Combofix Log + RootRepeal Log


2 replies to this topic

#1 TriNiMaN


Posted 30 September 2009 - 04:30 PM

ComboFix 09-09-29.04 - Nicholas 09/30/2009 15:35.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.600 [GMT -4:00]
Running from: c:\documents and settings\Nicholas\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\WMEncoder.msi

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-25 20:09 . 2009-09-25 20:09 69352 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-22 19:54 . 2009-09-22 19:54 -------- d-----w- C:\LAME
2009-09-22 19:49 . 2009-09-22 19:49 -------- d-----w- c:\documents and settings\Nicholas\Application Data\AccurateRip
2009-09-22 19:49 . 2009-09-22 19:49 -------- d-----w- c:\program files\Exact Audio Copy
2009-09-18 16:47 . 2009-06-25 08:41 56832 -c----w- c:\windows\system32\dllcache\secur32.dll
2009-09-18 16:47 . 2009-06-24 10:28 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-09-18 16:46 . 2009-06-25 08:41 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-09-18 16:46 . 2009-06-25 08:41 147456 -c----w- c:\windows\system32\dllcache\schannel.dll
2009-09-18 16:46 . 2009-06-25 08:41 136704 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-18 16:46 . 2009-06-25 08:41 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-09-17 19:10 . 2009-09-17 19:21 -------- d-----w- c:\program files\Webcam and Screen Recorder
2009-09-17 18:33 . 2009-09-17 18:33 162816 ----a-w- c:\windows\system32\fmod.dll
2009-09-17 18:31 . 2009-09-17 18:32 -------- d--h--w- c:\windows\msdownld.tmp
2009-09-17 18:31 . 2009-09-17 18:45 -------- d-----w- c:\documents and settings\Nicholas\Local Settings\Application Data\ApplicationHistory
2009-09-17 18:12 . 2009-09-17 18:13 -------- d-----w- c:\program files\WinPcap
2009-09-17 04:18 . 2001-09-06 00:00 51712 ----a-w- c:\windows\system32\regsvc.dll
2009-09-15 19:30 . 2009-09-15 19:30 -------- d-----w- c:\documents and settings\Nicholas\Application Data\VSRevoGroup
2009-09-15 19:27 . 2009-09-15 19:27 -------- d-----w- c:\program files\VS Revo Group
2009-09-14 22:56 . 2009-09-14 22:56 -------- d--h--w- c:\windows\PIF
2009-09-14 21:57 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-14 21:57 . 2009-09-19 01:57 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-14 21:57 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-14 21:57 . 2009-09-14 22:03 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-14 21:57 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-14 21:57 . 2009-09-26 15:31 -------- d-----w- c:\program files\Spyware Doctor
2009-09-14 21:57 . 2009-09-14 21:57 -------- d-----w- c:\documents and settings\Nicholas\Application Data\PC Tools
2009-09-14 21:57 . 2009-09-14 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-14 21:23 . 2009-09-29 13:26 -------- d-----w- c:\documents and settings\Nicholas\Application Data\nod32 updater
2009-09-14 05:23 . 2009-09-14 05:23 -------- d-----w- c:\windows\system32\Adobe
2009-09-12 21:39 . 2009-09-12 21:39 -------- d-----w- c:\program files\Wide Angle Software
2009-09-12 18:09 . 2009-09-12 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-09-12 18:03 . 2009-09-12 18:03 -------- d-----w- c:\program files\SlySoft
2009-09-11 14:30 . 2008-08-29 20:45 16896 ----a-w- c:\windows\system32\drivers\VirtualAudio.sys
2009-09-11 03:11 . 2008-11-19 13:41 16640 ----a-w- c:\windows\system32\drivers\WsAudioDevice_383.sys
2009-09-10 23:44 . 2006-10-29 15:11 126976 ----a-r- c:\windows\system32\Prounstl.exe
2009-09-10 23:44 . 2006-10-29 15:10 21504 ----a-r- c:\windows\system32\NicCo.dll
2009-09-10 22:53 . 2009-09-10 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 22:51 . 2009-09-10 22:52 -------- d-----w- c:\program files\QuickTime
2009-09-10 19:33 . 2009-09-10 19:50 -------- d-----w- c:\documents and settings\Nicholas\Application Data\Pamela
2009-09-10 19:33 . 2009-09-10 19:33 175104 ----a-w- c:\windows\system32\RemoteControl.dll
2009-09-10 19:33 . 2009-09-10 19:35 -------- d-----w- c:\program files\Pamela
2009-09-09 11:54 . 2009-06-21 21:49 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 11:53 . 2009-06-22 06:44 726528 -c----w- c:\windows\system32\dllcache\jscript.dll
2009-09-08 22:37 . 2009-09-08 22:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-08 22:37 . 2009-09-25 22:57 -------- d-----w- c:\documents and settings\Nicholas\Application Data\skypePM
2009-09-08 22:24 . 2009-09-26 00:44 -------- d-----w- c:\documents and settings\Nicholas\Application Data\Skype
2009-09-08 22:24 . 2009-09-08 22:24 -------- d-----w- c:\program files\Common Files\Skype
2009-09-08 22:24 . 2009-09-08 22:24 -------- d-----r- c:\program files\Skype
2009-09-08 22:23 . 2009-09-08 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-08 22:23 . 2009-09-08 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-09-08 22:19 . 2009-09-14 22:43 -------- d-----w- c:\documents and settings\Nicholas\Application Data\Tor
2009-09-08 22:19 . 2009-09-14 22:43 -------- d-----w- c:\documents and settings\Nicholas\Application Data\Vidalia
2009-09-08 22:19 . 2009-09-08 22:19 -------- d-----w- c:\program files\Vidalia Bundle
2009-09-08 22:18 . 2009-09-08 22:18 -------- d-----w- c:\program files\SoulseekNS
2009-09-08 22:01 . 2009-09-08 22:03 -------- d-----w- c:\program files\Video Convert Master
2009-09-05 02:40 . 2009-09-05 02:40 -------- d-----w- c:\program files\DivX
2009-09-05 02:40 . 2009-09-05 02:40 -------- d-----w- c:\program files\Common Files\DivX Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 18:30 . 2009-08-10 09:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-30 05:41 . 2009-08-11 00:57 -------- d-----w- c:\documents and settings\Nicholas\Application Data\foobar2000
2009-09-29 13:31 . 2009-08-21 03:26 -------- d-----w- c:\documents and settings\Nicholas\Application Data\uTorrent
2009-09-28 03:34 . 2009-08-12 19:52 -------- d-----w- c:\program files\Starcraft
2009-09-26 18:54 . 2009-08-11 02:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 01:56 . 2009-09-19 01:56 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-19 01:44 . 2009-08-26 04:11 -------- d-----w- c:\documents and settings\Nicholas\Application Data\Folder Guard
2009-09-19 01:44 . 2009-08-26 04:09 -------- d-----w- c:\program files\Folder Guard Pro
2009-09-16 17:21 . 2009-08-20 06:36 180080 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-15 20:45 . 2009-08-10 22:30 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-15 20:09 . 2009-08-10 06:54 84688 ----a-w- c:\documents and settings\Nicholas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 23:36 . 2009-08-20 06:39 -------- d-----w- c:\program files\UlisesSoft
2009-09-12 19:08 . 2009-08-10 09:15 -------- d-----w- c:\program files\ABBYY FineReader 9.0
2009-09-12 18:05 . 2009-09-12 18:05 0 --sh--w- c:\windows\SC27D5317.tmp
2009-09-11 23:12 . 2009-08-10 08:39 -------- d-----w- c:\documents and settings\Nicholas\Application Data\Apple Computer
2009-09-11 14:30 . 2009-08-18 16:47 -------- d-----w- c:\program files\Wondershare
2009-09-10 22:55 . 2009-08-13 22:44 -------- d-----w- c:\program files\iTunes
2009-09-10 22:53 . 2009-08-13 22:44 -------- d-----w- c:\program files\iPod
2009-09-10 22:50 . 2009-08-13 22:43 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 07:10 . 2009-08-10 06:43 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 07:01 . 2009-08-10 09:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-07 16:19 . 2009-08-10 08:41 -------- d-----w- c:\program files\foobar2000
2009-08-26 18:56 . 2009-08-11 06:31 -------- d-----w- c:\documents and settings\Nicholas\Application Data\Nero
2009-08-26 02:50 . 2009-08-26 02:50 -------- d-----w- c:\program files\FLAV
2009-08-21 04:07 . 2009-08-21 04:05 20 ----a-w- C:\sccfg.sys
2009-08-21 03:26 . 2009-08-21 03:26 -------- d-----w- c:\program files\uTorrent
2009-08-20 07:02 . 2009-08-20 07:02 -------- d-----w- c:\documents and settings\Nicholas\Application Data\acccore
2009-08-20 07:02 . 2009-08-20 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-08-20 07:01 . 2009-08-20 07:00 -------- d-----w- c:\program files\AIM6
2009-08-20 07:01 . 2009-08-20 07:01 -------- d-----w- c:\program files\Viewpoint
2009-08-20 07:01 . 2009-08-20 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-20 07:01 . 2009-08-20 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-08-20 07:01 . 2009-08-20 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-20 07:01 . 2009-08-20 07:00 -------- d-----w- c:\program files\Common Files\AOL
2009-08-20 06:33 . 2009-08-20 06:30 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-20 06:33 . 2009-08-20 06:33 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-08-20 06:33 . 2009-08-20 06:33 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-20 06:30 . 2009-08-20 06:30 -------- d-----w- c:\documents and settings\Nicholas\Application Data\TuneUp Software
2009-08-20 06:30 . 2009-08-20 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-08-20 06:29 . 2009-08-20 06:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-14 23:39 . 2009-08-14 23:39 -------- d-----w- c:\program files\FLV to MP3 Converter
2009-08-13 22:44 . 2009-08-13 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-13 22:44 . 2009-08-10 08:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-13 22:44 . 2009-08-13 22:44 -------- d-----w- c:\program files\Bonjour
2009-08-13 20:39 . 2009-08-10 08:59 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-12 19:56 . 2009-08-12 19:53 35382 ----a-w- c:\windows\scunin.dat
2009-08-12 19:56 . 2009-08-12 19:53 967 ----a-w- c:\windows\ScUnin.pif
2009-08-12 19:56 . 2009-08-12 19:53 94208 ----a-w- c:\windows\ScUnin.exe
2009-08-11 16:10 . 2009-08-11 16:09 -------- d-----w- c:\program files\Free M4a to MP3 Converter
2009-08-11 05:22 . 2009-08-11 01:37 -------- d-----w- c:\program files\Common Files\Nero
2009-08-11 02:39 . 2009-08-11 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-11 02:05 . 2009-08-11 01:38 -------- d-----w- c:\program files\Nero
2009-08-11 02:02 . 2009-08-11 02:02 -------- d-----w- c:\program files\Windows Sidebar
2009-08-11 01:52 . 2009-08-11 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-11 00:40 . 2009-08-11 00:40 -------- d-----w- c:\program files\RocketDock
2009-08-11 00:21 . 2009-08-11 00:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 00:21 . 2009-08-11 00:21 -------- d-----w- c:\program files\Java
2009-08-10 23:53 . 2009-08-10 23:53 -------- d-----w- c:\program files\Microsoft
2009-08-10 23:53 . 2009-08-10 23:52 -------- d-----w- c:\program files\Windows Live
2009-08-10 23:53 . 2009-08-10 23:53 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-10 23:30 . 2009-08-10 23:30 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-10 23:30 . 2009-08-10 23:30 -------- d-----w- c:\program files\MSECACHE
2009-08-10 23:24 . 2009-08-10 23:24 0 ----a-w- c:\windows\nsreg.dat
2009-08-10 23:22 . 2009-08-10 09:53 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-10 23:04 . 2009-08-10 23:04 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-10 22:28 . 2009-08-10 22:28 -------- d-----w- c:\program files\Alcohol Soft
2009-08-10 22:26 . 2009-08-10 22:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-10 22:25 . 2009-08-10 22:25 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-10 22:20 . 2009-08-10 09:59 -------- d-----w- c:\program files\Microsoft Works
2009-08-10 22:12 . 2009-08-10 22:12 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-10 21:38 . 2009-08-10 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-08-10 09:58 . 2009-08-10 08:41 -------- d-----w- c:\program files\MSBuild
2009-08-10 09:57 . 2009-08-10 09:57 -------- d-----w- c:\program files\Microsoft.NET
2009-08-10 09:54 . 2009-08-10 09:53 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-10 09:19 . 2009-08-10 09:19 -------- d-----w- c:\program files\Common Files\ABBYY
2009-08-10 09:15 . 2009-08-10 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ABBYY
2009-08-10 09:06 . 2009-08-10 09:06 -------- d-----w- c:\program files\Lavalys
2009-08-10 09:03 . 2009-08-10 09:03 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-08-10 09:03 . 2009-08-10 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-08-10 09:03 . 2009-08-10 09:03 -------- d-----w- c:\program files\Diskeeper Corporation
2009-08-10 08:57 . 2009-08-10 08:57 -------- d-----w- c:\program files\Analog Devices
2009-08-10 08:41 . 2009-08-10 08:41 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 08:33 . 2009-08-10 08:33 -------- d-----w- c:\program files\Apple Software Update
2009-08-10 08:33 . 2009-08-10 08:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-10 08:19 . 2009-08-10 08:19 -------- d-----w- c:\documents and settings\Nicholas\Application Data\ESET
2009-08-10 08:16 . 2009-08-10 07:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-10 08:16 . 2009-08-10 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-08-10 08:15 . 2009-08-10 08:15 -------- d-----w- c:\program files\Creative
2009-08-10 08:14 . 2009-08-10 08:14 -------- d-----w- c:\program files\Common Files\Borland Shared
2009-08-10 08:14 . 2009-08-10 08:14 -------- d-----w- c:\program files\Gemstar
2009-08-10 08:13 . 2009-08-10 08:13 -------- d-----w- c:\program files\ATI Multimedia
2009-08-10 08:13 . 2009-08-10 08:13 -------- d-----w- c:\program files\Common Files\CyberLink
2009-08-10 08:12 . 2009-08-10 08:12 -------- d-----w- c:\program files\Windows Media Components
2009-08-10 08:12 . 2009-08-10 07:57 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-10 08:06 . 2009-08-10 08:06 -------- d-----w- c:\program files\MozBackup
2009-08-10 08:02 . 2009-08-10 08:02 -------- d-----w- c:\program files\ESET
2009-08-10 08:02 . 2009-08-10 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-10 07:59 . 2009-08-10 07:59 -------- d-----w- c:\program files\Intel
2009-08-10 06:49 . 2009-08-10 06:49 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-10 06:46 . 2009-08-10 06:46 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-06-15 . EA032FC150B9C6276C98EB3DED3B75C6 . 652800 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2009-06-15 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2009-06-15 . C6BE3E18287F21EE3ED3C84ED14E9D7A . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll

[-] 2009-06-15 . 038CA45522FE9B756EFB90DBFA9141EA . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-06-15 . 043715053721DF2C319DB6DD137D8841 . 2350464 . . [5.1.2600.5755] . . c:\windows\system32\ntoskrnl.exe

[-] 2009-06-15 . D075177EBE8735C080831BE2E99941CC . 575488 . . [5.1.2600.5577] . . c:\windows\system32\user32.dll

[-] 2009-06-15 . 50D6EE240E804F638D88E26200D37670 . 570368 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe

[-] 2009-06-15 . 331257F9A07F1759ADB603D807226DAE . 1789440 . . [6.00.2900.5634] . . c:\windows\explorer.exe

[-] 2009-06-15 . F0005C4A59B7AB05602881F074D5FA1F . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2009-06-15 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

[-] 2001-09-06 . 223D3359535294A1F0C9AB9DD9389593 . 51712 . . [5.1.2600.0] . . c:\windows\system32\regsvc.dll

[-] 2009-06-15 . E93DF9474833B3475F18FBA01AE57201 . 2227456 . . [5.1.2600.5755] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-08-11 3885408]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"LClock"="c:\windows\resources\DiamondStyle\LClock\lclock.exe" [2009-06-15 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-26 2029640]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-02 135264]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-29 1404928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]
"FG_Monitor"="c:\program files\Folder Guard Pro\FGKey.exe" [2008-01-05 118600]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-28 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-06-15 37376]
"Windows7Taskbar"="c:\windows\resources\DiamondStyle\Windows 7 Taskbar\Windows7Taskbar.exe" [2009-06-15 331776]
"LClock"="c:\windows\resources\DiamondStyle\LClock\LClock.exe" [2009-06-15 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-06-15 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\G:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=c:\windows\UpdReg.EXE
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [09/14/2009 5:57 PM 206256]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [04/26/2009 2:22 PM 107256]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [10/27/2008 7:03 AM 759072]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [04/26/2009 2:22 PM 731840]
R2 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [08/26/2009 12:09 AM 54008]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [08/20/2009 2:33 AM 604416]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [08/20/2009 3:01 AM 24652]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [09/11/2009 10:30 AM 16896]
S3 mpr_freader;MPR FileReader Driver;\??\g:\programs\PortableMultiPasswordRecoveryv1.0.9\Portable Multi Password Recovery v1.0.9 Multilingual\mpr_freader.sys --> g:\programs\PortableMultiPasswordRecoveryv1.0.9\Portable Multi Password Recovery v1.0.9 Multilingual\mpr_freader.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/06/2007 4:22 PM 34064]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [09/14/2009 5:57 PM 348752]
S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [09/10/2009 11:11 PM 16640]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALERTER
*NewlyCreated* - UPS
*NewlyCreated* - WMDMPMSN
*Deregistered* - mchInjDrv
*Deregistered* - uxriifoc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 05:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:8081
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\b8t0rqy2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 15:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1425521274-1417001333-1002\Software\Microsoft\ActiveMovie\devenum\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\*ROw]
"VFWIndex"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1144)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1216)
c:\windows\system32\wdigest.dll
c:\windows\system32\setupapi.dll
.
Completion time: 2009-09-30 15:46
ComboFix-quarantined-files.txt 2009-09-30 19:46
ComboFix2.txt 2009-09-17 04:05

Pre-Run: 75,863,461,888 bytes free
Post-Run: 76,000,722,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

324 --- E O F --- 2009-09-18 07:00

__________________________________________________________________________________________________________________________________


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/30 17:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBAD31000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D97000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP5264
Image Path: \Driver\PCI_PNP5264
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7D89000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7924000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spkc.sys
Image Path: spkc.sys
Address: 0xF773F000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Nicholas\Local Settings\Application Data\Mozilla\Firefox\Profiles\b8t0rqy2.default\XPC.mfl
Status: Locked to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8579b8a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf764ad72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf762b9a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf762bb98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf764b568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf764b820

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spkc.sys" at address 0xf775eca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spkc.sys" at address 0xf775f032

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf7649a80

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8579acb0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8579b0d0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spkc.sys" at address 0xf775f10a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spkc.sys" at address 0xf775ef8a

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf764bc8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf764b036

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8579b6d0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8579b4f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf762b656

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8579b310

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x85821118]
Process: System Address: 0x85799930 Size: 1000

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x852a61f8 Size: 121

Object: Hidden Code [Driver: aycywvmeЅఉ浍瑓⒘蒍, IRP_MJ_CREATE]
Process: System Address: 0x860c8500 Size: 121

Object: Hidden Code [Driver: aycywvmeЅఉ浍瑓⒘蒍, IRP_MJ_CLOSE]
Process: System Address: 0x860c8500 Size: 121

Object: Hidden Code [Driver: aycywvmeЅఉ浍瑓⒘蒍, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x860c8500 Size: 121

Object: Hidden Code [Driver: aycywvmeЅఉ浍瑓⒘蒍, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x860c8500 Size: 121

Object: Hidden Code [Driver: aycywvmeЅఉ浍瑓⒘蒍, IRP_MJ_POWER]
Process: System Address: 0x860c8500 Size: 121

Object: Hidden Code [Driver: aycywvmeЅఉ浍瑓⒘蒍, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x860c8500 Size: 121

Object: Hidden Code [Driver: aycywvmeЅఉ浍瑓⒘蒍, IRP_MJ_PNP]
Process: System Address: 0x860c8500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x864731f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x852a91f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x852a91f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x852a91f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x852a91f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x852a91f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x852a91f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x852a91f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x852a91f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x852a91f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x862383c8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x862383c8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x862383c8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x862383c8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x862383c8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x862383c8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x862383c8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x852c81f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x852c81f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x852c81f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x852c81f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x852c81f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x852c81f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8642a1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8642a1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8642a1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8642a1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8642a1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8642a1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8642a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8568a1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_CREATE]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_CLOSE]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_READ]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_SHUTDOWN]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_CLEANUP]
Process: System Address: 0x852b6500 Size: 121

Object: Hidden Code [Driver: CdfsЅ扏煓Ёఊ佃塍COM1, IRP_MJ_PNP]
Process: System Address: 0x852b6500 Size: 121

==EOF==

Edited by TriNiMaN, 01 October 2009 - 09:25 AM.



#2 TriNiMaN

TriNiMaN
  • Topic Starter

  • Members
  • 2 posts
  • Gender:Male
  • Location:Home

Posted 01 October 2009 - 09:26 AM


Did a scan with SysProt, and this came up. Can someone tell me how to get rid of those hidden files please?


SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: spva.sys
Service Name: ---
Module Base: F773F000
Module End: F7840000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\aqzvh8px.SYS
Service Name: ---
Module Base: F6922000
Module End: F6959000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: BAD31000
Module End: BAD49000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7D93000
Module End: F7D95000
Hidden: Yes

Module Name: \??\C:\DOCUME~1\Nicholas\LOCALS~1\Temp\uxriifoc.sys
Service Name: uxriifoc
Module Base: B790E000
Module End: B7923000
Hidden: Yes

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{FD27811B-6C7B-4506-B945-89E0766500C9}
Status: Access denied

Edited by Orange Blossom, 01 October 2009 - 07:36 PM.
Merged topics. ~ OB
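As an added triage example (not code from this thread, from RootRepeal or from SysProt), the script below parses the two log formats posted above: RootRepeal's "Hidden Code" entries, grouped per driver so you can see how many IRP majors resolve to the same address, and SysProt's "Kernel Modules" blocks. The sample lines are copied from the logs in this thread; the flagging rules (driver names containing non-printable characters, hidden modules loaded from a temp directory, hidden modules with no on-disk path) are this example's own heuristics for deciding what to ask a helper about, not verdicts either tool reports.

```python
"""Triage helper for the RootRepeal 'Hidden Code' and SysProt 'Kernel Modules'
log formats quoted in this thread.

Added example: not code from the thread, from RootRepeal or from SysProt.
The sample lines are copied from the logs posted above; the flagging rules
are this example's own assumptions, not verdicts either tool reports.
"""
import re
from collections import defaultdict

# Constructed sample in the RootRepeal format (lines taken from the post above).
ROOTREPEAL_SAMPLE = """\
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x867d91f8 Size: 121

Object: Hidden Code [Driver: aycywvmeЅఉ浍瑓⒘蒍, IRP_MJ_CREATE]
Process: System Address: 0x860c8500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x852a91f8 Size: 121
"""

# Constructed sample in the SysProt format (raw string: the paths contain backslashes).
SYSPROT_SAMPLE = r"""Kernel Modules:
Module Name: spva.sys
Service Name: ---
Module Base: F773F000
Module End: F7840000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: BAD31000
Module End: BAD49000
Hidden: Yes

Module Name: \??\C:\DOCUME~1\Nicholas\LOCALS~1\Temp\uxriifoc.sys
Service Name: uxriifoc
Module Base: B790E000
Module End: B7923000
Hidden: Yes
"""

HOOK_RE = re.compile(r"^Object: Hidden Code \[Driver: (.+?), (IRP_MJ_[A-Z_]+)\]$")
PROC_RE = re.compile(r"^Process: (\S+)\s+Address: (0x[0-9a-fA-F]+)\s+Size: (\d+)$")


def parse_rootrepeal(text):
    """Return one dict per 'Hidden Code' entry: driver, major, process, address, size."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            pending = {"driver": m.group(1), "major": m.group(2)}
            continue
        m = PROC_RE.match(line)
        if m and pending:
            pending.update(process=m.group(1), address=m.group(2), size=int(m.group(3)))
            entries.append(pending)
            pending = None
    return entries


def summarize_hooks(entries):
    """Group entries by driver: which IRP majors are reported and at which addresses."""
    summary = defaultdict(lambda: {"majors": [], "addresses": set()})
    for e in entries:
        summary[e["driver"]]["majors"].append(e["major"])
        summary[e["driver"]]["addresses"].add(e["address"])
    return dict(summary)


def has_garbled_name(name):
    """True when a reported driver name contains characters outside printable ASCII,
    i.e. the tool printed something that is not a plausible driver name."""
    return any(not (32 <= ord(c) <= 126) for c in name)


def parse_sysprot(text):
    """Return one dict per 'Module Name:' block (blank line separates blocks)."""
    modules, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                modules.append(current)
                current = {}
            continue
        if ": " in line:                      # 'Kernel Modules:' has no ': ' and is skipped
            key, _, value = line.partition(": ")
            current[key] = value
    if current:
        modules.append(current)
    return modules


def flag_modules(modules):
    """Apply this example's own heuristics to modules SysProt marks Hidden: Yes."""
    flagged = []
    for m in modules:
        if m.get("Hidden") != "Yes":
            continue
        name = m.get("Module Name", "")
        reasons = []
        if "\\temp\\" in name.lower():        # user-writable temp directory
            reasons.append("loaded from a temp directory")
        if "\\" not in name:                  # no path: nothing to look up on disk
            reasons.append("no on-disk path reported")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def triage(rootrepeal_text, sysprot_text):
    """Combine both parsers into one report dict."""
    hooks = summarize_hooks(parse_rootrepeal(rootrepeal_text))
    return {
        "hooked_drivers": {d: len(v["majors"]) for d, v in hooks.items()},
        "garbled_driver_names": [d for d in hooks if has_garbled_name(d)],
        "flagged_modules": flag_modules(parse_sysprot(sysprot_text)),
    }


if __name__ == "__main__":
    for key, value in triage(ROOTREPEAL_SAMPLE, SYSPROT_SAMPLE).items():
        print(key, value)
```

The `dump_*` modules are Windows' crash-dump copies of the storage drivers and are deliberately left alone by these rules; a hidden module loaded from a user's Temp directory, or a driver name the tool could only print as garbage, is the kind of line worth quoting to a helper rather than deleting on your own.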


#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 18 October 2009 - 11:25 AM

Hello TriNiMaN

Welcome to BleepingComputer :(
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



