000 Size: 20480 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF9508000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF8CC9000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF9158000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF9298000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF9530000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEFE67000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF9538000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF881D000 Size: 61440 File Visible: No Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xF963A000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: wpsnuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wpsnuio.sys
Address: 0xF0354000 Size: 12416 File Visible: - Signed: -
Status: -
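
Both logs above carry the same two indicators a responder looks for on this kind of infection: Win32kDiag lists dozens of directory junctions under C:\WINDOWS that all resolve to the named device \Device\__max++>\^ rather than to a disk volume, and RootRepeal lists kernel images with no visible backing file (00000035, axrqwc33.SYS) or loaded from an NTFS alternate data stream (win32k.sys:1, win32k.sys:2). The script below is an added example, not code from the thread, from Win32kDiag or from RootRepeal: it parses both formats and flags those entries. The sample logs are short excerpts of the entries posted above plus one constructed benign junction (the Links\Music entry, which is not from the logs) so the filter has something to pass; the flagging rules are triage heuristics, not proof of infection.

```python
"""Parse Win32kDiag mount-point output and RootRepeal driver records and
flag the entries a responder would want to look at first.

Added example; not part of the original thread or of either tool."""
import re

# Win32kDiag prints each redirected directory as a pair of lines.
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")

# A legitimate junction resolves to a \??\ path or a disk volume device.
# Anything else (here: a named device the rootkit created) is suspect.
BENIGN_DEST = re.compile(r"^(\\\?\?\\|\\Device\\HarddiskVolume\d+)", re.IGNORECASE)

# RootRepeal's one-line attribute record for each driver.
DRIVER_FIELDS = re.compile(
    r"^Address: (?P<address>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+"
    r"File Visible: (?P<visible>\S+)\s+Signed: (?P<signed>\S+)$")

# Kernel images that are legitimately not backed by a visible file:
# the crash-dump driver copies and the scanner's own driver.
EXPECTED_HIDDEN = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.IGNORECASE)


def win32kdiag_mount_points(text):
    """Return (path, destination) pairs in the order Win32kDiag listed them."""
    pairs, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group(1)))
            pending = None
    return pairs


def suspicious_mount_points(text):
    """Mount points whose destination is neither a \\??\\ path nor a volume."""
    return [(p, d) for p, d in win32kdiag_mount_points(text)
            if not BENIGN_DEST.match(d)]


def rootrepeal_drivers(text):
    """Parse the Drivers section into one dict per driver record."""
    drivers, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name: "):
            cur = {"name": line[len("Name: "):]}
            drivers.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Image Path: "):
            cur["image_path"] = line[len("Image Path: "):]
        elif line.startswith("Address: "):
            m = DRIVER_FIELDS.match(line)
            if m:
                cur.update(m.groupdict())
                cur["size"] = int(cur["size"])
    return drivers


def suspicious_drivers(text):
    """Return (name, image_path, reason) for drivers that merit a closer look."""
    findings = []
    for d in rootrepeal_drivers(text):
        path = d.get("image_path", "")
        reasons = []
        # A colon in the final path component (win32k.sys:1) means the
        # image was loaded from an NTFS alternate data stream.
        if ":" in path.rsplit("\\", 1)[-1]:
            reasons.append("image loaded from an alternate data stream")
        if d.get("visible") == "No" and not EXPECTED_HIDDEN.match(d["name"]):
            reasons.append("no visible backing file on disk")
        if reasons:
            findings.append((d["name"], path, "; ".join(reasons)))
    return findings


# Excerpt of the posted Win32kDiag log; the Links\Music junction is a
# constructed benign entry added to show the filter letting it through.
SAMPLE_WIN32KDIAG = r"""
Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Documents and Settings\Owner\Links\Music
Mount point destination : \??\C:\Documents and Settings\Owner\My Documents\My Music
"""

# Excerpt of the posted RootRepeal Drivers section.
SAMPLE_ROOTREPEAL = r"""
Name: 00000035
Image Path: \Driver\00000035
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Name: axrqwc33.SYS
Image Path: C:\WINDOWS\System32\Drivers\axrqwc33.SYS
Address: 0xF892C000 Size: 303104 File Visible: No Signed: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF046C000 Size: 98304 File Visible: No Signed: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF82F000 Size: 49152 File Visible: No Signed: -
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF9538000 Size: 20480 File Visible: No Signed: -
"""

if __name__ == "__main__":
    for path, dest in suspicious_mount_points(SAMPLE_WIN32KDIAG):
        print("redirected directory:", path, "->", dest)
    for name, path, why in suspicious_drivers(SAMPLE_ROOTREPEAL):
        print("driver:", name, path, "(" + why + ")")
```

Run against the full logs posted above, the mount-point check returns every junction Win32kDiag listed (all of them point at the same device), and the driver check returns 00000035, axrqwc33.SYS, win32k.sys:1 and win32k.sys:2 while passing dump_atapi.sys, dump_WMILIB.SYS and rootrepeal.sys, which are hidden for legitimate reasons. The EXPECTED_HIDDEN allow-list is an assumption for this example and should be kept short on purpose: a rootkit that names its driver after a crash-dump copy would slip through it.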

#4 Net_Surfer

Posted 19 September 2009 - 05:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks, and again sorry for the delay.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE




****If you can not scan with DDS, just respond to this so we know that you are there and still need help.

Kind regards
Net_Surfer

:(

#5 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 21 September 2009 - 06:43 PM

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:19:38.28 on Mon 09/21/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.223 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe, explorer.exe
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Orb] "c:\program files\orb networks\orb\bin\OrbTray.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [braviax] c:\windows\system32\braviax.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Barsaka] explorer.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586-jc.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-13 24652]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-9-19 28672]
S2 gupdate1c9d66a8caf18a6;Google Update Service (gupdate1c9d66a8caf18a6);c:\program files\google\update\GoogleUpdate.exe [2009-5-16 133104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\56.tmp --> c:\windows\system32\56.tmp [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-09-21 18:48 <DIR> -cd-h--- c:\windows\ie8
2009-09-21 10:02 <DIR> --d----- C:\294750e1303ee45971e2
2009-09-19 19:39 <DIR> --d----- c:\program files\iPod
2009-09-19 19:38 <DIR> --d----- c:\program files\iTunes
2009-09-19 19:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 19:18 43,520 a------- c:\windows\system32\libusb0.dll
2009-09-19 19:18 28,672 a------- c:\windows\system32\drivers\libusb0.sys
2009-09-19 19:18 <DIR> --d----- c:\program files\LibUSB-Win32
2009-09-16 19:23 9,728 ---shr-- c:\windows\system32\explorer.exe
2009-09-15 22:19 17,594 a------- c:\docume~1\alluse~1\applic~1\udihamuhig.exe
2009-09-15 22:19 15,718 a------- c:\docume~1\alluse~1\applic~1\idav.exe
2009-09-15 22:19 15,342 a------- c:\program files\common files\unexihip.bin
2009-09-15 22:19 13,132 a------- c:\program files\common files\etiqopypow.reg
2009-09-15 22:19 12,310 a------- c:\windows\wajyqi.bat
2009-09-15 22:19 11,378 a------- c:\windows\axag.sys
2009-09-15 22:19 10,721 a------- c:\docume~1\owner\applic~1\namonip.scr
2009-09-15 22:19 16,147 a------- c:\docume~1\owner\applic~1\ajuzyha.scr
2009-09-15 22:19 15,356 a------- c:\docume~1\owner\applic~1\qelirilo.bat
2009-09-15 22:19 14,919 a------- c:\windows\system32\ruvyvical.dat
2009-09-15 22:19 14,151 a------- c:\windows\sifojuna.dll
2009-09-10 10:46 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 10:46 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 10:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 16:49 15,926 a------- c:\program files\common files\azywifigin.pif
2009-09-09 16:49 11,652 a------- c:\docume~1\owner\applic~1\ebyfexi.dll
2009-09-09 15:50 <DIR> --d----- c:\program files\Sophos
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-09-01 19:37 19,896 a------- c:\program files\common files\zuvo.bin
2009-09-01 19:37 19,773 a------- c:\windows\awogenywor.ban
2009-09-01 19:37 17,425 a------- c:\windows\edufe.com
2009-09-01 19:37 13,104 a------- c:\windows\system32\zawix.pif
2009-09-01 19:37 13,100 a------- c:\program files\common files\waniha.scr
2009-09-01 19:37 12,070 a------- c:\windows\system32\rygufedab.dll
2009-08-31 20:49 6,489 ---sh--- c:\windows\system32\piseraho.dll
2009-08-30 23:36 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-30 23:36 <DIR> --d----- c:\program files\Avira
2009-08-30 16:36 19,709 a------- c:\windows\kilyzyvane.exe
2009-08-30 16:36 18,912 a------- c:\windows\fyxevoj._dl
2009-08-30 16:36 17,340 a------- c:\windows\system32\nules.exe
2009-08-30 16:36 17,056 a------- c:\docume~1\alluse~1\applic~1\ozoquruwa.bat
2009-08-30 16:36 15,938 a------- c:\program files\common files\qody.vbs
2009-08-30 16:36 14,910 a------- c:\windows\system32\isisutazaq.ban
2009-08-30 16:36 14,061 a------- c:\docume~1\alluse~1\applic~1\avuxumale.bin
2009-08-30 16:36 13,932 a------- c:\windows\muhasecuq._dl
2009-08-30 16:36 13,734 a------- c:\windows\wediwido._sy
2009-08-30 16:36 11,621 a------- c:\program files\common files\uhixefal.bin
2009-08-30 16:36 10,238 a------- c:\docume~1\alluse~1\applic~1\akexila.com
2009-08-30 14:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14215314
2009-08-30 13:59 0 a------- C:\-1744262428
2009-08-30 13:58 21,504 a------- C:\emxtqjit.exe
2009-08-30 13:57 17,920 a------- C:\osps.exe

==================== Find3M ====================

2009-09-15 22:19 13,727 a------- c:\program files\common files\mufotoluv._dl
2009-09-10 00:48 38,400 a--sh--- c:\windows\system32\wubezazu.dll
2009-09-09 16:49 19,602 a------- c:\windows\zamili.vbs
2009-09-09 16:49 18,500 a------- c:\program files\common files\ekyka._sy
2009-09-09 16:49 17,650 a------- c:\windows\system32\jaled.com
2009-09-09 16:49 15,853 a------- c:\windows\system32\joxaju.bin
2009-09-09 16:49 12,895 a------- c:\windows\system32\gucafujuv.bat
2009-09-09 16:49 11,786 a------- c:\windows\defezyzo.bin
2009-09-09 16:49 11,004 a------- c:\windows\exyhojyla.dat
2009-09-09 16:49 10,433 a------- c:\program files\common files\faxo.db
2009-09-09 12:49 831,524 a--sh--- c:\windows\system32\tikufozi.exe
2009-09-09 12:49 88,576 a--sh--- c:\windows\system32\famavebe.dll
2009-09-09 12:49 37,888 a--sh--- c:\windows\system32\numonuji.dll
2009-09-09 12:49 24,490 a--sh--- c:\windows\system32\helileve.exe
2009-09-06 16:08 831,524 a--sh--- c:\windows\system32\ramobugu.exe
2009-09-06 16:08 88,576 a--sh--- c:\windows\system32\vuverisa.dll
2009-09-06 16:08 24,490 a--sh--- c:\windows\system32\kizosewa.exe
2009-09-04 20:36 831,524 a--sh--- c:\windows\system32\pufuyada.exe
2009-09-04 20:36 88,576 a--sh--- c:\windows\system32\wenihubi.dll
2009-09-03 13:26 88,576 a--sh--- c:\windows\system32\jezosudo.dll
2009-09-03 13:26 37,376 a--sh--- c:\windows\system32\yuniyuzi.dll
2009-09-01 20:49 831,012 a--sh--- c:\windows\system32\ravufuge.exe
2009-09-01 20:49 88,064 a--sh--- c:\windows\system32\lisepeyo.dll
2009-09-01 20:49 37,888 a--sh--- c:\windows\system32\gimujewa.dll
2009-09-01 19:37 19,338 a------- c:\program files\common files\femagojiby._dl
2009-09-01 19:37 14,992 a------- c:\program files\common files\wytynoqife.inf
2009-09-01 08:49 831,012 a--sh--- c:\windows\system32\pusekudu.exe
2009-09-01 08:49 84,480 a--sh--- c:\windows\system32\yikapoya.dll
2009-09-01 08:49 37,376 a--sh--- c:\windows\system32\gahejeyu.dll
2009-08-31 20:49 831,012 a--sh--- c:\windows\system32\liborazo.exe
2009-08-31 20:49 37,376 a--sh--- c:\windows\system32\sutojude.dll
2009-08-31 02:12 209,408 a--sh--- c:\windows\system32\nojuvuva.dll
2009-08-31 02:12 831,012 a--sh--- c:\windows\system32\mulirowo.exe
2009-08-31 02:12 209,408 a--sh--- c:\windows\system32\togemobo.dll
2009-08-30 14:10 829,988 a--sh--- c:\windows\system32\rimolodo.exe
2009-08-30 14:10 209,408 a--sh--- c:\windows\system32\rodusano.dll
2009-08-30 14:10 209,408 a--sh--- c:\windows\system32\kubuyula.dll
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 00:35 35,188 a------- c:\windows\DIIUnin.dat
2009-08-04 00:34 21,840 a------- c:\windows\system32\SIntfNT.dll
2009-08-04 00:34 17,212 a------- c:\windows\system32\SIntf32.dll
2009-08-04 00:34 12,067 a------- c:\windows\system32\SIntf16.dll
2009-08-03 21:50 94,208 a------- c:\windows\DIIUnin.exe
2009-08-03 21:50 2,829 a------- c:\windows\DIIUnin.pif
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 19:22 388,608 a------- c:\windows\system32\CF17794.exe
2009-07-13 05:48 219,648 a------- c:\windows\PEV.exe
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
2006-11-08 02:15 17,144 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 19:19:58.43 ===============


Edited by Blastedw0lf4, 21 September 2009 - 07:06 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:33 PM

Posted 24 September 2009 - 08:48 PM

Hi Blastedw0lf4,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

The first log shows signs of a rootkit.

Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as. In the box that opens type in peek.bat for the file name. Right below that click the down arrow in the line for save as and select all files. Save this to your desktop and close notepad.

@ECHO OFF
REM Recursive listing (all attributes) of these four DLLs anywhere under C:\WINDOWS, written to Log.txt
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
REM Open the result in the default text editor, then delete this batch file
START Log.txt
DEL %0

Locate the peek.bat icon on your desktop and double click it. Then copy and paste the resulting log in your next reply.

Thanks :(
m0le is a proud member of UNITE
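What m0le is reading out of the DDS log above, written down as a script: an added example, not part of this thread and not DDS code, run over a constructed handful of lines copied from that log. The meaning of the attribute letters (s = system, h = hidden, d = directory) and the rule that a bare executable name is resolved through the search path are assumptions stated in the comments.

```python
"""Triage a DDS log for the indicators discussed in this thread.

Added example, not part of the thread and not DDS code. It writes down,
as checks, what a helper reads by eye from the log above: a Userinit value
that launches an extra program, Run entries that name a bare executable,
a Task Manager policy lock, and hidden+system files under c:\\windows.
Assumptions: DDS attribute letters mean s = system, h = hidden, d = directory;
an unqualified executable name is resolved through the search path.
"""
import re
from typing import List

# Constructed sample: a few lines copied from the DDS log in this thread
# plus benign lines, so the script runs offline without a real log.
SAMPLE_LOG = """\
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe, explorer.exe
uRun: [braviax] c:\\windows\\system32\\braviax.exe
mRun: [Barsaka] explorer.exe
mRun: [igfxpers] c:\\windows\\system32\\igfxpers.exe
mRun: [QuickTime Task] "c:\\program files\\quicktime\\QTTask.exe" -atboottime
dPolicies-system: DisableTaskMgr = 1 (0x1)
2009-09-16 19:23 9,728 ---shr-- c:\\windows\\system32\\explorer.exe
2009-09-10 00:48 38,400 a--sh--- c:\\windows\\system32\\wubezazu.dll
2009-09-10 10:46 19,096 a------- c:\\windows\\system32\\drivers\\mbam.sys
2009-09-21 18:48 <DIR> -cd-h--- c:\\windows\\ie8
"""

USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(?P<value>.*)$")
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^dPolicies-system: DisableTaskMgr = (?P<val>\d+)")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)
# The only place the real XP shell lives; any other explorer.exe is a look-alike.
WINDOWS_SHELL = "c:\\windows\\explorer.exe"


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> List[str]:
    """Return the findings for one DDS line (empty list when nothing is off)."""
    findings: List[str] = []
    m = USERINIT_RE.match(line)
    if m:
        # Winlogon runs every comma-separated entry; only userinit.exe belongs here.
        for entry in (e.strip() for e in m.group("value").split(",")):
            if entry and basename(entry) != "userinit.exe":
                findings.append(f"Userinit runs an extra program: {entry}")
        return findings
    m = RUN_RE.match(line)
    if m:
        # A bare name (no backslash) is found via the search path, so a file
        # dropped in system32 can shadow the intended program.
        exe = first_token(m.group("cmd"))
        if "\\" not in exe:
            findings.append(f"Run entry [{m.group('name')}] uses a bare name: {exe}")
        return findings
    m = POLICY_RE.match(line)
    if m and m.group("val") != "0":
        findings.append("Task Manager disabled by policy (DisableTaskMgr)")
        return findings
    m = FILE_RE.match(line)
    if m:
        attrs, path = m.group("attrs"), m.group("path").lower()
        if "d" not in attrs and "s" in attrs and "h" in attrs and "\\windows\\" in path:
            findings.append(f"hidden+system file under Windows: {path}")
        if basename(path) == "explorer.exe" and path != WINDOWS_SHELL:
            findings.append(f"explorer.exe outside the Windows directory: {path}")
    return findings


def triage(log_text: str) -> List[str]:
    """Run triage_line over a whole log and collect the findings in order."""
    out: List[str] = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports six findings; the two on c:\windows\system32\explorer.exe (hidden+system, and a shell name outside the Windows directory) are the ones that line up with the Userinit and Run entries.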

#7 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 25 September 2009 - 01:18 PM

peek.bat results

Volume in drive C has no label.
Volume Serial Number is 9808-AAE4

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:33 PM

Posted 25 September 2009 - 02:15 PM

It didn't like that.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
m0le is a proud member of UNITE

#9 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 26 September 2009 - 12:16 AM

ok here's the last log you requested


Running from: C:\Documents and Settings\Owner\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357

Found mount point : C:\WINDOWS\$hf_mig$\KB967715\KB967715

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB967715\KB967715

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP747.tmp\ZAP747.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP747.tmp\ZAP747.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7F2.tmp\ZAP7F2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7F2.tmp\ZAP7F2.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8D4.tmp\ZAP8D4.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8D4.tmp\ZAP8D4.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP925.tmp\ZAP925.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP925.tmp\ZAP925.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cache\Cache

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9b9c80e2f055ce97c0f0b65924ea9f29\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9b9c80e2f055ce97c0f0b65924ea9f29\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Adobe\update\update

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\PRODUCTION\PRODUCTION

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\PRODUCTION\PRODUCTION

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\WLTB Custom Buttons\microsoft.windowslive.addbtn.btn\microsoft.windowslive.addbtn.btn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\WLTB Custom Buttons\microsoft.windowslive.addbtn.btn\microsoft.windowslive.addbtn.btn

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Groove\System\System

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Groove\System\System

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Groove\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Groove\User\User

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\temp\WLTB0000\WLTB0000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\WLTB0000\WLTB0000

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!
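As an added triage example (not part of this thread, and not a Win32kDiag or BleepingComputer tool), the Python below pairs the Found / destination / Removing lines of a Win32kDiag log like the one above and flags entries that share the two traits visible there: a nested folder repeating its parent's name, and a destination that is not a normal \??\Volume{GUID}\ path. The sample log, the path heuristics and the volume-mount convention it checks against are assumptions of the example.

```python
"""Triage helper for Win32kDiag mount-point output (added example; not the
original poster's log nor a Win32kDiag feature)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the same format as the log posted above (hypothetical).
# The first entry looks like a legitimate NTFS volume mount point; the others
# mimic the rootkit-style entries (folder repeating its parent's name, pointing
# at a device path instead of a volume).
SAMPLE_LOG = (
    "Found mount point : C:\\mnt\\data\n"
    "Mount point destination : \\??\\Volume{3b9d6e1a-0d6e-4c8a-9b1f-5c2a8e7d4f10}\\\n"
    "\n"
    "Found mount point : C:\\WINDOWS\\system32\\1054\\1054\n"
    "Mount point destination : \\Device\\__max++>\\^\n"
    "Removing mount point : C:\\WINDOWS\\system32\\1054\\1054\n"
    "\n"
    "Found mount point : C:\\WINDOWS\\temp\\WLTB0000\\WLTB0000\n"
    "Mount point destination : \\Device\\__max++>\\^\n"
    "\n"
    "Finished!\n"
)

LINE_RE = re.compile(
    r"^(Found mount point|Mount point destination|Removing mount point) : (.*)$"
)
# A genuine volume mount point resolves to \??\Volume{GUID}\ (Windows convention).
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\?$")


@dataclass
class MountPoint:
    path: str
    destination: str = ""
    removed: bool = False
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_win32kdiag(text: str) -> List[MountPoint]:
    """Pair each 'Found mount point' line with the destination and removal
    lines that follow it, then flag entries that do not look like a normal
    volume mount point."""
    entries: List[MountPoint] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, 'Finished!', warnings, etc.
        kind, value = m.group(1), m.group(2).rstrip()
        if kind == "Found mount point":
            entries.append(MountPoint(path=value))
        elif not entries:
            continue  # destination/removal line with no preceding 'Found'
        elif kind == "Mount point destination":
            entries[-1].destination = value
        elif value.lower() == entries[-1].path.lower():
            entries[-1].removed = True  # 'Removing mount point' for this entry
    for e in entries:
        _classify(e)
    return entries


def _classify(e: MountPoint) -> None:
    parts = [p for p in e.path.split("\\") if p]
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        e.reasons.append("nested folder repeats its parent's name")
    if not VOLUME_RE.match(e.destination):
        e.reasons.append("destination is not a \\??\\Volume{GUID}\\ path")


def summarize(entries: List[MountPoint]) -> Dict[str, object]:
    """Counts a responder wants at a glance, plus the distinct suspicious
    destinations: one device name reused across hundreds of folders is the
    pattern visible in the log above."""
    suspicious = [e for e in entries if e.suspicious]
    return {
        "total": len(entries),
        "suspicious": len(suspicious),
        "removed": sum(1 for e in entries if e.removed),
        "destinations": sorted({e.destination for e in suspicious}),
    }


if __name__ == "__main__":
    found = parse_win32kdiag(SAMPLE_LOG)
    for e in found:
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{flag:10} {e.path} -> {e.destination} "
              f"({'; '.join(e.reasons) or 'volume mount'})")
    print(summarize(found))
```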

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 September 2009 - 03:01 PM

Yes, that's a rootkit.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
m0le is a proud member of UNITE

#11 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts

Posted 28 September 2009 - 11:26 AM

OK, I'm not sure what happened... ComboFix was running its thing and it got all the way up to level 48 or so, but then it froze, so I manually restarted my machine. No log was ever made, but at least I must say my machine is a lot more responsive now than it was before, so I think ComboFix did something. Let me know if there are any other scans or logs you need.

Thanks

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 September 2009 - 12:48 PM

Please check for the log by following the instructions below.

Please go to Start > Run > and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.

#13 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts

Posted 28 September 2009 - 05:02 PM

2009-05-29 05:23:04 . 2009-05-29 14:31:47 1,541 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-05-29 14:28:55 . 2009-05-29 14:28:55 0 ----a-w C:\Qoobox\Quarantine\catchme.txt
2009-04-14 21:11:47 . 2009-04-14 21:11:47 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\profiles.ini.vir
2009-04-14 21:11:48 . 2009-04-14 21:13:13 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\cert8.db.vir
2009-04-14 21:11:47 . 2009-04-14 21:11:47 207 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\compatibility.ini.vir
2009-04-14 21:11:47 . 2009-04-14 21:11:48 127,820 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\compreg.dat.vir
2009-04-14 21:11:48 . 2009-04-14 21:13:13 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\cookies.sqlite.vir
2009-04-14 21:11:49 . 2009-04-14 21:11:49 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\formhistory.sqlite.vir
2009-04-14 21:11:48 . 2009-04-14 21:11:48 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\key3.db.vir
2009-04-14 21:12:02 . 2009-04-14 21:12:02 569 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\localstore.rdf.vir
2009-04-14 21:11:48 . 2009-04-14 21:11:48 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\permissions.sqlite.vir
2009-04-14 21:11:48 . 2009-04-14 21:12:49 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\places.sqlite-journal.vir
2009-04-14 21:11:48 . 2009-04-14 21:11:54 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\places.sqlite.vir
2009-04-14 21:11:51 . 2009-04-14 21:11:51 10,184 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\pluginreg.dat.vir
2009-04-14 21:11:48 . 2009-04-14 21:11:48 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\prefs.js.vir
2009-04-14 21:11:48 . 2009-04-14 21:11:48 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\secmod.db.vir
2009-04-14 21:11:50 . 2009-04-14 21:11:50 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\webappsstore.sqlite.vir
2009-04-14 21:11:47 . 2009-04-14 21:11:47 96,173 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\ljjhguei\Profiles\mqphxvnk.default\xpti.dat.vir
2009-04-14 21:15:52 . 2009-04-14 21:15:52 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\profiles.ini.vir
2009-04-14 21:15:53 . 2009-04-14 21:16:56 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\cert8.db.vir
2009-04-14 21:15:52 . 2009-04-14 22:38:42 207 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\compatibility.ini.vir
2009-04-14 21:15:52 . 2009-04-14 22:38:42 127,885 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\compreg.dat.vir
2009-04-14 21:15:53 . 2009-04-14 22:58:45 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\cookies.sqlite.vir
2009-04-14 21:15:54 . 2009-04-14 21:15:54 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\formhistory.sqlite.vir
2009-04-14 21:15:53 . 2009-04-14 21:15:53 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\key3.db.vir
2009-04-14 21:16:07 . 2009-04-14 21:16:07 569 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\localstore.rdf.vir
2009-04-14 21:15:52 . 2009-04-14 21:15:52 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\permissions.sqlite.vir
2009-04-14 21:15:53 . 2009-04-14 22:58:43 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\places.sqlite-journal.vir
2009-04-14 21:15:53 . 2009-04-14 22:38:47 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\places.sqlite.vir
2009-04-14 21:15:55 . 2009-04-14 21:15:55 10,184 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\pluginreg.dat.vir
2009-04-14 22:38:42 . 2009-04-14 22:38:42 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\prefs.js.vir
2009-04-14 21:15:53 . 2009-04-14 21:15:53 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\secmod.db.vir
2009-04-14 21:15:54 . 2009-04-14 22:38:43 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\webappsstore.sqlite.vir
2009-04-14 21:15:52 . 2009-04-14 22:38:42 96,173 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\ljjhguei\Profiles\r0jhpx22.default\xpti.dat.vir
2008-11-01 14:33:53 . 2008-11-01 14:33:53 289 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Favorites\Videos.url.vir
2004-08-12 13:57:20 . 2007-06-13 10:23:07 1,033,216 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir
2004-08-12 14:08:06 . 2007-03-08 15:36:28 158,720 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\onarikom.dll.vir
2009-04-14 23:38:51 . 2009-04-16 16:28:40 408 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Wnevuyo.dat.vir
2004-08-12 14:02:43 . 2004-08-12 14:02:43 103,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\rvfflpt.dll.vir
2004-08-12 14:02:43 . 2004-08-12 14:02:43 103,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\sgrtolc.dll.vir
2009-05-29 05:27:22 . 2009-05-29 05:27:22 97,646 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_rvfflpt_.dll.zip
2009-05-29 05:27:23 . 2009-05-29 05:27:23 100,313 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_sgrtolc_.dll.zip
2004-08-12 14:02:43 . 2004-08-12 14:02:43 23,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\dncislck.sys.vir
2004-08-12 14:02:43 . 2004-08-12 14:02:43 23,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\drwtvpsh.sys.vir
2009-05-29 05:27:20 . 2009-05-29 05:27:20 11,439 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_dncislck_.sys.zip
2009-05-29 05:27:21 . 2009-05-29 05:27:21 17,207 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_drwtvpsh_.sys.zip
2009-04-14 19:06:24 . 2009-05-29 04:26:05 434 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At1.job.vir
2009-05-29 05:36:57 . 2009-05-29 05:36:57 393 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{a56557e5-788c-e78e-2c2d-c596e8fac583}.reg.dat
2009-05-29 05:36:59 . 2009-05-29 05:36:59 91 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Aim6.reg.dat
2009-05-29 14:37:59 . 2009-05-29 14:37:59 144 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-EZ Smileys.reg.dat
2009-05-29 05:36:59 . 2009-05-29 05:36:59 176 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-iPhone PC Suite.reg.dat
2009-05-29 05:36:59 . 2009-05-29 05:36:59 173 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-PhoneDaemon.reg.dat
2009-05-29 05:36:59 . 2009-05-29 05:36:59 158 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Picasa Media Detector.reg.dat
2009-05-29 05:36:59 . 2009-05-29 05:36:59 102 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-PlayNC Launcher.reg.dat
2009-05-29 05:27:54 . 2009-05-29 14:31:32 806 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_DNCISLCK.reg.dat
2009-05-29 05:37:08 . 2009-05-29 05:37:08 562 ----a-w C:\Qoobox\Quarantine\Registry_backups\SafeBoot-procexp90.Sys.reg.dat
2009-05-29 05:27:54 . 2009-05-29 05:27:54 6,874 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_dncislck.reg.dat
2009-05-29 05:27:42 . 2009-05-29 14:31:26 11,359 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 September 2009 - 05:12 PM

Nothing helpful there, but let's assume that ComboFix did loosen the grip and see if you can run MBAM.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Please also run Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks :(

#15 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts

Posted 29 September 2009 - 12:15 AM

Anti-Malware log

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

9/28/2009 11:20:17 PM
mbam-log-2009-09-28 (23-20-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 205716
Time elapsed: 2 hour(s), 16 minute(s), 59 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\explorer.exe (Backdoor.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Barsaka (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\explorer.exe (Trojan.Downloader) -> Delete on reboot.

GMER log

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-29 00:48:43
Windows 5.1.2600 Service Pack 2
Running: y18jmuck.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT spzl.sys ZwCreateKey [0xF90170E0]
SSDT spzl.sys ZwEnumerateKey [0xF9035DA4]
SSDT spzl.sys ZwEnumerateValueKey [0xF9036132]
SSDT spzl.sys ZwOpenKey [0xF90170C0]
SSDT spzl.sys ZwQueryKey [0xF903620A]
SSDT spzl.sys ZwQueryValueKey [0xF903608A]
SSDT spzl.sys ZwSetValueKey [0xF903629C]

INT 0x62 ? 82F72BF8
INT 0x63 ? 82D18BF8
INT 0x82 ? 82F72BF8
INT 0x83 ? 82D18BF8
INT 0x83 ? 82D18BF8
INT 0xB4 ? 82D18BF8

---- Kernel code sections - GMER 1.0.15 ----

? cipaownt.sys The system cannot find the file specified. !
? spzl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F8CAD62C 5 Bytes JMP 82D181D8
? System32\Drivers\azzn2cqe.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Motive\McciCMService.exe[404] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00D228E0
.text C:\Program Files\Common Files\Motive\McciCMService.exe[404] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00D22890
.text C:\Program Files\Common Files\Motive\McciCMService.exe[404] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00D22854
.text C:\Program Files\Common Files\Motive\McciCMService.exe[404] WS2_32.dll!send 71AB428A 5 Bytes JMP 00D226C5
.text C:\Program Files\Common Files\Motive\McciCMService.exe[404] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00D227B7
.text C:\Program Files\Common Files\Motive\McciCMService.exe[404] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00D226FD
.text C:\Program Files\Common Files\Motive\McciCMService.exe[404] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00D22735
.text C:\Program Files\Common Files\Motive\McciCMService.exe[404] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00D22839
.text C:\Program Files\Google\Update\GoogleUpdate.exe[520] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 010428E0
.text C:\Program Files\Google\Update\GoogleUpdate.exe[520] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 01042890
.text C:\Program Files\Google\Update\GoogleUpdate.exe[520] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 01042854
.text C:\Program Files\Google\Update\GoogleUpdate.exe[520] WS2_32.dll!send 71AB428A 5 Bytes JMP 010426C5
.text C:\Program Files\Google\Update\GoogleUpdate.exe[520] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 010427B7
.text C:\Program Files\Google\Update\GoogleUpdate.exe[520] WS2_32.dll!recv 71AB615A 5 Bytes JMP 010426FD
.text C:\Program Files\Google\Update\GoogleUpdate.exe[520] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01042735
.text C:\Program Files\Google\Update\GoogleUpdate.exe[520] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01042839
.text C:\WINDOWS\system32\wdfmgr.exe[1044] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 008928E0
.text C:\WINDOWS\system32\wdfmgr.exe[1044] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00892890
.text C:\WINDOWS\system32\wdfmgr.exe[1044] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00892854
.text C:\WINDOWS\system32\wdfmgr.exe[1044] WS2_32.dll!send 71AB428A 5 Bytes JMP 008926C5
.text C:\WINDOWS\system32\wdfmgr.exe[1044] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 008927B7
.text C:\WINDOWS\system32\wdfmgr.exe[1044] WS2_32.dll!recv 71AB615A 5 Bytes JMP 008926FD
.text C:\WINDOWS\system32\wdfmgr.exe[1044] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00892735
.text C:\WINDOWS\system32\wdfmgr.exe[1044] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00892839
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1932] WS2_32.dll!send 71AB428A 5 Bytes JMP 01FE26C5
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1932] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01FE27B7
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1932] WS2_32.dll!recv 71AB615A 5 Bytes JMP 01FE26FD
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1932] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01FE2735
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1932] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01FE2839
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1932] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 01FE28E0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1932] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 01FE2890
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1932] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 01FE2854
.text C:\Program Files\Bonjour\mDNSResponder.exe[1948] WS2_32.dll!send 71AB428A 5 Bytes JMP 007C26C5
.text C:\Program Files\Bonjour\mDNSResponder.exe[1948] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 007C27B7
.text C:\Program Files\Bonjour\mDNSResponder.exe[1948] WS2_32.dll!recv 71AB615A 5 Bytes JMP 007C26FD
.text C:\Program Files\Bonjour\mDNSResponder.exe[1948] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 007C2735
.text C:\Program Files\Bonjour\mDNSResponder.exe[1948] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 007C2839
.text C:\Program Files\Bonjour\mDNSResponder.exe[1948] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 007C28E0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1948] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 007C2890
.text C:\Program Files\Bonjour\mDNSResponder.exe[1948] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 007C2854
.text C:\WINDOWS\system32\dllhost.exe[1976] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00C028E0
.text C:\WINDOWS\system32\dllhost.exe[1976] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00C02890
.text C:\WINDOWS\system32\dllhost.exe[1976] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00C02854
.text C:\WINDOWS\system32\dllhost.exe[1976] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C026C5
.text C:\WINDOWS\system32\dllhost.exe[1976] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00C027B7
.text C:\WINDOWS\system32\dllhost.exe[1976] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00C026FD
.text C:\WINDOWS\system32\dllhost.exe[1976] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00C02735
.text C:\WINDOWS\system32\dllhost.exe[1976] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C02839
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00E728E0
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00E72890
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00E72854
.text C:\WINDOWS\Explorer.EXE[2044] WS2_32.dll!send 71AB428A 5 Bytes JMP 00E726C5
.text C:\WINDOWS\Explorer.EXE[2044] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00E727B7
.text C:\WINDOWS\Explorer.EXE[2044] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00E726FD
.text C:\WINDOWS\Explorer.EXE[2044] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00E72735
.text C:\WINDOWS\Explorer.EXE[2044] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00E72839
.text C:\Program Files\iPod\bin\iPodService.exe[2272] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00B128E0
.text C:\Program Files\iPod\bin\iPodService.exe[2272] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00B12890
.text C:\Program Files\iPod\bin\iPodService.exe[2272] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00B12854
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[2276] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00BF28E0
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[2276] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00BF2890
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[2276] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00BF2854
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[2276] WS2_32.dll!send 71AB428A 5 Bytes JMP 00BF26C5
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[2276] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00BF27B7
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[2276] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00BF26FD
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[2276] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00BF2735
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[2276] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00BF2839
.text C:\WINDOWS\System32\alg.exe[2588] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 008428E0
.text C:\WINDOWS\System32\alg.exe[2588] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00842890
.text C:\WINDOWS\System32\alg.exe[2588] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00842854
.text C:\WINDOWS\System32\alg.exe[2588] WS2_32.dll!send 71AB428A 5 Bytes JMP 008426C5
.text C:\WINDOWS\System32\alg.exe[2588] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 008427B7
.text C:\WINDOWS\System32\alg.exe[2588] WS2_32.dll!recv 71AB615A 5 Bytes JMP 008426FD
.text C:\WINDOWS\System32\alg.exe[2588] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00842735
.text C:\WINDOWS\System32\alg.exe[2588] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00842839
.text C:\WINDOWS\system32\hkcmd.exe[2916] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00A428E0
.text C:\WINDOWS\system32\hkcmd.exe[2916] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00A42890
.text C:\WINDOWS\system32\hkcmd.exe[2916] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00A42854
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[2948] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00AF28E0
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[2948] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00AF2890
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[2948] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00AF2854
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[2948] WS2_32.dll!send 71AB428A 5 Bytes JMP 00AF26C5
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[2948] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00AF27B7
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[2948] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00AF26FD
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[2948] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00AF2735
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe[2948] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00AF2839
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2956] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00D828E0
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2956] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00D82890
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2956] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00D82854
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2956] WS2_32.dll!send 71AB428A 5 Bytes JMP 00D826C5
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2956] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00D827B7
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2956] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00D826FD
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2956] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00D82735
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2956] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00D82839
.text C:\Program Files\Verizon\McciTrayApp.exe[3000] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00F928E0
.text C:\Program Files\Verizon\McciTrayApp.exe[3000] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00F92890
.text C:\Program Files\Verizon\McciTrayApp.exe[3000] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00F92854
.text C:\Program Files\Verizon\McciTrayApp.exe[3000] WS2_32.dll!send 71AB428A 5 Bytes JMP 00F926C5
.text C:\Program Files\Verizon\McciTrayApp.exe[3000] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00F927B7
.text C:\Program Files\Verizon\McciTrayApp.exe[3000] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00F926FD
.text C:\Program Files\Verizon\McciTrayApp.exe[3000] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00F92735
.text C:\Program Files\Verizon\McciTrayApp.exe[3000] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00F92839
.text C:\Program Files\iTunes\iTunesHelper.exe[3084] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 00C328E0
.text C:\Program Files\iTunes\iTunesHelper.exe[3084] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 00C32890
.text C:\Program Files\iTunes\iTunesHelper.exe[3084] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 00C32854
.text C:\Program Files\iTunes\iTunesHelper.exe[3084] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C326C5
.text C:\Program Files\iTunes\iTunesHelper.exe[3084] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00C327B7
.text C:\Program Files\iTunes\iTunesHelper.exe[3084] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00C326FD
.text C:\Program Files\iTunes\iTunesHelper.exe[3084] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00C32735
.text C:\Program Files\iTunes\iTunesHelper.exe[3084] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C32839
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[3184] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 010F28E0
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[3184] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 010F2890
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[3184] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 010F2854
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[3184] WS2_32.dll!send 71AB428A 5 Bytes JMP 010F26C5
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[3184] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 010F27B7
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[3184] WS2_32.dll!recv 71AB615A 5 Bytes JMP 010F26FD
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[3184] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 010F2735
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[3184] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 010F2839
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3340] ADVAPI32.dll!CryptDestroyKey 77DEA064 7 Bytes JMP 014128E0
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3340] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 01412890
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3340] ADVAPI32.dll!CryptEncrypt 77DF0900 7 Bytes JMP 01412854
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3340] WS2_32.dll!send 71AB428A 5 Bytes JMP 014126C5
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3340] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 014127B7
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3340] WS2_32.dll!recv 71AB615A 5 Bytes JMP 014126FD
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3340] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01412735
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3340] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01412839

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82F742D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F9048D4C] spzl.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F9048DA0] spzl.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F9018042] spzl.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F901813E] spzl.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F90180C0] spzl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F9018800] spzl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F90186D6] spzl.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82D182D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F9027E9C] spzl.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82F711F8
Device \Driver\PCI_PNP0470 \Device\00000040 spzl.sys
Device \Driver\sptd \Device\2649732970 spzl.sys
Device \Driver\usbuhci \Device\USBPDO-0 82DC71F8
Device \Driver\usbuhci \Device\USBPDO-1 82DC71F8
Device \Driver\usbuhci \Device\USBPDO-2 82DC71F8
Device \Driver\usbehci \Device\USBPDO-3 82D6F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 82FDF1F8
Device \Driver\Cdrom \Device\CdRom0 82C46500
Device \Driver\Cdrom \Device\CdRom1 82C46500
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 82F721F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 827E9EA0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82F721F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 827E9EA0
Device \Driver\atapi \Device\Ide\IdePort0 82F721F8
Device \Driver\atapi \Device\Ide\IdePort0 827E9EA0
Device \Driver\atapi \Device\Ide\IdePort1 82F721F8
Device \Driver\atapi \Device\Ide\IdePort1 827E9EA0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 82F721F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 827E9EA0
Device \Driver\Cdrom \Device\CdRom2 82C46500
Device \Driver\NetBT \Device\NetBt_Wins_Export 82C7F500
Device \Driver\NetBT \Device\NetbiosSmb 82C7F500
Device \Driver\usbuhci \Device\USBFDO-0 82DC71F8
Device \Driver\usbuhci \Device\USBFDO-1 82DC71F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82D65500
Device \Driver\usbuhci \Device\USBFDO-2 82DC71F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82D65500
Device \Driver\usbehci \Device\USBFDO-3 82D6F1F8
Device \Driver\Ftdisk \Device\FtControl 82FDF1F8
Device \Driver\azzn2cqe \Device\Scsi\azzn2cqe1Port2Path0Target0Lun0 82C55500
Device \Driver\azzn2cqe \Device\Scsi\azzn2cqe1 82C55500
Device \FileSystem\Fastfat \Fat 82C73500
Device \FileSystem\Fastfat \Fat EEEB41F9

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 82CA8500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1467609509
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1789554872
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0xB3 0x45 0x8E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBA 0x30 0x9D 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x85 0xE5 0x0D 0x41 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0xB3 0x45 0x8E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBA 0x30 0x9D 0xDA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x85 0xE5 0x0D 0x41 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----



