search redirected in IE due to rootkit infection?


  • This topic is locked
23 replies to this topic

#1 akramabed

akramabed

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:59 PM

Posted 21 September 2009 - 09:25 PM

Hi,
I think my old laptop has a rootkit infection. In Internet Explorer, clicking the Google toolbar button or entering google.com in the address bar redirects me to search nut, while MSN goes somewhere else. I already ran ComboFix and it gave me the names of a number of infected files (c:\winnt\comres.exe, autochk.exe, chkdsc.exe, cmd.exe, fltmc.exe, fontview.exe, grpconv.exe, lsass.exe, mstask.exe, netdde.exe, ntdvm.exe, w32tm.exe), so quite a few. My AV KL cannot find anything wrong!! As per the guidelines of the forum I am only providing below the results of DDS, but RootRepeal could not complete the report and stalled at stealth objects, so I excluded this from the scan and posted the report together with the warning I got. If you wish me to post the complete results of ComboFix, let me know please. Or if you think that I only need to fix those infected files, then please advise how. Please note that after I rebooted the computer the Google button and MSN are working normally, but I am sure my computer is still infected as you can see below and maybe the problem will return, am I right?
Thanks for your help.
akramabed


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 4:54:59.36 on Tue 22/09/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.127.39 [GMT 3:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\S3trayhp.exe
C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\ONE-TO~1\CDRomMnt.EXE
C:\PROGRA~1\ONE-TO~1\KBOSDCtl.EXE
C:\PROGRA~1\ONE-TO~1\CP32NKCC.EXE
C:\Program Files\Corinex\Wireless G USB Mini Adapter\ZDWlan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [S3Hotkey] s3hotkey.exe
mRun: [S3TRAYHP] S3trayhp.exe
mRun: [CP32NOT] c:\progra~1\one-to~1\CP32NBTN.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HTT] \"c:\htt-humaxgbox\htt-startup.bat\
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 6.0\avp.exe"
dRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wlanut~1.lnk - c:\program files\corinex\wireless g usb mini adapter\ZDWlan.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 6.0\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?237d0274c52146c4b93fa8f675165c26
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?237d0274c52146c4b93fa8f675165c26
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 6.0\scieplugin.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246553415895
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: klogon - c:\winnt\system32\klogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\v2aguhkq.default\

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\winnt\system32\drivers\kl1.sys [2007-1-25 109848]
R1 klif;Klif;c:\winnt\system32\drivers\klif.sys [2007-1-27 179984]
R2 AVP;Kaspersky Internet Security 6.0;c:\program files\kaspersky lab\kaspersky internet security 6.0\avp.exe -r --> c:\program files\kaspersky lab\kaspersky internet security 6.0\avp.exe -r [?]
R2 ioperm;ioperm support for Cygwin driver;c:\htt-humaxgbox\cygwin\bin\ioperm.sys [2006-7-11 12800]
R3 EN5251;Accton EN1207F/EN2220A/EN2242 Series PCI Fast Ethernet Adapter Win2000 Driver;c:\winnt\system32\drivers\EN5251N5.sys [2001-4-2 34272]
S3 ZD1211U(Corinex);Corinex Wireless LAN Driver (USB)(Corinex);c:\winnt\system32\drivers\ZD1211U.sys [2009-8-19 258560]

=============== Created Last 30 ================

2009-09-22 04:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_318.dat
2009-09-22 03:16 229,888 a------- c:\winnt\PEV.exe
2009-09-22 03:16 161,792 a------- c:\winnt\SWREG.exe
2009-09-22 03:16 98,816 a------- c:\winnt\sed.exe
2009-09-15 19:05 <DIR> a-d----- c:\program files\Fahess_Activation
2009-09-15 19:05 <DIR> a-d----- c:\program files\common files\Motive

==================== Find3M ====================

2009-09-22 04:55 8,770,080 a--sh--- c:\winnt\system32\drivers\fidbox.dat
2009-09-22 04:54 289,312 a--sh--- c:\winnt\system32\drivers\fidbox2.dat
2009-09-22 03:50 29,096 a--sh--- c:\winnt\system32\drivers\fidbox2.idx
2009-09-22 03:50 123,560 a--sh--- c:\winnt\system32\drivers\fidbox.idx
2009-08-19 10:44 57,344 a------- c:\winnt\uneng.exe
2009-08-19 10:44 58,000 a------- c:\winnt\system32\drivers\cdr4_2K.sys
2009-08-19 10:44 49,152 a------- c:\winnt\system32\cdrtc.dll
2009-08-19 10:44 45,056 a------- c:\winnt\system32\cdral.dll
2009-08-19 10:44 23,420 a------- c:\winnt\system32\drivers\cdralw2k.sys
2009-08-05 08:04 90,164 a------- c:\winnt\system32\atl.dll
2009-07-27 14:27 165,136 a------- c:\winnt\system32\t2embed.dll
2009-07-27 14:27 81,168 a------- c:\winnt\system32\fontsub.dll
2009-07-13 16:13 78,608 a------- c:\winnt\system32\avifil32.dll
2009-07-10 12:49 601,088 a------- c:\winnt\system32\INETCOMM.DLL
2009-07-10 12:49 47,616 a------- c:\winnt\system32\INETRES.DLL
2009-07-10 12:49 229,376 a------- c:\winnt\system32\MSOEACCT.DLL
2009-07-10 12:49 91,136 a------- c:\winnt\system32\MSOERT2.DLL
2009-07-10 12:47 44,032 a------- c:\winnt\system32\MSIDENT.DLL
2009-06-26 11:53 576,512 -------- c:\winnt\system32\WININET.DLL
2006-08-27 22:07 835,584 ac------ c:\documents and settings\administrator\setupHUMAXTerminator.exe
2006-08-27 22:00 2,024 ac------ c:\documents and settings\administrator\HT.dat
2000-01-07 11:53 696,320 ac------ c:\program files\common files\XCMHook.dll
2000-01-06 15:57 24,576 ac------ c:\program files\common files\XCPCMenu.exe
1999-12-07 15:00 32,528 ac------ c:\winnt\inf\wbfirdma.sys
1999-03-29 02:34 106,768 ac------ c:\program files\msscript.ocx
1997-05-24 02:16 70,780 ac---r-- c:\program files\msscript.hlp
1997-05-24 02:16 2,154 ac---r-- c:\program files\msscript.cnt
1988-01-15 15:54 21,952 -c--h--- c:\program files\folder.htt
1988-01-15 15:54 271 ----h--- c:\program files\desktop.ini

============= FINISH: 4:55:37.67 ===============

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/22 13:43
Program Version: Version 1.3.5.0
Windows Version: Windows 2000 SP4
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xBF9AE000 Size: 90112 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xF0A3A000 Size: 4096 File Visible: No Signed: -
Status: -

Name: rotrepel.sys
Image Path: C:\WINNT\system32\drivers\rotrepel.sys
Address: 0xF0630000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
ServiceTable Hooked [0x80480a20]!

#: 024 Function Name: NtClose
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e0c00

#: 035 Function Name: NtCreateKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3380

#: 041 Function Name: NtCreateProcess
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e0930

#: 043 Function Name: NtCreateSection
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e1540

#: 045 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e1190

#: 046 Function Name: NtCreateThread
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e1e20

#: 053 Function Name: NtDeleteKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3480

#: 055 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3500

#: 058 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e0d60

#: 060 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d35b0

#: 061 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3660

#: 067 Function Name: NtFlushKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3710

#: 081 Function Name: NtInitializeRegistry
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3790

#: 085 Function Name: NtLoadDriver
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9df2a0

#: 086 Function Name: NtLoadKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d41b0

#: 087 Function Name: NtLoadKey2
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d37b0

#: 095 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3890

#: 100 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xbfe5bff0

#: 103 Function Name: NtOpenKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3970

#: 106 Function Name: NtOpenProcess
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e0720

#: 108 Function Name: NtOpenSection
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e1370

#: 139 Function Name: NtQueryKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3a50

#: 140 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3b00

#: 151 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e1ad0

#: 155 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3bb0

#: 169 Function Name: NtReplaceKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3c90

#: 180 Function Name: NtRestoreKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3d20

#: 181 Function Name: NtResumeThread
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e1dd0

#: 182 Function Name: NtSaveKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3f20

#: 194 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e2770

#: 196 Function Name: NtSetInformationKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d3fb0

#: 198 Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e60a0

#: 206 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9ddec0

#: 215 Function Name: NtSetValueKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d4050

#: 221 Function Name: NtSuspendThread
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e1d80

#: 222 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9df600

#: 224 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e1970

#: 228 Function Name: NtUnloadKey
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9d4170

#: 240 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e0c20

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9df4d0

#: 368 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9dee70

#: 373 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9dde40

#: 405 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9dde80

#: 444 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9ded70

#: 459 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e2550

#: 460 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9dee20

#: 481 Function Name: NtUserSendInput
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9de300

#: 483 Function Name: NtUserSendNotifyMessage
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9dedd0

#: 530 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e2340

#: 533 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINNT\system32\drivers\klif.sys" at address 0xbf9e25a0

==EOF==

13:43:20: DeviceIoControl Error! Error Code = 0x0
13:43:20: Warning - the number of SSDT entries from the kernel and the number on-disk are different (261 and 248).


Edited by akramabed, 22 September 2009 - 05:53 AM.



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:59 PM

Posted 08 October 2009 - 11:48 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 akramabed

akramabed
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:59 PM

Posted 09 October 2009 - 03:04 AM

Thanks for your help. The problem of redirecting has stopped after running some tools I found on this forum. However, I still see on the ComboFix report the same infections I reported in my previous post. Here are the DDS reports requested. So I am suspecting that the problem may return.
rgds
Akram

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 10:55:26.23 on Fri 09/10/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.127.40 [GMT 3:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\S3trayhp.exe
C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ONE-TO~1\CDRomMnt.EXE
C:\PROGRA~1\ONE-TO~1\KBOSDCtl.EXE
C:\PROGRA~1\ONE-TO~1\CP32NKCC.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [S3Hotkey] s3hotkey.exe
mRun: [S3TRAYHP] S3trayhp.exe
mRun: [CP32NOT] c:\progra~1\one-to~1\CP32NBTN.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wlanut~1.lnk - c:\program files\corinex\wireless g usb mini adapter\ZDWlan.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?237d0274c52146c4b93fa8f675165c26
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?237d0274c52146c4b93fa8f675165c26
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246553415895
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: AutorunsDisabled\mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\v2aguhkq.default\

============= SERVICES / DRIVERS ===============

R3 EN5251;Accton EN1207F/EN2220A/EN2242 Series PCI Fast Ethernet Adapter Win2000 Driver;c:\winnt\system32\drivers\EN5251N5.sys [2001-4-2 34272]
S3 ZD1211U(Corinex);Corinex Wireless LAN Driver (USB)(Corinex);c:\winnt\system32\drivers\ZD1211U.sys [2009-8-19 258560]
S4 ioperm;ioperm support for Cygwin driver;\??\c:\htt-humaxgbox\cygwin\bin\ioperm.sys --> c:\htt-humaxgbox\cygwin\bin\ioperm.sys [?]

=============== Created Last 30 ================

2009-10-02 14:10 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2fc.dat
2009-09-28 00:12 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-28 00:12 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-23 15:37 16,384 a------t c:\winnt\system32\Perflib_Perfdata_328.dat
2009-09-23 05:42 54,156 a---h--- c:\winnt\QTFont.qfn
2009-09-23 05:42 1,409 a------- c:\winnt\QTFont.for
2009-09-22 03:16 229,888 a------- c:\winnt\PEV.exe
2009-09-22 03:16 161,792 a------- c:\winnt\SWREG.exe
2009-09-22 03:16 98,816 a------- c:\winnt\sed.exe
2009-09-15 19:05 <DIR> a-d----- c:\program files\Fahess_Activation
2009-09-15 19:05 <DIR> a-d----- c:\program files\common files\Motive

==================== Find3M ====================

2009-08-19 10:44 57,344 a------- c:\winnt\uneng.exe
2009-08-19 10:44 58,000 a------- c:\winnt\system32\drivers\cdr4_2K.sys
2009-08-19 10:44 49,152 a------- c:\winnt\system32\cdrtc.dll
2009-08-19 10:44 45,056 a------- c:\winnt\system32\cdral.dll
2009-08-19 10:44 23,420 a------- c:\winnt\system32\drivers\cdralw2k.sys
2009-08-05 08:04 90,164 a------- c:\winnt\system32\atl.dll
2009-07-27 14:27 165,136 a------- c:\winnt\system32\t2embed.dll
2009-07-27 14:27 81,168 a------- c:\winnt\system32\fontsub.dll
2009-07-13 16:13 78,608 a------- c:\winnt\system32\avifil32.dll
2006-08-27 22:07 835,584 ac------ c:\documents and settings\administrator\setupHUMAXTerminator.exe
2006-08-27 22:00 2,024 ac------ c:\documents and settings\administrator\HT.dat
2000-01-07 11:53 696,320 ac------ c:\program files\common files\XCMHook.dll
2000-01-06 15:57 24,576 ac------ c:\program files\common files\XCPCMenu.exe
1999-12-07 15:00 32,528 ac------ c:\winnt\inf\wbfirdma.sys
1999-03-29 02:34 106,768 ac------ c:\program files\msscript.ocx
1997-05-24 02:16 70,780 ac---r-- c:\program files\msscript.hlp
1997-05-24 02:16 2,154 ac---r-- c:\program files\msscript.cnt
1988-01-15 15:54 21,952 -c--h--- c:\program files\folder.htt
1988-01-15 15:54 271 ----h--- c:\program files\desktop.ini

============= FINISH: 10:56:19.01 ===============


#4 extremeboy (Malware Response Team)

Posted 19 October 2009 - 02:55 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 akramabed (Topic Starter)

Posted 20 October 2009 - 04:29 AM

Hi EB,
The logs requested are posted in my earlier 2 posts. The problem of re-directing is no longer there, but combofix is showing c:\winnt\ (comres.exe, autochk.exe, chkdsc.exe, cmd.exe, fltmc.exe, fontview.exe, grpconv.exe, lsass.exe, mstask.exe, netdde.exe, ntdvm.exe, w32tm.exe) as infected. My antivirus program Kaspersky does not find anything wrong!
Thanks
AA

#6 extremeboy (Malware Response Team)

Posted 20 October 2009 - 03:02 PM

Who told you to run Combofix?

Please post the C:\Combofix.txt log then...

Also, please re-run DDS and Rootrepeal as requested so I can see the CURRENT condition of your system please.

~Extremeboy

#7 akramabed (Topic Starter)

Posted 22 October 2009 - 12:11 PM

Hi EB,
The information you requested is provided in my previous post and nothing has changed since, as I am not using the laptop much. I ran combofix after reading solutions of similar problems shown in this forum. I hope I did not do something wrong, but the problem is not appearing anymore. Attached are the logs.
Thanks for your help.
AA

Edited by akramabed, 22 October 2009 - 12:15 PM.


#8 extremeboy (Malware Response Team)

Posted 23 October 2009 - 03:26 PM

Woah. Please do the following for me; we need to see an update of the system.

Please delete the version of Combofix you have and download and run a new copy from one of the links below.

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

--Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

Post back with both logs in your next reply please.

Thanks.

~EB
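A small triage helper for the SSDT lines GMER prints, written around the caveat above that rootkit-scan entries are reviewed, not acted on. This is an added example, not GMER's code or anything posted in the thread; its sample input is two klif.sys lines in the shape of the thread's later GMER log plus one constructed, hypothetical hook from a nameless module in a temp directory, so the flagging logic has something to flag.

```python
"""Triage helper for the SSDT section of a GMER rootkit-scan log.

GMER prints one line per hooked System Service Descriptor Table entry:

    SSDT <module path> (<description>/<vendor>) <Zw function> [<hook address>]

Grouping hooks by the module that owns them answers the first question a
reviewer asks of such output: are all these hooks installed by a product known
to be on the machine (here the Kaspersky filter driver klif.sys), or does some
hook point into a module with no version information or an unusual location?
A flagged entry is something to look at, not something to delete: rootkit
scanners produce false positives.
"""
import re
from collections import defaultdict

# Regex for the SSDT line shape shown in the thread's GMER log.  The
# parenthesised description block is optional: GMER omits it when the module
# carries no version resource, which is itself worth knowing.
SSDT_LINE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<description>[^)]*)\))?"
    r"\s+(?P<function>Zw\w+)"
    r"\s+\[(?P<address>0x[0-9A-Fa-f]+)\]\s*$"
)

# Kernel drivers installed through the normal service mechanism live here; a
# hook owned by a module loaded from a temp or profile directory stands out.
EXPECTED_DRIVER_DIR = "\\systemroot\\system32\\drivers\\"

# Constructed sample: two klif.sys lines in the format of the thread's GMER
# log, plus one made-up hook from a nameless module in a temp directory
# (hypothetical, not from the log) and one non-SSDT line that must be ignored.
SAMPLE_GMER_LINES = [
    r"SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xBF6CEB96]",
    r"SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwClose [0xBF6CF142]",
    r"SSDT \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\unknown_example.sys ZwQueryDirectoryFile [0xF8A10000]",
    "scanning hidden processes ...",
]


def parse_ssdt_line(line):
    """Return a dict for one SSDT line, or None if the line is not one."""
    m = SSDT_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["address"] = int(rec["address"], 16)
    desc = rec["description"]
    # GMER writes "<file description>/<company name>"; keep the company part.
    rec["vendor"] = desc.rsplit("/", 1)[1].strip() if desc and "/" in desc else None
    return rec


def hooks_by_module(lines):
    """Group hooked functions by owning module and attach triage flags."""
    groups = defaultdict(lambda: {"vendor": None, "functions": [], "flags": []})
    for line in lines:
        rec = parse_ssdt_line(line)
        if rec is None:
            continue
        entry = groups[rec["module"]]
        entry["vendor"] = rec["vendor"]
        entry["functions"].append(rec["function"])
    for module, entry in groups.items():
        if entry["vendor"] is None:
            entry["flags"].append("no version/vendor information")
        if EXPECTED_DRIVER_DIR not in module.lower():
            entry["flags"].append("module outside system32\\drivers")
    return dict(groups)


def triage_report(lines):
    """Return (module, vendor, hook_count, flags) tuples, flagged modules first."""
    groups = hooks_by_module(lines)
    rows = [(m, e["vendor"], len(e["functions"]), e["flags"]) for m, e in groups.items()]
    rows.sort(key=lambda r: (-len(r[3]), r[0].lower()))
    return rows


if __name__ == "__main__":
    for module, vendor, count, flags in triage_report(SAMPLE_GMER_LINES):
        status = "REVIEW: " + "; ".join(flags) if flags else "known vendor"
        print(f"{count:3d} hook(s)  {module}  [{vendor or '-'}]  {status}")
```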

#9 akramabed (Topic Starter)

Posted 24 October 2009 - 04:01 PM

Hi EB,
Thanks for your help. If at any time you think it is too much trouble to clean the malware and I am better off re-formatting the laptop, just let me know. But I am curious to find out what this infection was doing to my computer. Please find below the logs you requested. I noted that there were 2 errors when running Combofix. One error was reported after reboot as "Cannot import Creg.dat error accessing registry". The other error appeared after I clicked OK on the first error window and it appeared inside the DOS Find3M window as "Cannot find file Whitedirectory..." It disappeared before I could note the full text.
Thanks again, AA


ComboFix 09-10-22.01 - Administrator 24/10/2009 20:32.5.1 - NTFSx86
Running from: E:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\AUTOCHK.EXE . . . is infected!!

c:\winnt\system32\CHKDSK.EXE . . . is infected!!

c:\winnt\system32\CMD.EXE . . . is infected!!

c:\winnt\system32\fltmc.exe . . . is infected!!

c:\winnt\system32\FONTVIEW.EXE . . . is infected!!

c:\winnt\system32\GRPCONV.EXE . . . is infected!!

c:\winnt\system32\LSASS.EXE . . . is infected!!

c:\winnt\system32\mstask.exe . . . is infected!!

c:\winnt\system32\NETDDE.EXE . . . is infected!!

c:\winnt\system32\NTVDM.EXE . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-16 13:41 . 2009-10-16 14:26 95259 ----a-w- c:\winnt\system32\drivers\klick.dat
2009-10-16 13:41 . 2009-10-16 14:26 108059 ----a-w- c:\winnt\system32\drivers\klin.dat
2009-10-16 13:39 . 2009-10-22 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-16 13:28 . 2009-10-16 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-10-09 17:00 . 2009-10-09 17:00 -------- d-----w- c:\program files\Free RM to MP3 Converter
2009-10-09 16:59 . 2009-10-09 16:59 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2009-09-27 21:12 . 2009-10-16 13:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-27 21:12 . 2009-10-16 13:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 14:26 . 2008-01-29 15:29 33808 ----a-w- c:\winnt\system32\drivers\klbg.sys
2009-10-16 13:39 . 2007-10-04 07:38 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-26 19:22 . 2008-07-04 14:45 -------- d-----w- c:\program files\MPlayer for Windows
2009-09-21 23:11 . 2007-02-01 14:57 -------- d-----w- c:\program files\Windows Live Toolbar
2009-09-15 16:05 . 2009-09-15 16:05 -------- d---a-w- c:\program files\Fahess_Activation
2009-09-15 16:05 . 2009-09-15 16:05 -------- d---a-w- c:\program files\Common Files\Motive
2009-09-15 16:04 . 2009-09-15 16:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\Motive
2009-08-19 07:44 . 2009-08-19 07:44 57344 ----a-w- c:\winnt\uneng.exe
2009-08-19 07:44 . 2009-08-19 07:44 58000 ----a-w- c:\winnt\system32\drivers\cdr4_2K.sys
2009-08-19 07:44 . 2009-08-19 07:44 49152 ----a-w- c:\winnt\system32\cdrtc.dll
2009-08-19 07:44 . 2009-08-19 07:44 45056 ----a-w- c:\winnt\system32\cdral.dll
2009-08-19 07:44 . 2009-08-19 07:44 23420 ----a-w- c:\winnt\system32\drivers\cdralw2k.sys
2009-08-05 05:04 . 2009-08-05 05:04 90164 ----a-w- c:\winnt\system32\atl.dll
2009-07-27 11:27 . 1999-12-07 12:00 81168 ----a-w- c:\winnt\system32\fontsub.dll
2009-07-27 11:27 . 1999-12-07 12:00 165136 ----a-w- c:\winnt\system32\t2embed.dll
2000-01-07 08:53 . 2007-01-25 18:43 696320 -c--a-w- c:\program files\Common Files\XCMHook.dll
2000-01-06 12:57 . 2007-01-25 18:43 24576 -c--a-w- c:\program files\Common Files\XCPCMenu.exe
1999-03-28 23:34 . 1999-03-28 23:34 106768 -c--a-w- c:\program files\msscript.ocx
1997-05-23 23:16 . 2006-06-15 17:08 70780 -c--a-r- c:\program files\msscript.hlp
1997-05-23 23:16 . 2006-06-15 17:08 2154 -c--a-r- c:\program files\msscript.cnt
1988-01-15 12:54 . 1988-01-15 12:54 21952 -c-h--w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2003-06-19 09:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\asyncmac.sys
[-] 2003-06-19 09:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\system32\dllcache\asyncmac.sys
[-] 2003-06-19 09:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\asyncmac.sys

[-] 1999-12-07 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . c:\winnt\system32\dllcache\beep.sys
[-] 1999-12-07 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . c:\winnt\system32\drivers\beep.sys

[-] 2003-06-19 09:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\ServicePackFiles\i386\kbdclass.sys
[-] 2003-06-19 09:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\system32\dllcache\kbdclass.sys
[-] 2003-06-19 09:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\system32\drivers\kbdclass.sys

[-] 2003-06-19 09:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\ndis.sys
[-] 2003-06-19 09:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\system32\dllcache\ndis.sys
[-] 2003-06-19 09:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\ndis.sys

[-] 2005-05-09 23:20 . 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 . 513424 . . [5.00.2195.7049] . . c:\winnt\system32\dllcache\ntfs.sys
[-] 2005-05-09 23:20 . 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 . 513424 . . [5.00.2195.7049] . . c:\winnt\system32\drivers\ntfs.sys
[-] 2003-06-19 09:05 . F6AB0E765D5B80443B93C52C42F2602A . 534192 . . [5.00.2195.6710] . . c:\winnt\$NtUpdateRollupPackUninstall$\ntfs.sys
[-] 2003-06-19 09:05 . F6AB0E765D5B80443B93C52C42F2602A . 534192 . . [5.00.2195.6710] . . c:\winnt\ServicePackFiles\i386\ntfs.sys

[-] 1999-12-07 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . c:\winnt\system32\dllcache\null.sys
[-] 1999-12-07 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . c:\winnt\system32\drivers\null.sys

[-] 2005-04-08 01:54 . B4F3ECAAEBC715EDBEA44A28FDEDA851 . 71440 . . [5.00.2195.6866] . . c:\winnt\system32\browser.dll
[-] 2005-04-08 01:54 . B4F3ECAAEBC715EDBEA44A28FDEDA851 . 71440 . . [5.00.2195.6866] . . c:\winnt\system32\dllcache\browser.dll
[-] 2003-06-19 09:05 . 38A6BC551496C24118BD1524425AF2FE . 68880 . . [5.00.2195.6693] . . c:\winnt\$NtUpdateRollupPackUninstall$\browser.dll
[-] 2003-06-19 09:05 . 38A6BC551496C24118BD1524425AF2FE . 68880 . . [5.00.2195.6693] . . c:\winnt\ServicePackFiles\i386\browser.dll

[-] 2004-12-19 12:30 . F19D0A319AB4BF5496F08807CB9B8651 . 33552 . . [5.00.2195.7011] . . c:\winnt\system32\LSASS.EXE
[-] 2003-06-19 09:05 . 271229760CCED993E9E7CAB1C7274134 . 33552 . . [5.00.2195.6695] . . c:\winnt\$NtUpdateRollupPackUninstall$\lsass.exe
[-] 2003-06-19 09:05 . 271229760CCED993E9E7CAB1C7274134 . 33552 . . [5.00.2195.6695] . . c:\winnt\ServicePackFiles\i386\lsass.exe

[-] 2005-08-15 22:35 . 600104D606AB3E9B9AB36076E6261A05 . 100112 . . [5.00.2195.7061] . . c:\winnt\system32\netman.dll
[-] 2005-08-15 22:35 . 600104D606AB3E9B9AB36076E6261A05 . 100112 . . [5.00.2195.7061] . . c:\winnt\system32\dllcache\netman.dll
[-] 2003-06-19 09:05 . 648A07AB73E49EF547A48D240CD36125 . 95504 . . [5.00.2195.6660] . . c:\winnt\$NtUninstallKB905414$\netman.dll
[-] 2003-06-19 09:05 . 648A07AB73E49EF547A48D240CD36125 . 95504 . . [5.00.2195.6660] . . c:\winnt\ServicePackFiles\i386\netman.dll

[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\qmgr.dll
[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\BITS\qmgr.dll
[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\dllcache\qmgr.dll
[-] 2003-06-19 09:05 . FE02334DB8598E2706A51A24DD33AB00 . 244224 . . [6.2.3630.2522 built by: lab04_n] . . c:\winnt\$NtUninstallKB842773$\qmgr.dll
[-] 2003-06-19 09:05 . FE02334DB8598E2706A51A24DD33AB00 . 244224 . . [6.2.3630.2522 built by: lab04_n] . . c:\winnt\ServicePackFiles\i386\qmgr.dll

[-] 2005-09-05 08:18 . 037EBCF93DF5F0C31CCD2FF7E31E3BA5 . 212240 . . [5.00.2195.7059] . . c:\winnt\system32\rpcss.dll
[-] 2005-09-05 08:18 . 037EBCF93DF5F0C31CCD2FF7E31E3BA5 . 212240 . . [5.00.2195.7059] . . c:\winnt\system32\dllcache\rpcss.dll
[-] 2005-04-08 01:54 . 391AFA6F7FE9AA667B2C54DFAE2D0FBD . 273680 . . [5.00.2195.7021] . . c:\winnt\$NtUninstallKB902400$\rpcss.dll
[-] 2003-06-19 09:05 . B49E4F60ED7E5918E44396768F9F02F2 . 239376 . . [5.00.2195.6702] . . c:\winnt\$NtUpdateRollupPackUninstall$\rpcss.dll
[-] 2003-06-19 09:05 . B49E4F60ED7E5918E44396768F9F02F2 . 239376 . . [5.00.2195.6702] . . c:\winnt\ServicePackFiles\i386\rpcss.dll

[-] 2005-04-08 01:51 . B861B4E6E9637EB76A40C10C552E0229 . 92944 . . [5.00.2195.7035] . . c:\winnt\system32\SERVICES.EXE
[-] 2005-04-08 01:51 . B861B4E6E9637EB76A40C10C552E0229 . 92944 . . [5.00.2195.7035] . . c:\winnt\system32\dllcache\services.exe
[-] 2003-06-19 09:05 . CFED2D28F5B8A24127E9E06043070643 . 89360 . . [5.00.2195.6700] . . c:\winnt\$NtUpdateRollupPackUninstall$\services.exe
[-] 2003-06-19 09:05 . CFED2D28F5B8A24127E9E06043070643 . 89360 . . [5.00.2195.6700] . . c:\winnt\ServicePackFiles\i386\services.exe

[-] 2005-07-11 18:59 . FACFB75ECC070103619FA044E0B210D3 . 47376 . . [5.00.2195.7059] . . c:\winnt\system32\spoolsv.exe
[-] 2005-07-11 18:59 . FACFB75ECC070103619FA044E0B210D3 . 47376 . . [5.00.2195.7059] . . c:\winnt\system32\dllcache\spoolsv.exe
[-] 2005-04-08 01:51 . 1F124B89AA469671821115A39C0FBD27 . 48400 . . [5.00.2195.7013] . . c:\winnt\$NtUninstallKB896423$\spoolsv.exe
[-] 2003-06-19 09:05 . 987DAF317B917CFC973DE8364D62A76C . 45328 . . [5.00.2195.6659] . . c:\winnt\$NtUpdateRollupPackUninstall$\spoolsv.exe
[-] 2003-06-19 09:05 . 987DAF317B917CFC973DE8364D62A76C . 45328 . . [5.00.2195.6659] . . c:\winnt\ServicePackFiles\i386\spoolsv.exe

[-] 2005-04-08 01:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\WINLOGON.EXE
[-] 2005-04-08 01:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\dllcache\WINLOGON.EXE
[-] 2003-06-19 09:05 . 3980C28D116D438BBB36FB38526FDE1A . 181008 . . [5.00.2195.6714] . . c:\winnt\$NtUpdateRollupPackUninstall$\winlogon.exe
[-] 2003-06-19 09:05 . 3980C28D116D438BBB36FB38526FDE1A . 181008 . . [5.00.2195.6714] . . c:\winnt\ServicePackFiles\i386\winlogon.exe

[-] 2005-04-20 22:08 . 7D77D4AF905903AEDBEED9989857A9A5 . 78096 . . [5.00.2195.7039] . . c:\winnt\system32\cryptsvc.dll
[-] 2005-04-20 22:08 . 7D77D4AF905903AEDBEED9989857A9A5 . 78096 . . [5.00.2195.7039] . . c:\winnt\system32\dllcache\cryptsvc.dll
[-] 2003-06-19 09:05 . 385F52746FD8558D43999AEED250769A . 76048 . . [5.00.2195.6661] . . c:\winnt\$NtUpdateRollupPackUninstall$\cryptsvc.dll
[-] 2003-06-19 09:05 . 385F52746FD8558D43999AEED250769A . 76048 . . [5.00.2195.6661] . . c:\winnt\ServicePackFiles\i386\cryptsvc.dll

[-] 2008-07-10 10:00 . 019BD72A117C13DF44D6CA3B96A345D6 . 251152 . . [2000.2.3550.0] . . c:\winnt\system32\es.dll
[-] 2008-07-10 10:00 . 019BD72A117C13DF44D6CA3B96A345D6 . 251152 . . [2000.2.3550.0] . . c:\winnt\system32\dllcache\es.dll
[-] 2005-09-05 08:18 . D8D44D8ED1B35285A83984ACF5D13CB3 . 242448 . . [2000.2.3529.0] . . c:\winnt\$NtUninstallKB950974$\es.dll
[-] 2004-03-11 11:29 . 0400F13BDEC0E1F04C1AD2002D5650A4 . 239888 . . [2000.2.3511.0] . . c:\winnt\$NtUninstallKB902400$\es.dll
[-] 2003-06-19 09:05 . FACD7422F6FBC7CD3AEA3AFCB8382ECF . 233232 . . [2000.2.3504.0] . . c:\winnt\$NtUpdateRollupPackUninstall$\es.dll
[-] 2003-06-19 09:05 . FACD7422F6FBC7CD3AEA3AFCB8382ECF . 233232 . . [2000.2.3504.0] . . c:\winnt\ServicePackFiles\i386\es.dll

[-] 2003-06-19 09:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\imm32.dll
[-] 2003-06-19 09:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . c:\winnt\system32\imm32.dll

[-] 2007-04-16 12:44 . 18D623471DE9DCC2CEA310B2F3FBA15A . 712976 . . [5.00.2195.7135] . . c:\winnt\Driver Cache\i386\kernel32.dll
[-] 2007-04-16 12:44 . 0AB23B46CCAEBA64D748A5CF79CB4BB6 . 712976 . . [5.00.2195.7135] . . c:\winnt\system32\KERNEL32.DLL
[-] 2007-04-16 12:44 . 18D623471DE9DCC2CEA310B2F3FBA15A . 712976 . . [5.00.2195.7135] . . c:\winnt\system32\dllcache\kernel32.dll
[-] 2005-06-02 21:54 . 694E9BC2ADE4F30C99D8A59340307E1A . 712464 . . [5.00.2195.7006] . . c:\winnt\$NtUninstallKB935839$\kernel32.dll
[-] 2003-06-19 09:05 . AFFDA6F602A8F0DBA615279C28B3BDF8 . 743184 . . [5.00.2195.6688] . . c:\winnt\$NtUpdateRollupPackUninstall$\kernel32.dll
[-] 2003-06-19 09:05 . 1E93BDAAE187253D18711DA5C210474A . 743184 . . [5.00.2195.6688] . . c:\winnt\ServicePackFiles\i386\kernel32.dll

[-] 2005-09-23 11:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [5.00.2195.7069] . . c:\winnt\system32\linkinfo.dll
[-] 2005-09-23 11:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [5.00.2195.7069] . . c:\winnt\system32\dllcache\linkinfo.dll
[-] 2005-04-08 01:54 . 4EDE648460D79405487672EFF49805F6 . 17168 . . [5.00.2195.7009] . . c:\winnt\$NtUninstallKB900725$\linkinfo.dll
[-] 1999-12-07 12:00 . A5977BF56A537AFDF2464F1314C315CF . 16144 . . [5.00.2134.1] . . c:\winnt\$NtUpdateRollupPackUninstall$\linkinfo.dll

[-] 2003-06-19 09:05 . EF290209052ED43DDFDB8F0E74EC79EF . 20240 . . [5.00.2195.6692] . . c:\winnt\ServicePackFiles\i386\lpk.dll
[-] 2003-06-19 09:05 . EF290209052ED43DDFDB8F0E74EC79EF . 20240 . . [5.00.2195.6692] . . c:\winnt\system32\lpk.dll

[-] 2003-06-19 09:05 . BA7BE6F92680B28B9031170659FD222D . 286773 . . [6.10.9844.0] . . c:\winnt\ServicePackFiles\i386\msvcrt.dll
[-] 2003-06-19 09:05 . BA7BE6F92680B28B9031170659FD222D . 286773 . . [6.10.9844.0] . . c:\winnt\system32\msvcrt.dll

[-] 2003-06-19 09:05 . 0A35F356726069B95F4BB2A99203FDD4 . 13584 . . [5.00.3502.6601] . . c:\winnt\ServicePackFiles\i386\powrprof.dll
[-] 2003-06-19 09:05 . 0A35F356726069B95F4BB2A99203FDD4 . 13584 . . [5.00.3502.6601] . . c:\winnt\system32\powrprof.dll

[-] 2005-01-12 09:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [5.00.2195.7013] . . c:\winnt\system32\scecli.dll
[-] 2005-01-12 09:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [5.00.2195.7013] . . c:\winnt\system32\dllcache\scecli.dll
[-] 2003-06-19 09:05 . FF11B32A906D75CD96957B66E318DAD0 . 114448 . . [5.00.2195.6704] . . c:\winnt\$NtUpdateRollupPackUninstall$\scecli.dll
[-] 2003-06-19 09:05 . FF11B32A906D75CD96957B66E318DAD0 . 114448 . . [5.00.2195.6704] . . c:\winnt\ServicePackFiles\i386\scecli.dll

[-] 1999-12-07 12:00 . 9E64AD53CFD9DA2D22E8A924F8C6E62C . 7952 . . [5.00.2134.1] . . c:\winnt\system32\svchost.exe
[-] 1999-12-07 12:00 . 9E64AD53CFD9DA2D22E8A924F8C6E62C . 7952 . . [5.00.2134.1] . . c:\winnt\system32\dllcache\svchost.exe

[-] 2005-07-02 01:30 . E1086008E7BCE8621F09E6F13B89CC31 . 175888 . . [5.00.2195.7057] . . c:\winnt\system32\tapisrv.dll
[-] 2005-07-02 01:30 . E1086008E7BCE8621F09E6F13B89CC31 . 175888 . . [5.00.2195.7057] . . c:\winnt\system32\dllcache\tapisrv.dll
[-] 2005-01-12 23:10 . 15CC2BD96F18AFFFE655F53DBD1E2214 . 173840 . . [5.00.2195.7002] . . c:\winnt\$NtUninstallKB893756$\tapisrv.dll
[-] 2003-06-19 09:05 . 83C78929A8DB0AA545B5F90A4786783C . 173328 . . [5.00.2195.6666] . . c:\winnt\$NtUpdateRollupPackUninstall$\tapisrv.dll
[-] 2003-06-19 09:05 . 83C78929A8DB0AA545B5F90A4786783C . 173328 . . [5.00.2195.6666] . . c:\winnt\ServicePackFiles\i386\tapisrv.dll

[-] 2003-06-19 09:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\ServicePackFiles\i386\userinit.exe
[-] 2003-06-19 09:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\system32\USERINIT.EXE
[-] 2003-06-19 09:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\system32\dllcache\userinit.exe

[-] 2003-06-19 09:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . c:\winnt\ServicePackFiles\i386\ws2_32.dll
[-] 2003-06-19 09:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . c:\winnt\system32\ws2_32.dll

[-] 2003-06-19 09:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . c:\winnt\explorer.exe
[-] 2003-06-19 09:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . c:\winnt\ServicePackFiles\i386\explorer.exe

[-] 2005-04-08 01:54 . E7F03344AE103B02135C20112B557051 . 49424 . . [5.00.2195.7036] . . c:\winnt\system32\EVENTLOG.DLL
[-] 2005-04-08 01:54 . E7F03344AE103B02135C20112B557051 . 49424 . . [5.00.2195.7036] . . c:\winnt\system32\dllcache\EVENTLOG.DLL
[-] 2003-06-19 09:05 . 5738D5804F61A1D30D86FA24DEE56E0C . 47888 . . [5.00.2195.6716] . . c:\winnt\$NtUpdateRollupPackUninstall$\eventlog.dll
[-] 2003-06-19 09:05 . 5738D5804F61A1D30D86FA24DEE56E0C . 47888 . . [5.00.2195.6716] . . c:\winnt\ServicePackFiles\i386\eventlog.dll

[-] 2005-04-08 00:34 . 7645645BB506C26B96B8F31893378C4B . 973072 . . [5.00.2195.7038] . . c:\winnt\system32\sfcfiles.dll
[-] 2005-04-08 00:34 . 7645645BB506C26B96B8F31893378C4B . 973072 . . [5.00.2195.7038] . . c:\winnt\system32\dllcache\sfcfiles.dll
[-] 2003-06-19 09:05 . A871E77694E9146B3C655A734B1ECF46 . 971024 . . [5.00.2195.6717] . . c:\winnt\$NtUpdateRollupPackUninstall$\sfcfiles.dll
[-] 2003-06-19 09:05 . A871E77694E9146B3C655A734B1ECF46 . 971024 . . [5.00.2195.6717] . . c:\winnt\ServicePackFiles\i386\sfcfiles.dll

[-] 2003-06-19 09:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . c:\winnt\ServicePackFiles\i386\appmgmts.dll
[-] 2003-06-19 09:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . c:\winnt\system32\appmgmts.dll

[-] 2003-06-19 09:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\acpiec.sys
[-] 2003-06-19 09:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\system32\dllcache\acpiec.sys
[-] 2003-06-19 09:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\acpiec.sys

[-] 2003-06-19 09:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\agp440.sys
[-] 2003-06-19 09:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\system32\dllcache\agp440.sys
[-] 2003-06-19 09:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\agp440.sys

[-] 2005-04-08 01:54 . 4B6E4C650721D2A51B8F51B7E5787552 . 35600 . . [5.00.2195.6861] . . c:\winnt\system32\MSGSVC.DLL
[-] 2005-04-08 01:54 . 4B6E4C650721D2A51B8F51B7E5787552 . 35600 . . [5.00.2195.6861] . . c:\winnt\system32\dllcache\msgsvc.dll
[-] 2003-06-19 09:05 . C470CF2972A6DF2214764DA2FE8B768F . 35600 . . [5.00.2195.6656] . . c:\winnt\$NtUpdateRollupPackUninstall$\msgsvc.dll
[-] 2003-06-19 09:05 . C470CF2972A6DF2214764DA2FE8B768F . 35600 . . [5.00.2195.6656] . . c:\winnt\ServicePackFiles\i386\msgsvc.dll

[-] 2002-11-26 16:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll

[-] 2003-06-19 09:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\ntmssvc.dll
[-] 2003-06-19 09:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . c:\winnt\system32\ntmssvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CP32NOT"="c:\progra~1\ONE-TO~1\CP32NBTN.EXE" [2000-10-05 45056]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2000-09-22 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2000-09-22 249856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-27 271672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-07 180269]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-10-16 208616]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"S3Hotkey"="s3hotkey.exe" - c:\winnt\system32\s3hotkey.exe [2001-03-07 31232]
"S3TRAYHP"="S3trayhp.exe" - c:\winnt\system32\S3trayhp.exe [2001-02-16 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-09-04 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Wlan Utility.lnk - c:\program files\Corinex\Wireless G USB Mini Adapter\ZDWlan.exe [2009-8-19 466944]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R3 ZD1211U(Corinex);Corinex Wireless LAN Driver (USB)(Corinex);c:\winnt\system32\DRIVERS\zd1211u.sys [2004-12-22 258560]
R4 ioperm;ioperm support for Cygwin driver;c:\htt-humaxgbox\cygwin\bin\ioperm.sys [x]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2009-10-16 33808]
S3 EN5251;Accton EN1207F/EN2220A/EN2242 Series PCI Fast Ethernet Adapter Win2000 Driver;c:\winnt\system32\DRIVERS\EN5251N5.SYS [2001-04-02 34272]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\DRIVERS\klim5.sys [2008-04-30 24592]

.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 10:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?237d0274c52146c4b93fa8f675165c26
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?237d0274c52146c4b93fa8f675165c26
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v2aguhkq.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 23:02
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(228)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1548)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
c:\winnt\system32\WININET.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\winnt\system32\stisvc.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\winnt\system32\mspmspsv.exe
c:\combofix\CF29549.exe
c:\progra~1\ONE-TO~1\CDRomMnt.EXE
c:\progra~1\ONE-TO~1\KBOSDCtl.EXE
c:\progra~1\ONE-TO~1\CP32NKCC.EXE
c:\program files\iPod\bin\iPodService.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 23:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 20:14

Pre-Run: 1,555,783,680 bytes free
Post-Run: 1,577,902,080 bytes free

- - End Of File - - 0E20BD5B43923528D6FA32998B9B2750


The GMER log is here below:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-24 23:42:55
Windows 5.0.2195 Service Pack 4
Running: uw963jot gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\axtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xBF6CEB96]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwClose [0xBF6CF142]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwConnectPort [0xBF6D0B82]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateFile [0xBF6D0538]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateKey [0xBF6CE30C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xBF6D24E6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateThread [0xBF6CEF3E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwDeleteKey [0xBF6CE74E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwDeleteValueKey [0xBF6CE94E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xBF6D0844]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwDuplicateObject [0xBF6D29F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwEnumerateKey [0xBF6CEA64]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwEnumerateValueKey [0xBF6CEACC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwFsControlFile [0xBF6D06FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwLoadDriver [0xBF6D1FAA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenFile [0xBF6D0394]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenKey [0xBF6CE46E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenProcess [0xBF6CED64]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenSection [0xBF6D2510]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenThread [0xBF6CECBA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwQueryKey [0xBF6CEB34]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xBF6CE838]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwQueryValueKey [0xBF6CE616]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwReplaceKey [0xBF6CDF8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xBF6D140C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwRestoreKey [0xBF6CE0F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSaveKey [0xBF6CDD8C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSecureConnectPort [0xBF6D0A24]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSetSecurityObject [0xBF6D20A4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSetSystemInformation [0xBF6D253A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSetValueKey [0xBF6CE4C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSystemDebugControl [0xBF6D1ED6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwTerminateProcess [0xBF6CEE0E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xBF6CEE80]

---- Kernel code sections - GMER 1.0.15 ----

? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINNT\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[524] C:\WINNT\system32\KERNEL32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[524] USER32.dll!VRipOutput + FFFB8783 77E13A00 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1412] C:\WINNT\system32\KERNEL32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1412] USER32.dll!VRipOutput + FFFB8783 77E13A00 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

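A triage script for the GMER log above, added here as an example and not part of the original post or of GMER itself. Every SSDT hook GMER reports on this machine is owned by klif.sys, which the log attributes to Kaspersky Lab (Kaspersky Anti-Virus 2009 is installed, per the ComboFix output), so those hooks are expected; the one entry that stands out is the hidden "Schedule" service whose image is MSTask.exe, the same file ComboFix lists as infected. The script groups SSDT hooks by the driver that owns them, isolates hooks whose owner has no vendor string or a vendor not in a trusted set, and extracts hidden services. The trusted-vendor set is an assumption for this example, and the unattributed hook line in the sample is constructed to show what an untrusted hook would look like; the other sample lines are copied from the log.

```python
"""
Triage the "System" and "Services" sections of a GMER log: group SSDT hooks
by the owning driver, flag hooks whose owner is not attributed to a trusted
vendor, and extract services GMER marks as hidden.
"""
import re
from collections import defaultdict

# SSDT row: SSDT <module> (<description/Vendor>) <ZwFunction> [<address>]
# The parenthesised description is absent when GMER cannot identify the module.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+(?:\((?P<desc>[^)]*)\)\s+)?"
    r"(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
# Service row: Service <image> (*** hidden *** ) [<start>] <name> <-- ROOTKIT !!!
HIDDEN_SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)

# Assumption for this example: vendors whose kernel hooks are expected on this box.
TRUSTED_VENDORS = {"Kaspersky Lab", "Microsoft Corporation"}


def parse_gmer(text):
    """Return (ssdt_hooks, hidden_services) parsed from GMER log text."""
    hooks, hidden = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            desc = m.group("desc") or ""
            # GMER prints "<file description>/<company>"; the company is the vendor.
            vendor = desc.rsplit("/", 1)[-1].strip() if "/" in desc else ""
            hooks.append({"module": m.group("module"), "vendor": vendor,
                          "func": m.group("func"), "addr": int(m.group("addr"), 16)})
            continue
        m = HIDDEN_SERVICE_RE.match(line)
        if m:
            # GMER appends "?" to the image path in this log; trim it for the path.
            hidden.append({"image": m.group("image").rstrip("?"),
                           "start": m.group("start"), "name": m.group("name")})
    return hooks, hidden


def summarize_hooks(hooks):
    """Map module -> {"vendor": str, "funcs": sorted list of hooked Zw* calls}."""
    per_module = defaultdict(lambda: {"vendor": "", "funcs": []})
    for h in hooks:
        per_module[h["module"]]["vendor"] = h["vendor"]
        per_module[h["module"]]["funcs"].append(h["func"])
    for info in per_module.values():
        info["funcs"].sort()
    return dict(per_module)


def suspicious_hooks(hooks, trusted=TRUSTED_VENDORS):
    """Hooks whose owning module has no vendor or a vendor outside the trusted set."""
    return [h for h in hooks if h["vendor"] not in trusted]


# Sample input: the first three lines are copied from the GMER log above; the
# "example.sys" line is constructed to show an unattributed hook.
SAMPLE = r"""
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateFile [0xBF6D0538]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenProcess [0xBF6CED64]
SSDT \??\C:\WINNT\system32\drivers\example.sys ZwQueryDirectoryFile [0xF7A1C2E0]
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    hooks, hidden = parse_gmer(SAMPLE)
    for module, info in summarize_hooks(hooks).items():
        print(f"{module} ({info['vendor'] or 'no vendor'}): {', '.join(info['funcs'])}")
    for h in suspicious_hooks(hooks):
        print(f"UNTRUSTED HOOK: {h['func']} -> {h['module']} at {h['addr']:#x}")
    for s in hidden:
        print(f"HIDDEN SERVICE: {s['name']} [{s['start']}] image {s['image']}")
```

Run against the full log pasted above, every hook lands in one klif.sys group with "Kaspersky Lab" as vendor and the only finding is the hidden Schedule service; a hook from a driver GMER cannot attribute, as in the constructed line, is what an actual kernel-mode rootkit would look like in this output.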
#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 24 October 2009 - 09:16 PM

Hello.

It seems ComboFix wasn't run successfully previously.

Please delete the copy of ComboFix you have, re-download it from one of those two links if you haven't already done so, and make sure it's on your DESKTOP and not anywhere else. Then double-click it to run it and post the new ComboFix log for me once it's done, please.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#11 akramabed
  • Topic Starter
  • Members
  • 12 posts

Posted 25 October 2009 - 04:07 PM

Hi,
You are right, I had a shortcut on my desktop. Here is the log after running ComboFix again. Is there any difference?


ComboFix 09-10-22.01 - Administrator 25/10/2009 22:30.6.1 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\AUTOCHK.EXE . . . is infected!!

c:\winnt\system32\CHKDSK.EXE . . . is infected!!

c:\winnt\system32\CMD.EXE . . . is infected!!

c:\winnt\system32\fltmc.exe . . . is infected!!

c:\winnt\system32\FONTVIEW.EXE . . . is infected!!

c:\winnt\system32\GRPCONV.EXE . . . is infected!!

c:\winnt\system32\LSASS.EXE . . . is infected!!

c:\winnt\system32\mstask.exe . . . is infected!!

c:\winnt\system32\NETDDE.EXE . . . is infected!!

c:\winnt\system32\NTVDM.EXE . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 19:22 . 2009-10-25 19:22 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_304.dat
2009-10-16 13:41 . 2009-10-16 14:26 95259 ----a-w- c:\winnt\system32\drivers\klick.dat
2009-10-16 13:41 . 2009-10-16 14:26 108059 ----a-w- c:\winnt\system32\drivers\klin.dat
2009-10-16 13:39 . 2009-10-24 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-16 13:28 . 2009-10-16 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-10-09 17:00 . 2009-10-09 17:00 -------- d-----w- c:\program files\Free RM to MP3 Converter
2009-10-09 16:59 . 2009-10-09 16:59 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2009-09-27 21:12 . 2009-10-16 13:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-27 21:12 . 2009-10-16 13:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 14:26 . 2008-01-29 15:29 33808 ----a-w- c:\winnt\system32\drivers\klbg.sys
2009-10-16 13:39 . 2007-10-04 07:38 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-26 19:22 . 2008-07-04 14:45 -------- d-----w- c:\program files\MPlayer for Windows
2009-09-21 23:11 . 2007-02-01 14:57 -------- d-----w- c:\program files\Windows Live Toolbar
2009-09-15 16:05 . 2009-09-15 16:05 -------- d---a-w- c:\program files\Fahess_Activation
2009-09-15 16:05 . 2009-09-15 16:05 -------- d---a-w- c:\program files\Common Files\Motive
2009-09-15 16:04 . 2009-09-15 16:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\Motive
2009-08-19 07:44 . 2009-08-19 07:44 57344 ----a-w- c:\winnt\uneng.exe
2009-08-19 07:44 . 2009-08-19 07:44 58000 ----a-w- c:\winnt\system32\drivers\cdr4_2K.sys
2009-08-19 07:44 . 2009-08-19 07:44 49152 ----a-w- c:\winnt\system32\cdrtc.dll
2009-08-19 07:44 . 2009-08-19 07:44 45056 ----a-w- c:\winnt\system32\cdral.dll
2009-08-19 07:44 . 2009-08-19 07:44 23420 ----a-w- c:\winnt\system32\drivers\cdralw2k.sys
2009-08-05 05:04 . 2009-08-05 05:04 90164 ----a-w- c:\winnt\system32\atl.dll
2000-01-07 08:53 . 2007-01-25 18:43 696320 -c--a-w- c:\program files\Common Files\XCMHook.dll
2000-01-06 12:57 . 2007-01-25 18:43 24576 -c--a-w- c:\program files\Common Files\XCPCMenu.exe
1999-03-28 23:34 . 1999-03-28 23:34 106768 -c--a-w- c:\program files\msscript.ocx
1997-05-23 23:16 . 2006-06-15 17:08 70780 -c--a-r- c:\program files\msscript.hlp
1997-05-23 23:16 . 2006-06-15 17:08 2154 -c--a-r- c:\program files\msscript.cnt
1988-01-15 12:54 . 1988-01-15 12:54 21952 -c-h--w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2003-06-19 09:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\asyncmac.sys
[-] 2003-06-19 09:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\system32\dllcache\asyncmac.sys
[-] 2003-06-19 09:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\asyncmac.sys

[-] 1999-12-07 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . c:\winnt\system32\dllcache\beep.sys
[-] 1999-12-07 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . c:\winnt\system32\drivers\beep.sys

[-] 2003-06-19 09:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\ServicePackFiles\i386\kbdclass.sys
[-] 2003-06-19 09:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\system32\dllcache\kbdclass.sys
[-] 2003-06-19 09:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\system32\drivers\kbdclass.sys

[-] 2003-06-19 09:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\ndis.sys
[-] 2003-06-19 09:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\system32\dllcache\ndis.sys
[-] 2003-06-19 09:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\ndis.sys

[-] 2005-05-09 23:20 . 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 . 513424 . . [5.00.2195.7049] . . c:\winnt\system32\dllcache\ntfs.sys
[-] 2005-05-09 23:20 . 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 . 513424 . . [5.00.2195.7049] . . c:\winnt\system32\drivers\ntfs.sys
[-] 2003-06-19 09:05 . F6AB0E765D5B80443B93C52C42F2602A . 534192 . . [5.00.2195.6710] . . c:\winnt\$NtUpdateRollupPackUninstall$\ntfs.sys
[-] 2003-06-19 09:05 . F6AB0E765D5B80443B93C52C42F2602A . 534192 . . [5.00.2195.6710] . . c:\winnt\ServicePackFiles\i386\ntfs.sys

[-] 1999-12-07 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . c:\winnt\system32\dllcache\null.sys
[-] 1999-12-07 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . c:\winnt\system32\drivers\null.sys

[-] 2005-04-08 01:54 . B4F3ECAAEBC715EDBEA44A28FDEDA851 . 71440 . . [5.00.2195.6866] . . c:\winnt\system32\browser.dll
[-] 2005-04-08 01:54 . B4F3ECAAEBC715EDBEA44A28FDEDA851 . 71440 . . [5.00.2195.6866] . . c:\winnt\system32\dllcache\browser.dll
[-] 2003-06-19 09:05 . 38A6BC551496C24118BD1524425AF2FE . 68880 . . [5.00.2195.6693] . . c:\winnt\$NtUpdateRollupPackUninstall$\browser.dll
[-] 2003-06-19 09:05 . 38A6BC551496C24118BD1524425AF2FE . 68880 . . [5.00.2195.6693] . . c:\winnt\ServicePackFiles\i386\browser.dll

[-] 2004-12-19 12:30 . F19D0A319AB4BF5496F08807CB9B8651 . 33552 . . [5.00.2195.7011] . . c:\winnt\system32\LSASS.EXE
[-] 2003-06-19 09:05 . 271229760CCED993E9E7CAB1C7274134 . 33552 . . [5.00.2195.6695] . . c:\winnt\$NtUpdateRollupPackUninstall$\lsass.exe
[-] 2003-06-19 09:05 . 271229760CCED993E9E7CAB1C7274134 . 33552 . . [5.00.2195.6695] . . c:\winnt\ServicePackFiles\i386\lsass.exe

[-] 2005-08-15 22:35 . 600104D606AB3E9B9AB36076E6261A05 . 100112 . . [5.00.2195.7061] . . c:\winnt\system32\netman.dll
[-] 2005-08-15 22:35 . 600104D606AB3E9B9AB36076E6261A05 . 100112 . . [5.00.2195.7061] . . c:\winnt\system32\dllcache\netman.dll
[-] 2003-06-19 09:05 . 648A07AB73E49EF547A48D240CD36125 . 95504 . . [5.00.2195.6660] . . c:\winnt\$NtUninstallKB905414$\netman.dll
[-] 2003-06-19 09:05 . 648A07AB73E49EF547A48D240CD36125 . 95504 . . [5.00.2195.6660] . . c:\winnt\ServicePackFiles\i386\netman.dll

[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\qmgr.dll
[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\BITS\qmgr.dll
[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\dllcache\qmgr.dll
[-] 2003-06-19 09:05 . FE02334DB8598E2706A51A24DD33AB00 . 244224 . . [6.2.3630.2522 built by: lab04_n] . . c:\winnt\$NtUninstallKB842773$\qmgr.dll
[-] 2003-06-19 09:05 . FE02334DB8598E2706A51A24DD33AB00 . 244224 . . [6.2.3630.2522 built by: lab04_n] . . c:\winnt\ServicePackFiles\i386\qmgr.dll

[-] 2005-09-05 08:18 . 037EBCF93DF5F0C31CCD2FF7E31E3BA5 . 212240 . . [5.00.2195.7059] . . c:\winnt\system32\rpcss.dll
[-] 2005-09-05 08:18 . 037EBCF93DF5F0C31CCD2FF7E31E3BA5 . 212240 . . [5.00.2195.7059] . . c:\winnt\system32\dllcache\rpcss.dll
[-] 2005-04-08 01:54 . 391AFA6F7FE9AA667B2C54DFAE2D0FBD . 273680 . . [5.00.2195.7021] . . c:\winnt\$NtUninstallKB902400$\rpcss.dll
[-] 2003-06-19 09:05 . B49E4F60ED7E5918E44396768F9F02F2 . 239376 . . [5.00.2195.6702] . . c:\winnt\$NtUpdateRollupPackUninstall$\rpcss.dll
[-] 2003-06-19 09:05 . B49E4F60ED7E5918E44396768F9F02F2 . 239376 . . [5.00.2195.6702] . . c:\winnt\ServicePackFiles\i386\rpcss.dll

[-] 2005-04-08 01:51 . B861B4E6E9637EB76A40C10C552E0229 . 92944 . . [5.00.2195.7035] . . c:\winnt\system32\SERVICES.EXE
[-] 2005-04-08 01:51 . B861B4E6E9637EB76A40C10C552E0229 . 92944 . . [5.00.2195.7035] . . c:\winnt\system32\dllcache\services.exe
[-] 2003-06-19 09:05 . CFED2D28F5B8A24127E9E06043070643 . 89360 . . [5.00.2195.6700] . . c:\winnt\$NtUpdateRollupPackUninstall$\services.exe
[-] 2003-06-19 09:05 . CFED2D28F5B8A24127E9E06043070643 . 89360 . . [5.00.2195.6700] . . c:\winnt\ServicePackFiles\i386\services.exe

[-] 2005-07-11 18:59 . FACFB75ECC070103619FA044E0B210D3 . 47376 . . [5.00.2195.7059] . . c:\winnt\system32\spoolsv.exe
[-] 2005-07-11 18:59 . FACFB75ECC070103619FA044E0B210D3 . 47376 . . [5.00.2195.7059] . . c:\winnt\system32\dllcache\spoolsv.exe
[-] 2005-04-08 01:51 . 1F124B89AA469671821115A39C0FBD27 . 48400 . . [5.00.2195.7013] . . c:\winnt\$NtUninstallKB896423$\spoolsv.exe
[-] 2003-06-19 09:05 . 987DAF317B917CFC973DE8364D62A76C . 45328 . . [5.00.2195.6659] . . c:\winnt\$NtUpdateRollupPackUninstall$\spoolsv.exe
[-] 2003-06-19 09:05 . 987DAF317B917CFC973DE8364D62A76C . 45328 . . [5.00.2195.6659] . . c:\winnt\ServicePackFiles\i386\spoolsv.exe

[-] 2005-04-08 01:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\WINLOGON.EXE
[-] 2005-04-08 01:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\dllcache\WINLOGON.EXE
[-] 2003-06-19 09:05 . 3980C28D116D438BBB36FB38526FDE1A . 181008 . . [5.00.2195.6714] . . c:\winnt\$NtUpdateRollupPackUninstall$\winlogon.exe
[-] 2003-06-19 09:05 . 3980C28D116D438BBB36FB38526FDE1A . 181008 . . [5.00.2195.6714] . . c:\winnt\ServicePackFiles\i386\winlogon.exe

[-] 2005-04-20 22:08 . 7D77D4AF905903AEDBEED9989857A9A5 . 78096 . . [5.00.2195.7039] . . c:\winnt\system32\cryptsvc.dll
[-] 2005-04-20 22:08 . 7D77D4AF905903AEDBEED9989857A9A5 . 78096 . . [5.00.2195.7039] . . c:\winnt\system32\dllcache\cryptsvc.dll
[-] 2003-06-19 09:05 . 385F52746FD8558D43999AEED250769A . 76048 . . [5.00.2195.6661] . . c:\winnt\$NtUpdateRollupPackUninstall$\cryptsvc.dll
[-] 2003-06-19 09:05 . 385F52746FD8558D43999AEED250769A . 76048 . . [5.00.2195.6661] . . c:\winnt\ServicePackFiles\i386\cryptsvc.dll

[-] 2008-07-10 10:00 . 019BD72A117C13DF44D6CA3B96A345D6 . 251152 . . [2000.2.3550.0] . . c:\winnt\system32\es.dll
[-] 2008-07-10 10:00 . 019BD72A117C13DF44D6CA3B96A345D6 . 251152 . . [2000.2.3550.0] . . c:\winnt\system32\dllcache\es.dll
[-] 2005-09-05 08:18 . D8D44D8ED1B35285A83984ACF5D13CB3 . 242448 . . [2000.2.3529.0] . . c:\winnt\$NtUninstallKB950974$\es.dll
[-] 2004-03-11 11:29 . 0400F13BDEC0E1F04C1AD2002D5650A4 . 239888 . . [2000.2.3511.0] . . c:\winnt\$NtUninstallKB902400$\es.dll
[-] 2003-06-19 09:05 . FACD7422F6FBC7CD3AEA3AFCB8382ECF . 233232 . . [2000.2.3504.0] . . c:\winnt\$NtUpdateRollupPackUninstall$\es.dll
[-] 2003-06-19 09:05 . FACD7422F6FBC7CD3AEA3AFCB8382ECF . 233232 . . [2000.2.3504.0] . . c:\winnt\ServicePackFiles\i386\es.dll

[-] 2003-06-19 09:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\imm32.dll
[-] 2003-06-19 09:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . c:\winnt\system32\imm32.dll

[-] 2007-04-16 12:44 . 18D623471DE9DCC2CEA310B2F3FBA15A . 712976 . . [5.00.2195.7135] . . c:\winnt\Driver Cache\i386\kernel32.dll
[-] 2007-04-16 12:44 . 0AB23B46CCAEBA64D748A5CF79CB4BB6 . 712976 . . [5.00.2195.7135] . . c:\winnt\system32\KERNEL32.DLL
[-] 2007-04-16 12:44 . 18D623471DE9DCC2CEA310B2F3FBA15A . 712976 . . [5.00.2195.7135] . . c:\winnt\system32\dllcache\kernel32.dll
[-] 2005-06-02 21:54 . 694E9BC2ADE4F30C99D8A59340307E1A . 712464 . . [5.00.2195.7006] . . c:\winnt\$NtUninstallKB935839$\kernel32.dll
[-] 2003-06-19 09:05 . AFFDA6F602A8F0DBA615279C28B3BDF8 . 743184 . . [5.00.2195.6688] . . c:\winnt\$NtUpdateRollupPackUninstall$\kernel32.dll
[-] 2003-06-19 09:05 . 1E93BDAAE187253D18711DA5C210474A . 743184 . . [5.00.2195.6688] . . c:\winnt\ServicePackFiles\i386\kernel32.dll

[-] 2005-09-23 11:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [5.00.2195.7069] . . c:\winnt\system32\linkinfo.dll
[-] 2005-09-23 11:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [5.00.2195.7069] . . c:\winnt\system32\dllcache\linkinfo.dll
[-] 2005-04-08 01:54 . 4EDE648460D79405487672EFF49805F6 . 17168 . . [5.00.2195.7009] . . c:\winnt\$NtUninstallKB900725$\linkinfo.dll
[-] 1999-12-07 12:00 . A5977BF56A537AFDF2464F1314C315CF . 16144 . . [5.00.2134.1] . . c:\winnt\$NtUpdateRollupPackUninstall$\linkinfo.dll

[-] 2003-06-19 09:05 . EF290209052ED43DDFDB8F0E74EC79EF . 20240 . . [5.00.2195.6692] . . c:\winnt\ServicePackFiles\i386\lpk.dll
[-] 2003-06-19 09:05 . EF290209052ED43DDFDB8F0E74EC79EF . 20240 . . [5.00.2195.6692] . . c:\winnt\system32\lpk.dll

[-] 2003-06-19 09:05 . BA7BE6F92680B28B9031170659FD222D . 286773 . . [6.10.9844.0] . . c:\winnt\ServicePackFiles\i386\msvcrt.dll
[-] 2003-06-19 09:05 . BA7BE6F92680B28B9031170659FD222D . 286773 . . [6.10.9844.0] . . c:\winnt\system32\msvcrt.dll

[-] 2003-06-19 09:05 . 0A35F356726069B95F4BB2A99203FDD4 . 13584 . . [5.00.3502.6601] . . c:\winnt\ServicePackFiles\i386\powrprof.dll
[-] 2003-06-19 09:05 . 0A35F356726069B95F4BB2A99203FDD4 . 13584 . . [5.00.3502.6601] . . c:\winnt\system32\powrprof.dll

[-] 2005-01-12 09:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [5.00.2195.7013] . . c:\winnt\system32\scecli.dll
[-] 2005-01-12 09:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [5.00.2195.7013] . . c:\winnt\system32\dllcache\scecli.dll
[-] 2003-06-19 09:05 . FF11B32A906D75CD96957B66E318DAD0 . 114448 . . [5.00.2195.6704] . . c:\winnt\$NtUpdateRollupPackUninstall$\scecli.dll
[-] 2003-06-19 09:05 . FF11B32A906D75CD96957B66E318DAD0 . 114448 . . [5.00.2195.6704] . . c:\winnt\ServicePackFiles\i386\scecli.dll

[-] 1999-12-07 12:00 . 9E64AD53CFD9DA2D22E8A924F8C6E62C . 7952 . . [5.00.2134.1] . . c:\winnt\system32\svchost.exe
[-] 1999-12-07 12:00 . 9E64AD53CFD9DA2D22E8A924F8C6E62C . 7952 . . [5.00.2134.1] . . c:\winnt\system32\dllcache\svchost.exe

[-] 2005-07-02 01:30 . E1086008E7BCE8621F09E6F13B89CC31 . 175888 . . [5.00.2195.7057] . . c:\winnt\system32\tapisrv.dll
[-] 2005-07-02 01:30 . E1086008E7BCE8621F09E6F13B89CC31 . 175888 . . [5.00.2195.7057] . . c:\winnt\system32\dllcache\tapisrv.dll
[-] 2005-01-12 23:10 . 15CC2BD96F18AFFFE655F53DBD1E2214 . 173840 . . [5.00.2195.7002] . . c:\winnt\$NtUninstallKB893756$\tapisrv.dll
[-] 2003-06-19 09:05 . 83C78929A8DB0AA545B5F90A4786783C . 173328 . . [5.00.2195.6666] . . c:\winnt\$NtUpdateRollupPackUninstall$\tapisrv.dll
[-] 2003-06-19 09:05 . 83C78929A8DB0AA545B5F90A4786783C . 173328 . . [5.00.2195.6666] . . c:\winnt\ServicePackFiles\i386\tapisrv.dll

[-] 2003-06-19 09:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\ServicePackFiles\i386\userinit.exe
[-] 2003-06-19 09:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\system32\USERINIT.EXE
[-] 2003-06-19 09:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\system32\dllcache\userinit.exe

[-] 2003-06-19 09:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . c:\winnt\ServicePackFiles\i386\ws2_32.dll
[-] 2003-06-19 09:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . c:\winnt\system32\ws2_32.dll

[-] 2003-06-19 09:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . c:\winnt\explorer.exe
[-] 2003-06-19 09:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . c:\winnt\ServicePackFiles\i386\explorer.exe

[-] 2005-04-08 01:54 . E7F03344AE103B02135C20112B557051 . 49424 . . [5.00.2195.7036] . . c:\winnt\system32\EVENTLOG.DLL
[-] 2005-04-08 01:54 . E7F03344AE103B02135C20112B557051 . 49424 . . [5.00.2195.7036] . . c:\winnt\system32\dllcache\EVENTLOG.DLL
[-] 2003-06-19 09:05 . 5738D5804F61A1D30D86FA24DEE56E0C . 47888 . . [5.00.2195.6716] . . c:\winnt\$NtUpdateRollupPackUninstall$\eventlog.dll
[-] 2003-06-19 09:05 . 5738D5804F61A1D30D86FA24DEE56E0C . 47888 . . [5.00.2195.6716] . . c:\winnt\ServicePackFiles\i386\eventlog.dll

[-] 2005-04-08 00:34 . 7645645BB506C26B96B8F31893378C4B . 973072 . . [5.00.2195.7038] . . c:\winnt\system32\sfcfiles.dll
[-] 2005-04-08 00:34 . 7645645BB506C26B96B8F31893378C4B . 973072 . . [5.00.2195.7038] . . c:\winnt\system32\dllcache\sfcfiles.dll
[-] 2003-06-19 09:05 . A871E77694E9146B3C655A734B1ECF46 . 971024 . . [5.00.2195.6717] . . c:\winnt\$NtUpdateRollupPackUninstall$\sfcfiles.dll
[-] 2003-06-19 09:05 . A871E77694E9146B3C655A734B1ECF46 . 971024 . . [5.00.2195.6717] . . c:\winnt\ServicePackFiles\i386\sfcfiles.dll

[-] 2003-06-19 09:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . c:\winnt\ServicePackFiles\i386\appmgmts.dll
[-] 2003-06-19 09:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . c:\winnt\system32\appmgmts.dll

[-] 2003-06-19 09:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\acpiec.sys
[-] 2003-06-19 09:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\system32\dllcache\acpiec.sys
[-] 2003-06-19 09:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\acpiec.sys

[-] 2003-06-19 09:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\agp440.sys
[-] 2003-06-19 09:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\system32\dllcache\agp440.sys
[-] 2003-06-19 09:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\agp440.sys

[-] 2005-04-08 01:54 . 4B6E4C650721D2A51B8F51B7E5787552 . 35600 . . [5.00.2195.6861] . . c:\winnt\system32\MSGSVC.DLL
[-] 2005-04-08 01:54 . 4B6E4C650721D2A51B8F51B7E5787552 . 35600 . . [5.00.2195.6861] . . c:\winnt\system32\dllcache\msgsvc.dll
[-] 2003-06-19 09:05 . C470CF2972A6DF2214764DA2FE8B768F . 35600 . . [5.00.2195.6656] . . c:\winnt\$NtUpdateRollupPackUninstall$\msgsvc.dll
[-] 2003-06-19 09:05 . C470CF2972A6DF2214764DA2FE8B768F . 35600 . . [5.00.2195.6656] . . c:\winnt\ServicePackFiles\i386\msgsvc.dll

[-] 2002-11-26 16:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll

[-] 2003-06-19 09:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\ntmssvc.dll
[-] 2003-06-19 09:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . c:\winnt\system32\ntmssvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CP32NOT"="c:\progra~1\ONE-TO~1\CP32NBTN.EXE" [2000-10-05 45056]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2000-09-22 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2000-09-22 249856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-27 271672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-07 180269]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"S3Hotkey"="s3hotkey.exe" - c:\winnt\system32\s3hotkey.exe [2001-03-07 31232]
"S3TRAYHP"="S3trayhp.exe" - c:\winnt\system32\S3trayhp.exe [2001-02-16 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-09-04 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R3 ZD1211U(Corinex);Corinex Wireless LAN Driver (USB)(Corinex);c:\winnt\system32\DRIVERS\zd1211u.sys [2004-12-22 258560]
R4 ioperm;ioperm support for Cygwin driver;c:\htt-humaxgbox\cygwin\bin\ioperm.sys [x]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2009-10-16 33808]
S3 EN5251;Accton EN1207F/EN2220A/EN2242 Series PCI Fast Ethernet Adapter Win2000 Driver;c:\winnt\system32\DRIVERS\EN5251N5.SYS [2001-04-02 34272]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\DRIVERS\klim5.sys [2008-04-30 24592]

.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 10:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?237d0274c52146c4b93fa8f675165c26
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?237d0274c52146c4b93fa8f675165c26
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v2aguhkq.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 22:56
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(228)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1172)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
c:\winnt\system32\WININET.DLL
.
Completion time: 2009-10-25 23:10
ComboFix-quarantined-files.txt 2009-10-25 20:10

Pre-Run: 1,613,004,800 bytes free
Post-Run: 1,606,148,096 bytes free

- - End Of File - - 89605E15827E0B9946518E2E7AF8CD11

Edited by akramabed, 25 October 2009 - 04:10 PM.

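A check for the Sigcheck section of the ComboFix log above, added here as an example; it is not part of the original post or of ComboFix. Every file in that section carries the same [-] marker, so the marker by itself tells you nothing. What does tell you something is the MD5 column: Windows keeps pristine copies of protected files in dllcache, ServicePackFiles and Driver Cache, and a live copy in system32 that reports the same version and size as its cached copy but a different hash has been modified on disk. The script parses the rows, pairs each live file with cached copies of identical version and size, ignores the $NtUninstall*$ hotfix backups (which are legitimately older), and reports the mismatches. The sample rows are copied from the log in this thread; on them the only finding is kernel32.dll, whose system32 copy hashes differently from both the dllcache and Driver Cache copies, consistent with the "KERNEL32.dll time/date stamp mismatch" GMER reported. Treating Driver Cache as a reference directory is an assumption made for this example.

```python
"""
Parse the Sigcheck section of a ComboFix log and flag live system files whose
MD5 differs from a cached copy (dllcache / ServicePackFiles / Driver Cache)
that reports the same file version and size.
"""
import re
from collections import defaultdict

# One Sigcheck row, as printed by ComboFix:
#   [-] 2007-04-16 12:44 . <MD5> . <size> . . [<version>] . . <path>
# The time of day is sometimes absent (see the qmgr.dll rows), so it is optional.
SIGCHECK_RE = re.compile(
    r"^\[-\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Directories holding Windows' own protected copies (Driver Cache is an
# assumption for this example; dllcache and ServicePackFiles are standard).
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\", "\\driver cache\\")


def parse_sigcheck(text):
    """Return one dict per Sigcheck row; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["md5"] = row["md5"].upper()
        row["size"] = int(row["size"])
        row["path"] = row["path"].lower()          # NTFS paths are case-insensitive
        row["name"] = row["path"].rsplit("\\", 1)[-1]
        rows.append(row)
    return rows


def is_reference(path):
    return any(d in path for d in REFERENCE_DIRS)


def is_uninstall_backup(path):
    # $NtUninstallKBnnnnnn$ and $NtUpdateRollupPackUninstall$ keep the
    # pre-hotfix versions, which legitimately differ from the live file.
    return "\\$nt" in path


def find_mismatches(rows):
    """Live files whose MD5 differs from a cached copy of identical version and size."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["name"]].append(r)
    findings = []
    for name, group in sorted(by_name.items()):
        refs = [r for r in group if is_reference(r["path"])]
        live = [r for r in group
                if not is_reference(r["path"]) and not is_uninstall_backup(r["path"])]
        for l in live:
            comparable = [r for r in refs
                          if r["version"] == l["version"] and r["size"] == l["size"]]
            bad = [r for r in comparable if r["md5"] != l["md5"]]
            if bad:
                findings.append({"name": name, "live_path": l["path"],
                                 "live_md5": l["md5"], "reference_md5": bad[0]["md5"],
                                 "reference_path": bad[0]["path"],
                                 "version": l["version"]})
    return findings


# Sample input: rows copied from the ComboFix log posted above (not constructed).
SAMPLE = r"""
[-] 2007-04-16 12:44 . 18D623471DE9DCC2CEA310B2F3FBA15A . 712976 . . [5.00.2195.7135] . . c:\winnt\Driver Cache\i386\kernel32.dll
[-] 2007-04-16 12:44 . 0AB23B46CCAEBA64D748A5CF79CB4BB6 . 712976 . . [5.00.2195.7135] . . c:\winnt\system32\KERNEL32.DLL
[-] 2007-04-16 12:44 . 18D623471DE9DCC2CEA310B2F3FBA15A . 712976 . . [5.00.2195.7135] . . c:\winnt\system32\dllcache\kernel32.dll
[-] 2005-06-02 21:54 . 694E9BC2ADE4F30C99D8A59340307E1A . 712464 . . [5.00.2195.7006] . . c:\winnt\$NtUninstallKB935839$\kernel32.dll
[-] 2005-04-08 01:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\WINLOGON.EXE
[-] 2005-04-08 01:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\dllcache\WINLOGON.EXE
[-] 2004-12-19 12:30 . F19D0A319AB4BF5496F08807CB9B8651 . 33552 . . [5.00.2195.7011] . . c:\winnt\system32\LSASS.EXE
[-] 2003-06-19 09:05 . 271229760CCED993E9E7CAB1C7274134 . 33552 . . [5.00.2195.6695] . . c:\winnt\ServicePackFiles\i386\lsass.exe
[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\qmgr.dll
[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\dllcache\qmgr.dll
"""

if __name__ == "__main__":
    for f in find_mismatches(parse_sigcheck(SAMPLE)):
        print(f"{f['name']}: live {f['live_md5']} != cached {f['reference_md5']} "
              f"(version {f['version']}, {f['live_path']} vs {f['reference_path']})")
```

Paste the whole Sigcheck section into SAMPLE to run it over the full log. Files such as lsass.exe, whose only cached copies are older versions, produce no finding because there is nothing of the same version to compare against; for those, the sfc scan suggested in the next post is the right follow-up, as it restores from the protected cache rather than comparing against it.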

#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 October 2009 - 03:13 PM

Hello.

Okay, this system is Windows 2000. I think those are okay, but since you have your disk available I suggest you do an SFC scan.

Refer to these pages for further information: http://support.microsoft.com/kb/222471
http://www.networkclue.com/os/Windows/commands/sfc.aspx
http://www.updatexp.com/scannow-sfc.html

Then run a scan with Malwarebytes followed by Kaspersky...

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 akramabed

akramabed
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:59 PM

Posted 27 October 2009 - 03:17 PM

Hello EB,
I did the first step, but when running MBAM it freezes after around 40 seconds (on the time counter). You mentioned patience; does this mean hours, or how long? The time counter stops for more than 30 minutes and I suspect the program crashed. I uninstalled then re-installed the program and tried running it again after re-booting, with the same results. It does not stop at the same point, but at around 40 s ± 5 s. Please advise how to proceed. Thanks... AA

Edited by akramabed, 28 October 2009 - 10:10 AM.


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:59 PM

Posted 28 October 2009 - 03:46 PM

Try running it in Safe Mode.

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


Additional instructions on booting into Safe Mode can be found here

#15 akramabed

akramabed
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:59 PM

Posted 29 October 2009 - 01:55 PM

Hello EB,
I ran MBAM in Safe Mode and the results are posted below (nothing detected). I also ran Kaspersky 9, which I had installed on my laptop, rather than the one you requested (version 7). Results are also posted (nothing detected). I hope this is OK. If not, please let me know if I need to run version 7 instead of 9. ComboFix shows system files infected while other programs do not detect anything. I am puzzled. Is there an infection or not? What about deleting and replacing the infected system files? Thanks for your help. AA

Malwarebytes' Anti-Malware 1.41
Database version: 3043
Windows 5.0.2195 Service Pack 4 (Safe Mode)

29/10/09 5:13:34 PM
mbam-log-2009-10-29 (17-13-34).txt

Scan type: Quick Scan
Objects scanned: 80658
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is KASPERSKY LOG
Scan: completed 29/10/09 9:50:40 PM (events: 12, objects: , time: 00:00:00)
29/10/09 9:50:41 PM Task completed
29/10/09 8:25:11 PM Task started
Scan: completed 29/10/09 9:50:40 PM (events: 12, objects: , time: 00:00:00)
29/10/09 5:16:08 PM Task started
29/10/09 5:22:42 PM Task completed
Scan: completed 29/10/09 9:50:40 PM (events: 12, objects: , time: 00:00:00)
16/10/09 10:06:33 PM Task completed
16/10/09 9:00:19 PM Task started
16/10/09 8:51:29 PM Task stopped
16/10/09 8:51:26 PM Task started
Scan: completed 29/10/09 9:50:40 PM (events: 12, objects: , time: 00:00:00)
16/10/09 8:39:35 PM Task started
16/10/09 8:44:37 PM Task completed
Scan: completed 29/10/09 9:50:40 PM (events: 12, objects: , time: 00:00:00)
16/10/09 4:46:55 PM Task started
16/10/09 5:03:44 PM Task completed
Date: Today (events: 21)
Protection (events: 21)
29/10/09 8:23:29 PM Web Traffic Kaspersky Anti-Virus Task started
Protection (events: 21)
29/10/09 8:23:29 PM Email and IM Kaspersky Anti-Virus Task started
Protection (events: 21)
29/10/09 8:23:28 PM Files and Memory Kaspersky Anti-Virus Task started
Date: Today (events: 21)
Protection (events: 21)
22/10/09 1:27:14 AM Web Traffic Kaspersky Anti-Virus Task started
22/10/09 7:17:43 PM Web Traffic Kaspersky Anti-Virus Task started
24/10/09 9:08:01 PM Web Traffic Kaspersky Anti-Virus Task started
24/10/09 11:33:40 PM Web Traffic Kaspersky Anti-Virus Task stopped
Protection (events: 21)
22/10/09 1:27:14 AM Email and IM Kaspersky Anti-Virus Task started
22/10/09 7:17:43 PM Email and IM Kaspersky Anti-Virus Task started
24/10/09 9:08:01 PM Email and IM Kaspersky Anti-Virus Task started
24/10/09 11:33:40 PM Email and IM Kaspersky Anti-Virus Task stopped
Protection (events: 21)
22/10/09 1:27:14 AM Files and Memory Kaspersky Anti-Virus Task started
22/10/09 7:17:43 PM Files and Memory Kaspersky Anti-Virus Task started
24/10/09 9:08:01 PM Files and Memory Kaspersky Anti-Virus Task started
24/10/09 11:33:40 PM Files and Memory Kaspersky Anti-Virus Task stopped
Date: Today (events: 21)
Protection (events: 21)
16/10/09 4:46:49 PM Web Traffic Kaspersky Anti-Virus Task started
16/10/09 8:30:10 PM Web Traffic Kaspersky Anti-Virus Task started
Protection (events: 21)
16/10/09 4:46:49 PM Email and IM Kaspersky Anti-Virus Task started
16/10/09 8:30:09 PM Email and IM Kaspersky Anti-Virus Task started
Protection (events: 21)
16/10/09 4:46:49 PM Files and Memory Kaspersky Anti-Virus Task started
16/10/09 8:30:09 PM Files and Memory Kaspersky Anti-Virus Task started

Edited by akramabed, 29 October 2009 - 02:01 PM.
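
The SFC suggestion in post #12 and the question in the last post (are the files ComboFix flagged really modified, and should they be replaced?) come down to one check: compare each suspect file with a known-good copy. On Windows 2000/XP the reference SFC itself uses is the Windows File Protection cache at %SystemRoot%\system32\dllcache, with the i386 folder on the install CD as fallback. The script below is an added example, not code from the thread or from ComboFix, MBAM or Kaspersky; the file names in SUSPECT_FILES and the directory paths are illustrative placeholders (substitute the names ComboFix reported and your real system32 and dllcache paths), and the directories it builds when run without arguments are constructed sample data so it can run offline.

```python
"""
Added example (not from the thread): verify suspect system files by hashing
them against known-good reference copies, the same comparison Windows File
Protection / SFC performs against %SystemRoot%\\system32\\dllcache.

Hypothetical invocation (paths are placeholders, not from the thread):
    python verify_sysfiles.py C:\\WINNT\\system32 C:\\WINNT\\system32\\dllcache
With no arguments it builds constructed demo directories and checks those.
"""
import hashlib
import os
import sys
import tempfile

# Illustrative names only; replace with the list ComboFix printed.
SUSPECT_FILES = ["cmd.exe", "lsass.exe", "autochk.exe", "w32tm.exe"]


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_against_reference(live_dir, ref_dir, names=SUSPECT_FILES):
    """Return {name: verdict}; verdict is 'ok', 'modified',
    'missing-live' or 'missing-reference'."""
    results = {}
    for name in names:
        live = os.path.join(live_dir, name)
        ref = os.path.join(ref_dir, name)
        if not os.path.isfile(live):
            results[name] = "missing-live"
        elif not os.path.isfile(ref):
            results[name] = "missing-reference"
        elif sha256_of(live) != sha256_of(ref):
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def size_delta(live_dir, ref_dir, name):
    """Bytes the live copy has gained over the reference; file infectors
    typically append their code, so a positive delta supports 'modified'."""
    return (os.path.getsize(os.path.join(live_dir, name))
            - os.path.getsize(os.path.join(ref_dir, name)))


def build_demo_dirs():
    """Constructed sample data: a fake 'live' tree and a fake 'dllcache'."""
    root = tempfile.mkdtemp(prefix="sysfile-demo-")
    live, ref = os.path.join(root, "live"), os.path.join(root, "ref")
    os.makedirs(live)
    os.makedirs(ref)
    # Minimal PE-looking body: MZ header, PE signature, padding.
    clean = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"clean-body" * 100
    for name in SUSPECT_FILES:
        with open(os.path.join(ref, name), "wb") as f:
            f.write(clean)
        body = clean
        if name in ("cmd.exe", "lsass.exe"):
            body = clean + b"\x90" * 4096   # appended code, as an infector would add
        if name != "w32tm.exe":              # simulate a file absent from the live tree
            with open(os.path.join(live, name), "wb") as f:
                f.write(body)
    return live, ref


def main(argv):
    if len(argv) == 3:
        live, ref = argv[1], argv[2]
    else:
        live, ref = build_demo_dirs()
    verdicts = compare_against_reference(live, ref)
    for name, verdict in verdicts.items():
        extra = f" (+{size_delta(live, ref, name)} bytes)" if verdict == "modified" else ""
        print(f"{name:14} {verdict}{extra}")
    return verdicts


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats a practitioner would keep in mind. A hash mismatch is only meaningful if the reference is trustworthy: the dllcache copy can itself be touched by a file infector, so a mismatch against the install CD (or a copy pulled from a clean machine at the same service-pack level) is the stronger evidence. And if a kernel-mode rootkit is active, a user-mode hash check sees whatever the rootkit chooses to show, which is why scanners that run from a boot CD, or a comparison made with the disk mounted on a clean system, are the way to settle the "infected or not" question the thread leaves open.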
