Files being modified left to right!!! VIRUS! lastgood.tmp?


10 replies to this topic

#1 animesaint

Posted 19 October 2009 - 02:47 AM

I am very scared. I got hit by viruses by going to websites either today or at midnight yesterday. Now I have virus alerts, modified files, and porn icons on the desktop. I am officially screwed. Search engines do not work, and MBAM isn't working because it can't find anything in Safe Mode and it requires Windows Installation, and when it does I cancel it a lot until mbam.exe comes up. HELP!
Also, mbam.exe was created and modified when the virus hit, along with other anti-viruses and many other programs/files/etc.
Maybe I should reformat the whole thing?
Looking on the internet, I think I have Vundo and it is using winlogin.exe to do stuff.

End processes VRT2 and VRT3, VRT6 and another one I couldn't remember.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:48 AM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\VRT3.tmp
C:\WINDOWS\TEMP\VRT4.tmp
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\8008036.exe
C:\Program Files\Opera 10 Beta\opera.exe
C:\WINDOWS\system32\lsm32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070612
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [NCsoft Launcher] C:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198337010468
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9379 bytes

Malwarebytes' Anti-Malware 1.39
Database version: 2533
Windows 5.1.2600 Service Pack 3

10/19/2009 12:10:06 AM
mbam-log-2009-10-19 (00-10-06).txt

Scan type: Quick Scan
Objects scanned: 102092
Time elapsed: 8 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\av care (Rogue.AVCare) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av care (Rogue.AVCare) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\MyMobile02\Start Menu\Programs\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Program Files\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AV Care\AVCare.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
c:\documents and settings\mymobile02\local settings\temp\xecowrmsan.tmp (Rogue.AVCare) -> Quarantined and deleted successfully.
c:\documents and settings\mymobile02\start menu\Programs\AV Care\AV Care.lnk (Rogue.AVCare) -> Quarantined and deleted successfully.
c:\program files\AV Care\avc.ico (Rogue.AVCare) -> Quarantined and deleted successfully.
c:\program files\AV Care\AVCare.ini (Rogue.AVCare) -> Quarantined and deleted successfully.
c:\program files\AV Care\PP.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
c:\program files\AV Care\Uninstall.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Documents and Settings\MyMobile02\Desktop\AV Care.lnk (Rogue.AVCare) -> Quarantined and deleted successfully.

mbam log 2
Malwarebytes' Anti-Malware 1.41
Database version: 2991
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/19/2009 3:34:35 PM
mbam-log-2009-10-19 (15-34-34).txt

Scan type: Quick Scan
Objects scanned: 111571
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\TEMP\VRT6.tmp (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.Exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fastnetsrv (Backdoor.Refpron) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ter8m (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\10279684 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\TEMP\VRT6.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\BtwSrv.dllx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\VRT1.tmp (Malware.Tool) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\VRT4.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Edited by animesaint, 19 October 2009 - 06:41 PM.
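The HijackThis log above is what a helper reads by eye, and the items that matter are the same ones MBAM later confirmed: a UserInit value that launches a second program (drivers\smss.exe), a rundll32 Run entry loading a randomly named DLL through a one-letter export (msxm192z.dll,w), .tmp and .sys images running as processes out of TEMP and system32, a copy of smss.exe outside its real directory, an unidentified Winsock LSP entry and a Trusted Zone addition. The script below is an added example written for this page, not a tool from the thread, from BleepingComputer or from HijackThis; it applies those checks to a constructed sample built from lines in the posted log. The rule names and the one-letter-export threshold are my own heuristics, and the results are flags for review rather than verdicts.

```python
"""HijackThis log triage (added example; heuristic review flags, not verdicts)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus a few benign entries, embedded so the script runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\TEMP\VRT3.tmp
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\lsm32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.antimalwareguard.com
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: a default C:\WINDOWS install, as the posted log shows; adjust WINDIR otherwise.
WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"
LEGIT_USERINIT = SYSTEM32 + r"\userinit.exe"
# Binaries malware commonly names itself after; each has exactly one legitimate directory.
CORE_BINARY_DIRS = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "userinit.exe": SYSTEM32, "explorer.exe": WINDIR,
}


@dataclass
class Finding:
    rule: str    # short rule id, e.g. "userinit-hijack"
    line: str    # the log line that triggered it
    reason: str  # human-readable explanation for the reviewer


def check_process(path):
    """Checks for one line of the 'Running processes' section."""
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    out = []
    if "\\temp\\" in p:
        out.append(Finding("proc-temp", path, "executable running from a TEMP directory"))
    if not name.endswith(".exe"):
        ext = name.rpartition(".")[2]
        out.append(Finding("proc-ext", path, f"process image has non-.exe extension '{ext}'"))
    expected = CORE_BINARY_DIRS.get(name)
    if expected and directory != expected:
        out.append(Finding("proc-masquerade", path,
                           f"{name} running from {directory}, expected {expected}"))
    return out


def check_userinit(line, body):
    """F2: anything besides the real userinit.exe in UserInit runs at every logon."""
    m = re.search(r"UserInit=(.*)$", body, re.I)
    if not m:
        return []
    entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if e != LEGIT_USERINIT]
    if not extra:
        return []
    return [Finding("userinit-hijack", line, "extra UserInit program(s): " + ", ".join(extra))]


def check_run(line, body):
    """O4: rundll32 loaders whose export name is one or two characters (heuristic)."""
    m = re.search(r"rundll32(?:\.exe)?\s+(\S+?\.dll),(\S*)", body, re.I)
    if not m:
        return []
    dll, entry = m.group(1), m.group(2)
    if len(entry) <= 2:
        return [Finding("run-rundll32-loader", line,
                        f"rundll32 loads {dll} via {len(entry)}-char export '{entry}'")]
    return []


SECTION_CHECKS = {
    "F2": check_userinit,
    "O4": check_run,
    # O10/O15 entries are rare on a home machine; always surface them for review.
    "O10": lambda line, body: [Finding("lsp-unknown", line, "Winsock LSP file HijackThis could not identify")],
    "O15": lambda line, body: [Finding("trusted-zone", line, "site added to the IE Trusted Zone")],
}


def triage(log_text):
    """Parse a HijackThis log and return the list of Findings, in log order."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            findings.extend(check_process(line))
            continue
        m = re.match(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$", line)
        if m and m.group(1) in SECTION_CHECKS:
            findings.extend(SECTION_CHECKS[m.group(1)](line, m.group(2)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.reason}\n    {f.line}")
```

On the sample the script reports eight findings and leaves the benign NvCpl, winlogon.exe and HijackThis.exe lines alone; the O23 service line is parsed but has no rule, which is deliberate, since service lines need the publisher and path checked against a vendor list rather than a pattern.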



#2 animesaint


Posted 29 October 2009 - 10:03 PM

Didn't find the edit button. When I connected to the net with the infected computer, I checked the processes to see VRT6 (random VRT#). I downloaded DDS, and now I went to the desktop to see if the logs were saved there and found porn icons on the desktop again.


DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
Run by MyMobile02 at 20:00:20.29 on Thu 10/29/2009
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============


============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitComet] "c:\program files\bitcomet\BitComet.exe" /tray
uRun: [mount.exe] c:\program files\gipo@utilities\fileutilities.3\mount.exe /z
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
uRun: [PlayNC Launcher]
uRun: [NCsoft Launcher] c:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ter8m] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198337010468
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: 1.exe - c:\windows\system32\ahui.exe
IFEO: reader_s.exe - c:\windows\system32\ahui.exe
IFEO: servises.exe - c:\windows\system32\ahui.exe
IFEO: sys64_nov.exe - c:\windows\system32\ahui.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mymobi~1\applic~1\mozilla\firefox\profiles\s8qah0xr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\mymobile02\application data\mozilla\firefox\profiles\s8qah0xr.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-30 02:59:01 88576 ----a-w- c:\windows\system32\12.tmp
2009-10-30 02:58:59 52 ----a-w- c:\windows\system32\F.tmp
2009-10-30 02:58:50 61440 ----a-w- c:\windows\system32\msxm192z.dll
2009-10-30 02:58:43 0 d-----w- c:\program files\Protection System
2009-10-30 02:58:43 0 ----a-w- c:\windows\SC.INS
2009-10-30 02:58:43 0 ----a-w- c:\windows\sc.exe
2009-10-19 22:25:11 808 ----a-w- c:\windows\system32\6169855.exe
2009-10-19 07:35:34 680 ----a-w- c:\windows\system32\3337061.exe
2009-10-19 06:54:00 8192 --sha-w- c:\windows\system32\Thumbs.db
2009-10-19 06:47:47 0 d-----w- c:\windows\LastGood.Tmp
2009-10-03 20:01:32 0 d-----w- c:\docume~1\mymobi~1\applic~1\foobar2000
2009-10-03 20:01:25 0 d-----w- c:\program files\foobar2000
2009-10-03 19:47:11 0 d-----w- c:\docume~1\mymobi~1\applic~1\Desktopicon
2009-10-03 19:47:08 0 d-----w- c:\program files\Exact Audio Copy
2009-10-03 19:41:24 364544 ----a-w- c:\windows\system32\MACDll.dll
2009-10-03 19:41:24 0 d-----w- c:\program files\Monkey's Audio

==================== Find3M ====================

2009-10-19 07:35:08 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-10-19 07:35:08 361600 ----a-w- c:\windows\system32\dllcache\TCPIP.SYS
2009-10-19 07:21:27 65536 ----a-w- c:\windows\system32\bdod.bin
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-09-01 17:58:17 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-08-28 10:35:52 193024 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-25 21:10:00 78945 ----a-w- c:\windows\War3Unin.dat
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 03:44:46 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-05 02:52:22 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-03 22:07:42 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 22:07:42 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 22:07:42 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2008-10-09 22:30:50 49152 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080929\index.dat
2008-10-09 22:30:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100920081010\index.dat

============= FINISH: 20:00:58.78 ===============

Edited by animesaint, 29 October 2009 - 10:05 PM.


#3 Elise


Posted 30 October 2009 - 04:29 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log
  • RootRepeal log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
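The DDS log requested above lists each startup and browser entry on one line under "Pseudo HJT Report". As an added illustration that is not part of this thread, of DDS, or of the helper's procedure, the Python script below parses a few lines constructed in that format and flags the entry types a malware analyst checks first: an extra executable appended to the Winlogon Userinit value, Image File Execution Options (IFEO) debugger redirects, Run entries that load a DLL through RUNDLL32, and sites added to the IE Trusted Zone. The allowlists and the "digits in the DLL name" rule are crude heuristics chosen for the example, not DDS logic.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "suspicious" or "review"
    line: str
    reason: str


# Sample lines constructed for this example in the DDS Pseudo HJT format.
SAMPLE_DDS = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\drivers\\smss.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mRun: [ter8m] RUNDLL32.EXE c:\\windows\\system32\\msxm192z.dll,w
Trusted Zone: antimalwareguard.com
IFEO: 1.exe - c:\\windows\\system32\\ahui.exe
IFEO: reader_s.exe - c:\\windows\\system32\\ahui.exe
Notify: !SASWinLogon - c:\\program files\\superantispyware\\SASWINLO.DLL
"""

# A stock XP Userinit value names exactly one executable, the system userinit.exe.
USERINIT_OK = {"c:\\windows\\system32\\userinit.exe"}

# Illustrative allowlist of DLLs commonly started via RUNDLL32 from a Run key.
RUNDLL_KNOWN_GOOD = {"nvcpl.dll", "nvmctray.dll", "bthprops.cpl"}

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^,"]+?\.(?:dll|cpl))"?', re.I)
IFEO_RE = re.compile(r"^IFEO: (?P<image>\S+) - (?P<debugger>.+)$", re.I)
USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(?P<value>.+)$", re.I)
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)$", re.I)


def triage_dds(text: str) -> list[Finding]:
    """Return the entries an analyst should look at, in log order."""
    findings: list[Finding] = []
    seen_trusted: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = USERINIT_RE.match(line)
        if m:
            exes = [p.strip().lower() for p in m.group("value").split(",") if p.strip()]
            extra = [e for e in exes if e not in USERINIT_OK]
            if extra:   # anything beyond userinit.exe runs at every logon
                findings.append(Finding("suspicious", line,
                    "extra executable appended to Userinit: " + ", ".join(extra)))
            continue

        m = IFEO_RE.match(line)
        if m:
            # An IFEO Debugger value starts the "debugger" instead of the named
            # program, a common way to silently block security tools.
            findings.append(Finding("suspicious", line,
                f"IFEO debugger redirect: {m.group('image')} -> {m.group('debugger')}"))
            continue

        m = TRUSTED_RE.match(line)
        if m:
            host = m.group("host").lower()
            if host not in seen_trusted:   # DDS may list the same zone twice
                seen_trusted.add(host)
                findings.append(Finding("review", line,
                    f"site added to IE Trusted Zone: {host}"))
            continue

        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.search(m.group("cmd"))
            if d:
                dll = d.group("dll").strip().lower()
                base = dll.rsplit("\\", 1)[-1]
                if base not in RUNDLL_KNOWN_GOOD:
                    # Heuristic: digits mixed into the DLL name raise the severity.
                    sev = "suspicious" if re.search(r"\d", base) else "review"
                    findings.append(Finding(sev, line,
                        f"Run entry loads DLL via RUNDLL32: {dll}"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run as a script it prints the five flagged entries from the sample; on a real DDS log, paste the Pseudo HJT section into `triage_dds` and treat each "suspicious" line as a starting point for research, not as a verdict.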


#4 animesaint

animesaint
  • Topic Starter

  • Members
  • 26 posts

Posted 31 October 2009 - 11:35 AM

I will edit this post, but I will start with the problems I have. When I log on to the computer the login screen changed from before because usually I wouldn't have put a password on the Windows XP 2000 way where you ctrl+alt+del to go to the username/password textbox. This scares me from just straight up booting the system so I am currently booting the system through safe mode and safe mode w/ networking only. Also, when the internet is established, the three icons appear on the desktop. Along with that, after start-up, text boxes pop up saying something about missing stuff and errors where the options include debugging, but what I do is press the "X" button on the text box.

Here is the DDS log


DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
Run by MyMobile02 at 9:21:13.03 on Sat 10/31/2009
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============


============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitComet] "c:\program files\bitcomet\BitComet.exe" /tray
uRun: [mount.exe] c:\program files\gipo@utilities\fileutilities.3\mount.exe /z
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
uRun: [PlayNC Launcher]
uRun: [NCsoft Launcher] c:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ter8m] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198337010468
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: 1.exe - c:\windows\system32\ahui.exe
IFEO: reader_s.exe - c:\windows\system32\ahui.exe
IFEO: servises.exe - c:\windows\system32\ahui.exe
IFEO: sys64_nov.exe - c:\windows\system32\ahui.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mymobi~1\applic~1\mozilla\firefox\profiles\s8qah0xr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\mymobile02\application data\mozilla\firefox\profiles\s8qah0xr.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-31 16:19:46 88576 ----a-w- c:\windows\system32\13.tmp
2009-10-31 16:19:45 52 ----a-w- c:\windows\system32\11.tmp
2009-10-30 02:59:01 88576 ----a-w- c:\windows\system32\12.tmp
2009-10-30 02:58:59 52 ----a-w- c:\windows\system32\F.tmp
2009-10-30 02:58:50 61440 ----a-w- c:\windows\system32\msxm192z.dll
2009-10-30 02:58:43 0 d-----w- c:\program files\Protection System
2009-10-30 02:58:43 0 ----a-w- c:\windows\SC.INS
2009-10-30 02:58:43 0 ----a-w- c:\windows\sc.exe
2009-10-19 22:25:11 808 ----a-w- c:\windows\system32\6169855.exe
2009-10-19 07:35:34 680 ----a-w- c:\windows\system32\3337061.exe
2009-10-19 06:54:00 8192 --sha-w- c:\windows\system32\Thumbs.db
2009-10-19 06:47:47 0 d-----w- c:\windows\LastGood.Tmp
2009-10-03 20:01:32 0 d-----w- c:\docume~1\mymobi~1\applic~1\foobar2000
2009-10-03 20:01:25 0 d-----w- c:\program files\foobar2000
2009-10-03 19:47:11 0 d-----w- c:\docume~1\mymobi~1\applic~1\Desktopicon
2009-10-03 19:47:08 0 d-----w- c:\program files\Exact Audio Copy
2009-10-03 19:41:24 364544 ----a-w- c:\windows\system32\MACDll.dll
2009-10-03 19:41:24 0 d-----w- c:\program files\Monkey's Audio

==================== Find3M ====================

2009-10-19 07:35:08 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-10-19 07:35:08 361600 ----a-w- c:\windows\system32\dllcache\TCPIP.SYS
2009-10-19 07:21:27 65536 ----a-w- c:\windows\system32\bdod.bin
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-09-01 17:58:17 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-08-28 10:35:52 193024 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-25 21:10:00 78945 ----a-w- c:\windows\War3Unin.dat
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 03:44:46 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-05 02:52:22 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-03 22:07:42 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 22:07:42 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 22:07:42 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2008-10-09 22:30:50 49152 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080929\index.dat
2008-10-09 22:30:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100920081010\index.dat

============= FINISH: 9:21:48.31 ===============


Here is the GMER log

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-31 12:44:54
Windows 5.1.2600 Service Pack 3
Running: qruki47h.exe; Driver: C:\DOCUME~1\MYMOBI~1\LOCALS~1\Temp\uwtdqpog.sys


---- System - GMER 1.0.15 ----

SSDT spiq.sys ZwCreateKey [0xF73670E0]
SSDT spiq.sys ZwEnumerateKey [0xF7385CA2]
SSDT spiq.sys ZwEnumerateValueKey [0xF7386030]
SSDT spiq.sys ZwOpenKey [0xF73670C0]
SSDT spiq.sys ZwQueryKey [0xF7386108]
SSDT spiq.sys ZwQueryValueKey [0xF7385F88]
SSDT spiq.sys ZwSetValueKey [0xF738619A]

INT 0x63 ? 85410F00
INT 0x73 ? 85529BF8
INT 0x83 ? 85529BF8
INT 0xB1 ? 8552ABF8
INT 0xB1 ? 854BBBF8
INT 0xB4 ? 85410F00

---- Kernel code sections - GMER 1.0.15 ----

? spiq.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F70E18AC 5 Bytes JMP 854104E0
.text adx3rdmr.SYS F7016384 1 Byte [20]
.text adx3rdmr.SYS F7016384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text adx3rdmr.SYS F70163AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text adx3rdmr.SYS F70163C4 3 Bytes [00, 00, 00]
.text adx3rdmr.SYS F70163C9 1 Byte [00]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF946EA
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF94779
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF94786
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF94A0A
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF9476F
.text C:\WINDOWS\system32\lsass.exe[764] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF947C7
.text C:\WINDOWS\TEMP\VRTE.tmp[912] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\TEMP\VRTE.tmp[912] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\TEMP\VRTE.tmp[912] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\TEMP\VRTE.tmp[912] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\TEMP\VRTE.tmp[912] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\TEMP\VRTE.tmp[912] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.text C:\WINDOWS\system32\Rundll32.exe[960] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\system32\Rundll32.exe[960] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\system32\Rundll32.exe[960] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\system32\Rundll32.exe[960] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\system32\Rundll32.exe[960] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\system32\Rundll32.exe[960] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.reloc C:\WINDOWS\Explorer.EXE[1620] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE0000040]
.reloc C:\WINDOWS\Explorer.EXE[1620] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x01103360]
.text C:\WINDOWS\Explorer.EXE[1620] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\Explorer.EXE[1620] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\Explorer.EXE[1620] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\Explorer.EXE[1620] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\Explorer.EXE[1620] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\Explorer.EXE[1620] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.text C:\WINDOWS\system32\svchost.exe[1832] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\WINDOWS\system32\svchost.exe[1832] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\WINDOWS\system32\svchost.exe[1832] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\WINDOWS\system32\svchost.exe[1832] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\WINDOWS\system32\svchost.exe[1832] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\WINDOWS\system32\svchost.exe[1832] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7
.text C:\Documents and Settings\MyMobile02\Desktop\qruki47h.exe[1868] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA46EA
.text C:\Documents and Settings\MyMobile02\Desktop\qruki47h.exe[1868] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4779
.text C:\Documents and Settings\MyMobile02\Desktop\qruki47h.exe[1868] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4786
.text C:\Documents and Settings\MyMobile02\Desktop\qruki47h.exe[1868] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A0A
.text C:\Documents and Settings\MyMobile02\Desktop\qruki47h.exe[1868] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA476F
.text C:\Documents and Settings\MyMobile02\Desktop\qruki47h.exe[1868] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA47C7

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 854BB2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7398C4C] spiq.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7398CA0] spiq.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7368040] spiq.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F736813C] spiq.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73680BE] spiq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73687FC] spiq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73686D2] spiq.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 854105E0
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlInitUnicodeString] 0000004C
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!swprintf] 00000095
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeSetEvent] 0000000B
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 00000042
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 000000FA
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 000000C3
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmFreeMappingAddress] 0000004E
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 00000008
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 0000002E
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmUnmapIoSpace] 000000A1
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 00000066
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IofCompleteRequest] 00000028
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 000000D9
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IofCallDriver] 00000024
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 000000B2
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 00000076
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoConnectInterrupt] 0000005B
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoDetachDevice] 000000A2
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeWaitForSingleObject] 00000049
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeInitializeEvent] 0000006D
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeCancelTimer] 0000008B
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 000000D1
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlInitAnsiString] 00000025
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 00000072
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoQueueWorkItem] 000000F8
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmMapIoSpace] 000000F6
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 00000064
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoReportDetectedDevice] 00000086
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoReportResourceForDetection] 00000068
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 00000098
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!NlsMbCodePageTag] 00000016
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!PoRequestPowerIrp] 000000D4
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 000000A4
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 0000005C
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!sprintf] 000000CC
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 0000005D
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ObfDereferenceObject] 00000065
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 000000B6
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 00000092
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ZwClose] 0000006C
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 00000070
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 00000048
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 00000050
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 000000FD
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoCreateDevice] 000000ED
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 000000B9
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 000000DA
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 0000005E
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ZwOpenKey] 00000015
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 00000046
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoStartTimer] 00000057
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeInitializeTimer] 000000A7
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoInitializeTimer] 0000008D
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeInitializeDpc] 0000009D
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeInitializeSpinLock] 00000084
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoInitializeIrp] 00000090
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ZwCreateKey] 000000D8
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 000000AB
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 00000000
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ZwSetValueKey] 0000008C
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000BC
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 000000D3
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoStartPacket] 0000000A
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 000000F7
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 000000E4
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoFreeMdl] 00000058
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmUnlockPages] 00000005
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 000000B8
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 000000B3
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 00000045
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 00000006
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeSynchronizeExecution] 000000D0
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoStartNextPacket] 0000002C
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeBugCheckEx] 0000001E
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 0000008F
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeSetTimer] 000000CA
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!_allmul] 0000003F
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmProbeAndLockPages] 0000000F
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!_except_handler3] 00000002
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!PoSetPowerState] 000000C1
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000AF
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000BD
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 00000003
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!_aulldiv] 00000001
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!strstr] 00000013
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!_strupr] 0000008A
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeQuerySystemTime] 0000006B
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 0000003A
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!KeTickCount] 00000091
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00000011
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoDeleteDevice] 00000041
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 0000004F
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000067
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoAllocateIrp] 000000DC
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoAllocateMdl] 000000EA
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 00000097
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmLockPagableDataSection] 000000F2
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 000000CF
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 000000CE
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!ExFreePoolWithTag] 000000F0
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoFreeIrp] 000000B4
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!IoFreeWorkItem] 000000E6
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!InitSafeBootMode] 00000073
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!RtlCompareMemory] 00000096
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!PoCallDriver] 000000AC
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!memmove] 00000074
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[ntoskrnl.exe!MmHighestUserAddress] 00000022
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!READ_PORT_UCHAR] 0000008E
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!KeGetCurrentIrql] 00000043
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!KfRaiseIrql] 00000044
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!KfLowerIrql] 000000C4
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!HalGetInterruptVector] 000000DE
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!HalTranslateBusAddress] 000000E9
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!KeStallExecutionProcessor] 000000CB
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!KfReleaseSpinLock] 00000054
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0000007B
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!READ_PORT_USHORT] 00000094
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000032
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[HAL.dll!WRITE_PORT_UCHAR] 000000A6
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[WMILIB.SYS!WmiSystemControl] 00000023
IAT \SystemRoot\System32\Drivers\adx3rdmr.SYS[WMILIB.SYS!WmiCompleteRequest] 0000003D

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 855281F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{929B59D3-D325-4A65-9E76-F69F17785DC4} 850F6500

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\usbohci \Device\USBPDO-0 854111F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 854B91F8
Device \Driver\dmio \Device\DmControl\DmConfig 854B91F8
Device \Driver\dmio \Device\DmControl\DmPnP 854B91F8
Device \Driver\dmio \Device\DmControl\DmInfo 854B91F8
Device \Driver\usbehci \Device\USBPDO-1 8539D1F8
Device \Driver\PCI_PNP1288 \Device\00000055 spiq.sys

AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\PCI_PNP1288 \Device\00000056 spiq.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8552B1F8
Device \Driver\sptd \Device\2846338788 spiq.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8552B1F8
Device \Driver\Cdrom \Device\CdRom0 8539F1F8
Device \Driver\nvata \Device\00000072 855291F8
Device \Driver\Cdrom \Device\CdRom1 8539F1F8
Device \Driver\nvata \Device\00000073 855291F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8552B1F8
Device \Driver\atapi \Device\Ide\IdePort0 [F72A5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom2 8539F1F8
Device \Driver\Cdrom \Device\CdRom3 8539F1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 850F6500
Device \Driver\NetBT \Device\NetbiosSmb 850F6500

AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\usbohci \Device\USBFDO-0 854111F8
Device \Driver\nvata \Device\NvAta0 855291F8
Device \Driver\usbehci \Device\USBFDO-1 8539D1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 850A91F8
Device \Driver\nvata \Device\NvAta1 855291F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 850A91F8
Device \Driver\Ftdisk \Device\FtControl 8552B1F8
Device \Driver\adx3rdmr \Device\Scsi\adx3rdmr1Port3Path0Target0Lun0 853691F8
Device \Driver\adx3rdmr \Device\Scsi\adx3rdmr1Port3Path0Target2Lun0 853691F8
Device \Driver\adx3rdmr \Device\Scsi\adx3rdmr1Port3Path0Target1Lun0 853691F8
Device \Driver\adx3rdmr \Device\Scsi\adx3rdmr1 853691F8
Device \FileSystem\Fastfat \Fat 85086500
Device \FileSystem\Fastfat \Fat F6063297
Device \FileSystem\Cdfs \Cdfs 85087500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x9C 0x00 0x75 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBC 0x7D 0xD7 0x1E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x85 0x4D 0x1B 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDD 0x73 0x2B 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xB1 0xB6 0xAD 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x4D 0x37 0xD2 0xB5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x44 0x7A 0x57 0xEA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xBF 0x49 0x98 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.@\v m\0k\0v\0_\0a\0u\0t\0o\0_\0f\0i\0l\0e

---- EOF - GMER 1.0.15 ----


Edited by animesaint, 31 October 2009 - 03:03 PM.


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,824 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:16 PM

Posted 31 October 2009 - 12:29 PM

Well, without seeing your new logs, I can already tell you this looks bad, most likely Virux. However, to confirm this, please do the following.

UPLOAD A FILE
--------------------
We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button, navigate to the following files and click Send file.

c:\windows\system32\userinit.exe
c:\windows\system32\svchost.exe
c:\windows\explorer.exe
c:\windows\system32\lsass.exe

If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.

No need to post other logs, before we have the results of the uploads.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
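A local triage check a defender can run on the four files Elise lists before (or alongside) the VirusTotal upload. This is an added example, not code from the thread or from BleepingComputer: it parses the PE headers and flags the two file-infector indicators that the VirusTotal PEInfo posted later in this thread shows for userinit.exe and explorer.exe (an entry point inside the last, non-code section and the "invalid" timestamp 0xbd32674a). The section characteristics and the `build_pe` header builder are assumptions for offline testing; VirusTotal did not list characteristics.

```python
"""Added example, not code from the thread. A local triage check for the four
files Elise asks about: it parses the PE headers and flags two file-infector
indicators that the VirusTotal output posted later in this thread shows for
userinit.exe (entry point 0xd623 inside .rsrc) and explorer.exe (entry point
0x103360 inside .reloc), both with the "invalid" TimeDateStamp 0xbd32674a.
Section characteristics below are assumed; VirusTotal did not list them."""
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional

IMAGE_SCN_CNT_CODE = 0x00000020


@dataclass
class Section:
    name: str
    virtual_address: int
    size: int
    characteristics: int


@dataclass
class Triage:
    entry_point: int
    timestamp: int
    entry_section: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_sections(data: bytes, nt_off: int, count: int, opt_size: int) -> List[Section]:
    """Read the section table that follows the optional header (40 bytes per entry)."""
    base = nt_off + 4 + 20 + opt_size
    sections = []
    for i in range(count):
        off = base + 40 * i
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, max(vsize, rawsize), chars))
    return sections


def triage_pe(data: bytes) -> Triage:
    """Flag entry-point and timestamp anomalies typical of an appending file infector."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, nt_off + 4)
    ep = struct.unpack_from("<I", data, nt_off + 24 + 16)[0]  # AddressOfEntryPoint
    sections = parse_sections(data, nt_off, nsec, opt_size)

    result = Triage(ep, ts, None)
    for idx, sec in enumerate(sections):
        if sec.virtual_address <= ep < sec.virtual_address + sec.size:
            result.entry_section = sec.name
            if idx != 0:
                result.findings.append(f"entry point in {sec.name}, not the first section")
            if idx == len(sections) - 1 and len(sections) > 1:
                result.findings.append("entry point in the last section (appended-code pattern)")
            if not sec.characteristics & IMAGE_SCN_CNT_CODE:
                result.findings.append(f"entry-point section {sec.name} is not marked as code")
            break
    else:
        result.findings.append("entry point outside every section")

    # A link date before 1995 or in the future cannot be a real build stamp
    if ts < 788918400 or ts > time.time() + 86400:             # 788918400 = 1995-01-01 UTC
        result.findings.append(f"implausible TimeDateStamp 0x{ts:08x}")
    return result


def build_pe(sections: List[Section], entry_point: int, timestamp: int) -> bytes:
    """Constructed minimal PE32 header (no section bodies) so the parser runs offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> NT headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"), s.size,
                    s.virtual_address, s.size, 0, 0, 0, 0, 0, s.characteristics)
        for s in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Section layouts copied from the VirusTotal PEInfo in this thread (viradd/virsiz);
# characteristics are assumed: the infected .rsrc is given code+execute bits.
CLEAN_SVCHOST = [Section(".text", 0x1000, 0x2C00, 0x60000020),
                 Section(".data", 0x4000, 0x210, 0xC0000040),
                 Section(".rsrc", 0x5000, 0x408, 0x40000040)]
INFECTED_USERINIT = [Section(".text", 0x1000, 0x520E, 0x60000020),
                     Section(".data", 0x7000, 0x14C, 0xC0000040),
                     Section(".rsrc", 0x8000, 0x5C00, 0xE0000060)]


def triage_file(path: str) -> Triage:
    """Run the check on a real file, e.g. each path Elise lists above."""
    with open(path, "rb") as fh:
        return triage_pe(fh.read())
```

On the constructed headers, the svchost layout yields no findings while the userinit layout yields three (entry point not in the first section, in the last section, and an implausible timestamp); an unsigned system binary with those findings should be treated as infected rather than patched in place.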


#6 animesaint

animesaint
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 31 October 2009 - 02:59 PM

Ok, I edited my previous post with the GMER log.
I found an avenger folder in my C: drive and I didn't remember that being there.
Not sure on how to post them, but I clicked compact, copied all and pasted all.

c:\windows\system32\userinit.exe

File userinit.exe received on 2009.10.31 19:48:08 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.31 Gen.Malware!IK
AhnLab-V3 5.0.0.2 2009.10.30 -
AntiVir 7.9.1.53 2009.10.30 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.10.30 -
Authentium 5.1.2.4 2009.10.31 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.10.30 Win32:Vitro
AVG 8.5.0.423 2009.10.31 Win32/Virut
BitDefender 7.2 2009.10.31 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.10.31 W32.Virut.G
ClamAV 0.94.1 2009.10.31 -
Comodo 2794 2009.10.31 -
DrWeb 5.0.0.12182 2009.10.31 Win32.Virut.56
eSafe 7.0.17.0 2009.10.29 -
eTrust-Vet 35.1.7094 2009.10.30 Win32/Virut.17408
F-Prot 4.5.1.85 2009.10.31 W32/Virut.AI!Generic
F-Secure 9.0.15370.0 2009.10.30 Win32.Virtob.Gen.12
Fortinet 3.120.0.0 2009.10.31 -
GData 19 2009.10.31 Win32.Virtob.Gen.12
Ikarus T3.1.1.72.0 2009.10.31 Gen.Malware
Jiangmin 11.0.800 2009.10.31 -
K7AntiVirus 7.10.885 2009.10.31 -
Kaspersky 7.0.0.125 2009.10.31 Virus.Win32.Virut.ce
McAfee 5788 2009.10.31 New Win32
McAfee+Artemis 5788 2009.10.31 New Win32
McAfee-GW-Edition 6.8.5 2009.10.31 Heuristic.LooksLike.Win32.SuspiciousPE.H
Microsoft 1.5202 2009.10.31 Virus:Win32/Virut.gen!O
NOD32 4561 2009.10.31 Win32/Virut.NBP
Norman 6.03.02 2009.10.31 W32/Virut.DY
nProtect 2009.1.8.0 2009.10.31 -
Panda 10.0.2.2 2009.10.31 -
PCTools 7.0.3.5 2009.10.30 Malware.Virut
Prevx 3.0 2009.10.31 -
Rising 21.53.52.00 2009.10.31 -
Sophos 4.47.0 2009.10.31 -
Sunbelt 3.2.1858.2 2009.10.31 LooksLike.Win32.InfectedFile!A (v)
Symantec 1.4.4.12 2009.10.31 W32.Virut.CF
TheHacker 6.5.0.2.058 2009.10.31 -
TrendMicro 8.950.0.1094 2009.10.31 PE_VIRUX.J
VBA32 3.12.10.11 2009.10.30 Virus.Win32.Virut.X7
ViRobot 2009.10.31.2015 2009.10.31 -
VirusBuster 4.6.5.0 2009.10.31 Win32.Virut.AB.Gen

Additional information
File size: 46080 bytes
MD5...: 046d0637b39c534b7cba87feb7ccffcd
SHA1..: c74c2dcf5fd89b9e25187decbd9e5b0e5a803a7f
SHA256: d8935d98c7113d5dac6970be2c4ef1f464fb65927a3d0f3ca493a33cb285ffaa
ssdeep: 768:hRMJi8jDLIDSAaQFxfftjaLacmkLGKOq983IigncbSr+E6x3Q0eCzyh2mgVUxbqw:hRMJbDMDSA7FxffJaLaSLG9q9836CSUi
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xd623
timedatestamp.....: 0xbd32674aL (invalid)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
.data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
.rsrc 0x8000 0x5c00 0x5a00 7.64 ac997379d88112e4c7661b3a89975e41

( 9 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
> NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
> WLDAP32.dll: -, -, -, -, -, -
> msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
> KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Userinit Logon Application
original name: USERINIT.EXE
internal name: userinit
file version.: 5.1.2600.5512 (xpsp.080413-2113)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

END

c:\windows\system32\svchost.exe

File svchost.exe received on 2009.10.31 19:52:50 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.31 -
AhnLab-V3 5.0.0.2 2009.10.30 -
AntiVir 7.9.1.53 2009.10.30 -
Antiy-AVL 2.0.3.7 2009.10.30 -
Authentium 5.1.2.4 2009.10.31 -
Avast 4.8.1351.0 2009.10.30 -
AVG 8.5.0.423 2009.10.31 -
BitDefender 7.2 2009.10.31 -
CAT-QuickHeal 10.00 2009.10.31 -
ClamAV 0.94.1 2009.10.31 -
Comodo 2794 2009.10.31 -
DrWeb 5.0.0.12182 2009.10.31 -
eSafe 7.0.17.0 2009.10.29 -
eTrust-Vet 35.1.7094 2009.10.30 -
F-Prot 4.5.1.85 2009.10.31 -
F-Secure 9.0.15370.0 2009.10.30 -
Fortinet 3.120.0.0 2009.10.31 -
GData 19 2009.10.31 -
Ikarus T3.1.1.72.0 2009.10.31 -
Jiangmin 11.0.800 2009.10.31 -
K7AntiVirus 7.10.885 2009.10.31 -
Kaspersky 7.0.0.125 2009.10.31 -
McAfee 5788 2009.10.31 -
McAfee+Artemis 5788 2009.10.31 -
McAfee-GW-Edition 6.8.5 2009.10.31 -
Microsoft 1.5202 2009.10.31 -
NOD32 4561 2009.10.31 -
nProtect 2009.1.8.0 2009.10.31 -
Panda 10.0.2.2 2009.10.31 -
PCTools 7.0.3.5 2009.10.30 -
Prevx 3.0 2009.10.31 -
Rising 21.53.52.00 2009.10.31 -
Sophos 4.47.0 2009.10.31 -
Sunbelt 3.2.1858.2 2009.10.31 -
Symantec 1.4.4.12 2009.10.31 -
TheHacker 6.5.0.2.058 2009.10.31 -
TrendMicro 8.950.0.1094 2009.10.31 -
VBA32 3.12.10.11 2009.10.30 -
ViRobot 2009.10.31.2015 2009.10.31 -
VirusBuster 4.6.5.0 2009.10.31 -

Additional information
File size: 14336 bytes
MD5...: 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1..: 49083ae3725a0488e0a8fbbe1335c745f70c4667
SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
ssdeep: 384:IDvi+JmG6yqlCRaJt4RHS5LutGJae7g9VJnpWCNJbW:INcG6xlCRaJKGOA7SHJ
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2509
timedatestamp.....: 0x48025bc0 (Sun Apr 13 19:15:12 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 f6589e1ed3da6afefb0b4294d9ff7f2e
.data 0x4000 0x210 0x200 1.62 cbd504e46c836e09e8faabdcfbabaec2
.rsrc 0x5000 0x408 0x600 2.51 dcede0c303bbb48c6875eb64477e5882

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Generic Host Process for Win32 Services
original name: svchost.exe
internal name: svchost.exe
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

END

c:\windows\explorer.exe

File explorer.exe received on 2009.10.31 19:55:24 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.31 Trojan.Win32.Patched!IK
AhnLab-V3 5.0.0.2 2009.10.30 -
AntiVir 7.9.1.53 2009.10.30 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.10.30 -
Authentium 5.1.2.4 2009.10.31 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.10.30 Win32:Vitro
AVG 8.5.0.423 2009.10.31 Win32/Virut
BitDefender 7.2 2009.10.31 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.10.31 W32.Virut.G
ClamAV 0.94.1 2009.10.31 -
Comodo 2794 2009.10.31 -
DrWeb 5.0.0.12182 2009.10.31 Win32.Virut.56
eSafe 7.0.17.0 2009.10.29 -
eTrust-Vet 35.1.7094 2009.10.30 Win32/Virut.17408
F-Prot 4.5.1.85 2009.10.31 W32/Virut.AI!Generic
F-Secure 9.0.15370.0 2009.10.30 Win32.Virtob.Gen.12
Fortinet 3.120.0.0 2009.10.31 -
GData 19 2009.10.31 Win32.Virtob.Gen.12
Ikarus T3.1.1.72.0 2009.10.31 Trojan.Win32.Patched
Jiangmin 11.0.800 2009.10.31 -
K7AntiVirus 7.10.885 2009.10.31 -
Kaspersky 7.0.0.125 2009.10.31 Virus.Win32.Virut.ce
McAfee 5788 2009.10.31 New Win32.g2
McAfee+Artemis 5788 2009.10.31 New Win32.g2
McAfee-GW-Edition 6.8.5 2009.10.31 Heuristic.BehavesLike.Win32.Backdoor.H
Microsoft 1.5202 2009.10.31 Virus:Win32/Virut.gen!O
NOD32 4561 2009.10.31 Win32/Virut.NBP
Norman 6.03.02 2009.10.31 W32/Virut.DY
nProtect 2009.1.8.0 2009.10.31 -
Panda 10.0.2.2 2009.10.31 -
PCTools 7.0.3.5 2009.10.30 Malware.Virut
Prevx 3.0 2009.10.31 -
Rising 21.53.52.00 2009.10.31 -
Sophos 4.47.0 2009.10.31 -
Sunbelt 3.2.1858.2 2009.10.31 LooksLike.Win32.InfectedFile!A (v)
Symantec 1.4.4.12 2009.10.31 W32.Virut.CF
TheHacker 6.5.0.2.058 2009.10.31 -
TrendMicro 8.950.0.1094 2009.10.31 PE_VIRUX.J
VBA32 3.12.10.11 2009.10.30 Virus.Win32.Virut.X7
ViRobot 2009.10.31.2015 2009.10.31 -
VirusBuster 4.6.5.0 2009.10.31 Win32.Virut.AB.Gen

Additional information
File size: 1053696 bytes
MD5...: 51b6e216a5e39efe0af723bca3a7b6a6
SHA1..: c133260dc43eb1b879142906a3fb7d62d17f3ae8
SHA256: f6fd9b6fad06bb0a62495f0e218d03d75a2e4f9016e864c0095dd7aa4ddec5f7
ssdeep: 12288:gHmcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMS:Cmfty/wAvN7lrvbkf8w0VnH1/g/J/k
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x103360
timedatestamp.....: 0xbd32674aL (invalid)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44c09 0x44e00 6.38 fd89c9ce334764ffdbb62637ad9b5809
.data 0x46000 0x1db4 0x1800 1.30 983f35021232560eaaa99fcbc1b7d359
.rsrc 0x48000 0xb2268 0xb2400 6.63 95339c37646fa93e3695e06572a21889
.reloc 0xfb000 0x8800 0x8600 7.67 836f57d4ca3919b5746c5df649bbfd63

( 13 imports )
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> BROWSEUI.dll: -, -, -, -
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> SHDOCVW.dll: -, -, -
> SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Windows Explorer
original name: EXPLORER.EXE
internal name: explorer
file version.: 6.00.2900.5512 (xpsp.080413-2105)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

END

c:\windows\system32\lsass.exe

File lsass.exe received on 2009.10.31 19:57:43 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.31 -
AhnLab-V3 5.0.0.2 2009.10.30 -
AntiVir 7.9.1.53 2009.10.30 -
Antiy-AVL 2.0.3.7 2009.10.30 -
Authentium 5.1.2.4 2009.10.31 -
Avast 4.8.1351.0 2009.10.30 -
AVG 8.5.0.423 2009.10.31 -
BitDefender 7.2 2009.10.31 -
CAT-QuickHeal 10.00 2009.10.31 -
ClamAV 0.94.1 2009.10.31 -
Comodo 2794 2009.10.31 -
DrWeb 5.0.0.12182 2009.10.31 -
eSafe 7.0.17.0 2009.10.29 Win32.Banker
eTrust-Vet 35.1.7094 2009.10.30 -
F-Prot 4.5.1.85 2009.10.31 -
F-Secure 9.0.15370.0 2009.10.30 -
Fortinet 3.120.0.0 2009.10.31 -
GData 19 2009.10.31 -
Ikarus T3.1.1.72.0 2009.10.31 -
Jiangmin 11.0.800 2009.10.31 -
K7AntiVirus 7.10.885 2009.10.31 -
Kaspersky 7.0.0.125 2009.10.31 -
McAfee 5788 2009.10.31 -
McAfee+Artemis 5788 2009.10.31 -
McAfee-GW-Edition 6.8.5 2009.10.31 -
Microsoft 1.5202 2009.10.31 -
NOD32 4561 2009.10.31 -
Norman 6.03.02 2009.10.31 -
nProtect 2009.1.8.0 2009.10.31 -
Panda 10.0.2.2 2009.10.31 -
PCTools 7.0.3.5 2009.10.30 -
Prevx 3.0 2009.10.31 -
Rising 21.53.52.00 2009.10.31 -
Sophos 4.47.0 2009.10.31 -
Sunbelt 3.2.1858.2 2009.10.31 -
Symantec 1.4.4.12 2009.10.31 -
TheHacker 6.5.0.2.058 2009.10.31 -
TrendMicro 8.950.0.1094 2009.10.31 -
VBA32 3.12.10.11 2009.10.30 -
ViRobot 2009.10.31.2015 2009.10.31 -
VirusBuster 4.6.5.0 2009.10.31 -

Additional information
File size: 13312 bytes
MD5...: bf2466b3e18e970d8a976fb95fc1ca85
SHA1..: de5a73cbb5f51f64c53fb4277ef2c23e70db123f
SHA256: f7794b5d12dc5d820a162850f4388e2aa80426ad07cb221799cf941c682ab501
ssdeep: 384:ggHUJZXmtGDWkzLWT4a8WfMptsN0BhgO49:338z4zRfMpy0BF4
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14bd
timedatestamp.....: 0x48025186 (Sun Apr 13 18:31:34 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10d0 0x1200 6.00 7d33d24893e1db0fa0ecbd7a8fa637bd
.data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250
.rsrc 0x4000 0x1b30 0x1c00 7.15 54488850c25258396b2c9492c36b0bd5

( 5 imports )
> ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf
> KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery
> ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter
> LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo
> SAMSRV.dll: SamIInitialize, SampUsingDsData

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: LSA Shell (Export Version)
original name: lsass.exe
internal name: lsass.exe
file version.: 5.1.2600.5512 (xpsp.080413-2113)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#7 Elise, Malware Study Hall Admin

Posted 31 October 2009 - 03:08 PM

Well, I am afraid that's not good news. Just FYI, that avenger folder is most likely created by Malwarebytes' Anti-Malware.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html and lately even .pdf and .jpg). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
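Editor's addition, not from any post in this thread: the lsass.exe report above gives, for every section, its virtual address, sizes, entropy ("ntrpy") and MD5, plus the entry point (0x14bd, inside .text). Those are the fields an appending file infector of the kind Elise describes disturbs. It grows the last section or adds an overlay, marks that region executable, and redirects the entry point into the new code, whose encrypted body shows up as high entropy. The script below reads exactly those fields from a PE using only the standard library and flags that combination. It builds its own two sample images (constructed here, not real files, and not claimed to reproduce any particular Virut variant), so it runs offline; pass real paths on the command line to triage files on disk. Two caveats the report itself illustrates: entropy alone proves nothing (the genuine .rsrc above scores 7.15 because icons and bitmaps look random, which is why the check is applied only to the section holding the entry point), and sigcheck's "verified: Unsigned" only means no embedded Authenticode signature, which is normal for XP system files that are catalog-signed rather than evidence of tampering.

```python
import math
import random
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CODE_R_X = 0x60000020   # CNT_CODE | MEM_EXECUTE | MEM_READ (a normal .text)
IDATA_R = 0x40000040    # CNT_INITIALIZED_DATA | MEM_READ (a normal .rsrc)
IDATA_RW = 0xC0000040   # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE (a normal .data)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; the 'ntrpy' column in the report above."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: COFF header, entry point RVA, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint, same offset in PE32/PE32+
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        content = raw[:vsize] if vsize else raw  # ignore file-alignment padding
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": rva,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
                         "entropy": round(shannon_entropy(content), 2)})
    return {"machine": machine, "timestamp": stamp, "entry_point": entry, "sections": sections}


def triage(data: bytes) -> dict:
    """Flag the header anomalies an appending file infector leaves behind."""
    pe = parse_pe(data)
    ep, secs, findings = pe["entry_point"], pe["sections"], []
    ep_sec = next((s for s in secs if s["rva"] <= ep < s["rva"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        return {"entry_point": ep, "entry_section": None, "suspicious": True,
                "findings": ["entry point 0x%x lies outside every section" % ep]}
    name = ep_sec["name"]
    if len(secs) > 1 and ep_sec is secs[-1]:
        findings.append("entry point is in the last section %s, where appended code usually lands" % name)
    if not ep_sec["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry-point section %s is not marked as code" % name)
    if ep_sec["chars"] & IMAGE_SCN_MEM_WRITE and ep_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry-point section %s is writable and executable" % name)
    if ep_sec["entropy"] > 7.0:
        findings.append("entry-point section %s has entropy %.2f (packed or encrypted code)" % (name, ep_sec["entropy"]))
    end = max(s["rawptr"] + s["rawsize"] for s in secs)
    if len(data) > end:
        findings.append("%d bytes of overlay after the last section" % (len(data) - end))
    return {"entry_point": ep, "entry_section": name, "suspicious": bool(findings), "findings": findings}


def build_pe(sections, entry_rva, file_align=0x200, hdr_size=0x200) -> bytes:
    """Assemble a minimal PE32 image from (name, rva, content, characteristics) tuples (test fixture)."""
    align = lambda n, a: (n + a - 1) // a * a
    hdrs, blobs, ptr = [], [], hdr_size
    for name, rva, content, chars in sections:
        blob = content.ljust(align(len(content), file_align), b"\0")
        hdrs.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(content), rva, len(blob), ptr, 0, 0, 0, 0, chars))
        blobs.append(blob)
        ptr += len(blob)
    size_of_image = align(sections[-1][1] + len(sections[-1][2]), 0x1000)
    opt = struct.pack("<HBB", 0x10B, 0, 0) + struct.pack(
        "<IIIIIIIIIHHHHHHIIIIHHIIIIII", 0, 0, 0, entry_rva, sections[0][1], 0, 0x400000, 0x1000,
        file_align, 4, 0, 0, 0, 4, 0, 0, size_of_image, hdr_size, 0, 2, 0, 0x100000, 0x1000,
        0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    hdr = dos + b"PE\0\0" + coff + opt + b"".join(hdrs)
    return hdr.ljust(hdr_size, b"\0") + b"".join(blobs)


# Constructed samples (not real files): a three-section layout like the lsass.exe report above,
# and the same image after an appending infector has grown the last section, flipped it to
# writable+executable and pointed the entry point at its code.
TEXT_CODE = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 24   # repetitive, low-entropy code
DATA_BYTES = b"\0" * 0x6c
RSRC_BYTES = b"STRINGTABLE placeholder resource data\0" * 4
_rng = random.Random(20091031)                                   # fixed seed, reproducible
APPENDED = bytes(_rng.getrandbits(8) for _ in range(2048))       # stands in for an encrypted viral body


def build_clean_sample() -> bytes:
    return build_pe([(".text", 0x1000, TEXT_CODE, CODE_R_X), (".data", 0x3000, DATA_BYTES, IDATA_RW),
                     (".rsrc", 0x4000, RSRC_BYTES, IDATA_R)], entry_rva=0x1000)


def build_infected_sample() -> bytes:
    return build_pe([(".text", 0x1000, TEXT_CODE, CODE_R_X), (".data", 0x3000, DATA_BYTES, IDATA_RW),
                     (".rsrc", 0x4000, RSRC_BYTES + APPENDED, CODE_R_X | IMAGE_SCN_MEM_WRITE)],
                    entry_rva=0x4000 + len(RSRC_BYTES))


if __name__ == "__main__":
    import sys
    for label, blob in (("clean", build_clean_sample()), ("infected", build_infected_sample())):
        print(label, triage(blob))
    for path in sys.argv[1:]:  # e.g. python pe_triage.py C:\WINDOWS\system32\lsass.exe
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

The last-section and entropy tests are heuristics: packers and self-extracting installers trip them legitimately, so a hit is a reason to compare the file's hash against a copy from installation media or a trusted reference set (the NSRL line in the reports above), not a verdict. A system file that matches its known-good hash is clean regardless of what one scanner out of forty-one says about it.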


#8 animesaint, Topic Starter

Posted 31 October 2009 - 03:18 PM

Reformatting... not a bad idea. Is there really no other way? >.>

#9 Elise, Malware Study Hall Admin

Posted 31 October 2009 - 04:04 PM

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. From what I have read, seen, and tried, it's virtually impossible to completely remove and just a waste of time. You can try booting from every rescue disk you can find, but they will likely leave your computer in an unbootable state as a result of futile attempts to repair system files and drivers. Even vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to anti-virus vendors that offer free LiveCD or Rescue CD utilities, which you boot from to repair unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Note: In order to use a rescue disk, the boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer’s BIOS which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to:

regards, Elise

#10 animesaint, Topic Starter

Posted 31 October 2009 - 04:11 PM

oh man. I think reformatting is the best idea because the method posted seems intricate. Don't have much stuff but media and game programs.
I appreciate your time Elise.

Edited by animesaint, 31 October 2009 - 04:13 PM.


#11 Elise, Malware Study Hall Admin

Posted 31 October 2009 - 04:18 PM

I am truly sorry I couldn't be of more help in this case. I hope you will get your machine up and running again soon.

This topic will now be closed. If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise
