Virus prevents me from downloading HijackThis/Malwarebytes


  • This topic is locked
18 replies to this topic

#1 kitchen knives

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:50 AM

Posted 25 November 2009 - 11:03 PM

I was recently infected with Antispyware Pro. I don't think I got rid of it, but I no longer have the constant pop-ups. However, when I try to Google search Malwarebytes, the browser automatically closes. Even when I download the Malwarebytes.exe file, nothing happens when I double-click it. I also can't Google search HijackThis, although I haven't yet tried downloading it on a different computer and transferring it over. I downloaded Spyware Doctor because Symantec wasn't updating, and it said that I was infected with a Trojan.


DDS (Ver_09-11-24.02) - NTFSx86
Run by Kevin at 20:56:11.51 on Wed 11/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1188 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\mHotKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WacomTouchService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\mshearts.exe
C:\Documents and Settings\Kevin\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www3.imsa.edu
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: ALO: {506cd401-5203-4b27-bb5a-03c97758fd02} - c:\windows\system32\lastmon.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] NA
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [ovhybpsk] c:\documents and settings\kevin\local settings\application data\xoavyd\dyhdsysguard.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Gateway Hotkey Software] c:\windows\mHotKey.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ovhybpsk] c:\documents and settings\kevin\local settings\application data\xoavyd\dyhdsysguard.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\kevin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181078090671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: eeecdacedfa - c:\windows\system32\eeecdacedfa.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\psff46cr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-25 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-25 112592]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-25 358600]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-6-17 434864]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [2007-5-20 86016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [2007-5-20 10160]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2007-5-20 11312]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 fdcecdecacfad;485e905bbf23b1b66b2a4296ba8a0c57;c:\windows\fdcecdecacfad.exe /s --> c:\windows\fdcecdecacfad.exe [?]
S2 NFAgent;NFAgent;c:\program files\system\smss.exe /pid=10180 --> c:\program files\system\smss.exe [?]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\drivers\vpnva.sys [2009-6-17 20152]

=============== Created Last 30 ================

2009-11-26 00:20:06 0 d-----w- c:\program files\Spyware Doctor
2009-11-26 00:20:06 0 d-----w- c:\program files\common files\PC Tools
2009-11-26 00:20:06 0 d-----w- c:\docume~1\kevin\applic~1\PC Tools
2009-11-26 00:20:06 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-22 15:30:22 277519 ----a-w- c:\windows\system32\eeecdacedfa.dll
2009-11-21 02:59:32 0 d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess
2009-11-21 02:59:27 0 d-----w- c:\docume~1\kevin\applic~1\Multi File Downloader
2009-11-21 02:37:48 0 d-----w- c:\program files\Microsoft WSE
2009-11-21 01:55:54 0 d-----w- c:\program files\DAEMON Tools Lite
2009-11-07 05:02:14 0 d-----w- c:\program files\iPod
2009-11-07 05:02:09 0 d-----w- c:\program files\iTunes
2009-11-06 05:07:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Cisco
2009-11-06 05:07:29 0 d-----w- c:\program files\Cisco

==================== Find3M ====================

2009-11-21 01:56:03 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-08 17:31:46 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 17:31:44 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 17:31:44 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 17:31:14 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-06 22:31:30 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-02 20:19:04 1152470 ----a-w- c:\windows\UDB.zip
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 05:27:19 2684749 ----a-w- c:\windows\fonts\HDZB_39.TTF
2009-09-01 05:24:43 4682183 ----a-w- c:\windows\fonts\HDZB_36.TTF
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2008-09-07 00:39:59 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 20:57:40.96 ===============



#2 Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:50 AM

Posted 01 December 2009 - 05:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

#3 kitchen knives
  • Topic Starter
  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:50 AM

Posted 06 December 2009 - 02:18 PM

Thank you for your help!

DDS (Ver_09-11-24.02) - NTFSx86
Run by user at 13:13:29.87 on Sun 12/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1270 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WacomTouchService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\mHotKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Documents and Settings\Kevin\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www3.imsa.edu
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {506CD401-5203-4B27-BB5A-03C97758FD02} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] NA
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [ovhybpsk] c:\documents and settings\kevin\local settings\application data\xoavyd\dyhdsysguard.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Gateway Hotkey Software] c:\windows\mHotKey.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ovhybpsk] c:\documents and settings\kevin\local settings\application data\xoavyd\dyhdsysguard.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\kevin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181078090671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: eeecdacedfa - c:\windows\system32\eeecdacedfa.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\psff46cr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-25 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-25 112592]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-25 358600]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-6-17 434864]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [2007-5-20 86016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [2007-5-20 10160]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2007-5-20 11312]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 fdcecdecacfad;485e905bbf23b1b66b2a4296ba8a0c57;c:\windows\fdcecdecacfad.exe /s --> c:\windows\fdcecdecacfad.exe [?]
S2 NFAgent;NFAgent;c:\program files\system\smss.exe /pid=10180 --> c:\program files\system\smss.exe [?]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\drivers\vpnva.sys [2009-6-17 20152]

=============== Created Last 30 ================

2009-12-05 19:34:52 0 d-----w- c:\program files\Nowcom
2009-12-05 06:22:25 193040 ----a-w- c:\windows\system32\lastmon.dll
2009-11-28 01:38:43 0 d-----w- c:\program files\Rosetta Stone
2009-11-28 01:38:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-11-27 02:16:15 6253745 ----a-w- c:\windows\system32\2ndrive_setup.exe
2009-11-27 01:37:08 2785280 ----a-w- c:\windows\system32\clubbox.exe
2009-11-26 00:20:06 0 d-----w- c:\program files\Spyware Doctor
2009-11-26 00:20:06 0 d-----w- c:\program files\common files\PC Tools
2009-11-26 00:20:06 0 d-----w- c:\docume~1\kevin\applic~1\PC Tools
2009-11-26 00:20:06 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-22 15:30:22 277519 ----a-w- c:\windows\system32\eeecdacedfa.dll
2009-11-21 02:59:32 0 d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess
2009-11-21 02:59:27 0 d-----w- c:\docume~1\kevin\applic~1\Multi File Downloader
2009-11-21 02:37:48 0 d-----w- c:\program files\Microsoft WSE
2009-11-21 01:55:54 0 d-----w- c:\program files\DAEMON Tools Lite
2009-11-07 05:02:14 0 d-----w- c:\program files\iPod
2009-11-07 05:02:09 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-11-27 22:12:48 644224 ----a-w- c:\windows\system32\NowUpdate.exe
2009-11-21 01:56:03 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-04 05:07:21 45400 ----a-w- c:\windows\system32\clubboxuninstall.exe
2009-11-04 04:01:59 159744 ----a-w- c:\windows\system32\downengine.dll
2009-11-04 03:50:34 188416 ----a-w- c:\windows\system32\fscagent.exe
2009-11-04 00:25:38 180224 ----a-w- c:\windows\system32\alivecommlibudp.dll
2009-10-08 17:31:46 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 17:31:44 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 17:31:44 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 17:31:14 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-02 20:19:04 1152470 ----a-w- c:\windows\UDB.zip
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-09-07 00:39:59 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 13:15:48.32 ===============

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 AM

Posted 06 December 2009 - 07:56 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 AM

Posted 11 December 2009 - 05:11 PM

Hi,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 AM

Posted 12 December 2009 - 01:26 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 AM

Posted 13 December 2009 - 07:17 AM

Reopened at user's request

----------------------------------------------------

Hi,

Please run a new DDS scan and post the log.txt only.


Then please run RootRepeal if you are able to.

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 AM

Posted 18 December 2009 - 08:21 PM

Hi kitchen knives,

Please reply or I will close the topic tomorrow, 6pm GMT Saturday.

Thanks,

m0le
m0le is a proud member of UNITE

#9 kitchen knives

kitchen knives
  • Topic Starter

  • Members
  • 21 posts
  • Local time:03:50 AM

Posted 20 December 2009 - 04:51 PM

Here are the scans:


DDS (Ver_09-11-24.02) - NTFSx86
Run by Kevin at 15:46:11.79 on Sun 12/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1283 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\mHotKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WacomTouchService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Documents and Settings\Kevin\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www3.imsa.edu
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: ALO: {506cd401-5203-4b27-bb5a-03c97758fd02} - c:\windows\system32\lastmon.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] NA
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Gateway Hotkey Software] c:\windows\mHotKey.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\kevin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181078090671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: eeecdacedfa - c:\windows\system32\eeecdacedfa.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\psff46cr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\adaafedbb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-25 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-25 112592]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-25 358600]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-6-17 434864]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [2007-5-20 86016]
R3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [2007-5-20 10160]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2007-5-20 11312]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 fdcecdecacfad;485e905bbf23b1b66b2a4296ba8a0c57;c:\windows\fdcecdecacfad.exe /s --> c:\windows\fdcecdecacfad.exe [?]
S2 NFAgent;NFAgent;c:\program files\system\smss.exe /pid=10180 --> c:\program files\system\smss.exe [?]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\drivers\vpnva.sys [2009-6-17 20152]

=============== Created Last 30 ================

2009-12-18 05:28:02 0 d-----w- c:\program files\iPod
2009-12-18 05:27:55 0 d-----w- c:\program files\iTunes
2009-12-09 21:04:05 118 ----a-w- c:\windows\system32\MRT.INI
2009-12-05 19:34:52 0 d-----w- c:\program files\Nowcom
2009-12-05 06:22:25 190480 ----a-w- c:\windows\system32\lastmon.dll
2009-11-28 01:38:43 0 d-----w- c:\program files\Rosetta Stone
2009-11-28 01:38:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-11-27 02:16:15 6253745 ----a-w- c:\windows\system32\2ndrive_setup.exe
2009-11-27 01:37:08 2785280 ----a-w- c:\windows\system32\clubbox.exe
2009-11-26 00:20:06 0 d-----w- c:\program files\Spyware Doctor
2009-11-26 00:20:06 0 d-----w- c:\program files\common files\PC Tools
2009-11-26 00:20:06 0 d-----w- c:\docume~1\kevin\applic~1\PC Tools
2009-11-26 00:20:06 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-22 15:30:22 277519 ----a-w- c:\windows\system32\eeecdacedfa.dll
2009-11-21 02:59:32 0 d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess
2009-11-21 02:59:27 0 d-----w- c:\docume~1\kevin\applic~1\Multi File Downloader
2009-11-21 02:37:48 0 d-----w- c:\program files\Microsoft WSE
2009-11-21 01:55:54 0 d-----w- c:\program files\DAEMON Tools Lite

==================== Find3M ====================

2009-11-27 22:12:48 644224 ----a-w- c:\windows\system32\NowUpdate.exe
2009-11-21 01:56:03 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-04 05:07:21 45400 ----a-w- c:\windows\system32\clubboxuninstall.exe
2009-11-04 04:01:59 159744 ----a-w- c:\windows\system32\downengine.dll
2009-11-04 03:50:34 188416 ----a-w- c:\windows\system32\fscagent.exe
2009-11-04 00:25:38 180224 ----a-w- c:\windows\system32\alivecommlibudp.dll
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-08 17:31:46 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 17:31:44 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 17:31:44 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 17:31:14 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-02 20:19:04 1152470 ----a-w- c:\windows\UDB.zip
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2008-09-07 00:39:59 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 15:47:58.04 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/19 15:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP Tablet PC Edition SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9B42D000 Size: 753664 File Visible: No Signed: -
Status: -

Name: PCI_PNP5838
Image Path: \Driver\PCI_PNP5838
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x98AD6000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spyz.sys
Image Path: spyz.sys
Address: 0xB9EB4000 Size: 995328 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\85fbf.msi
Status: Locked to the Windows API!

Path: c:\documents and settings\kevin\local settings\temp\etilqs_ekkqh2olrfgl24zzpotp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\kevin\local settings\temp\etilqs_kbub0ls1dh6mxoikecsh
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F01C3593-B0C4-4E54-807A-E19A1EBC5882}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F0224A10-6725-4791-8BB1-DFF15F6E4EF1}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F02FE979-0E7C-4B8E-985C-BE5AD83B0566}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F053A769-BFF9-4251-986F-24190FEF6C0A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F0A7E092-6447-4E32-90CF-4F609C424CE2}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F10609C9-51C0-471D-BFAB-2BAA83E58507}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F176C9DE-6C60-4826-BBDF-3A81561A0514}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F19A8EA0-7988-4123-911B-27A276C79248}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F1A5C31F-85B1-4E7E-AE55-B5A03ACAF6E7}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F1D25A36-4FBB-466C-838F-08A6203152D1}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F1E2ED2F-05E5-4184-A4D3-4020602A40BF}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F1F7768F-C5AD-4A4E-963F-543FAF632314}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FA0B1C4B-DEE5-4735-8326-60E45D955FC4}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FA0BE82C-A928-4AC8-821C-15399F5F74AD}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FA1C4742-5A81-4DA0-AB2A-63B56F6039BF}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FA4113E4-F948-42E9-97D0-C09692B4D9A8}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FA831A77-9B04-4C36-B443-62EE0B5C9AAB}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FA8B39A0-3ED5-496E-BD7C-EDBF46B407A0}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FAB863C6-1868-4EEA-8AF8-692DF276BB95}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FACACB0F-8435-41AA-A4FE-5E25B6C7DE62}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FACDDF9C-A3E3-4A71-9AF4-98005C142E0F}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FADDE5A7-DD9A-4DB7-B5DE-5FD7C5D068D3}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FB4ECB78-44FB-4C4E-BD92-D63AAE52C108}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FB615A2D-2CFE-46A3-BC9A-6E1685BFE9EB}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FB73680E-049C-46B8-A370-CF0B364720CB}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FB83C292-9B6C-4A26-ABD2-C2B1F3F1704D}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FBAA2516-B5E2-43F9-A623-72356E0CC246}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FBC9FA1B-B552-4DF9-9DF4-C6B40205FF0E}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FBFC213F-CBE9-4F89-93CD-14AFE79725BF}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E9BF56D1-9AA1-404B-BE37-B77A472575E2}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E9E24A67-B596-4E42-89F7-EC4DB9ABE307}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E9FD090C-0B2D-4C9C-9E86-1AC265A72461}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EA50CD42-5AB6-4098-8D1C-E88F2D27E55D}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EA5B8828-730C-4A44-B124-12558173A63B}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EAC994C5-A15F-4471-B833-A77A65173262}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EB412102-75DE-4B35-9EA7-622A6DD18693}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EB5C0EA9-98C4-4918-BDC7-246BB79D43EF}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EB90C096-28EA-4443-96D4-F616D3E2518C}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EB9C70CC-DC78-4B87-8138-AC8A037A694F}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EBBF112C-FC6F-4178-AF81-B32E9BB7BD6F}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EC2CC174-91FD-4EDA-82AB-6B83FA0C0C5F}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EC323239-B1C8-4D8E-AD9E-237FCF3DD258}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EC4DB5A6-57D4-4599-9FAD-8A68B6A9296A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EC550C12-FCDE-4417-952C-53207DC848C1}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EC6267B3-7EF9-4F20-B216-6BCB092CD4F8}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EC67B7C9-8C10-466A-93F9-8D69B64E3549}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F62CFB3E-9D36-43FB-B13F-CF98CD54F547}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F660647F-85CA-43DF-808D-815C4E44DBB8}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F66DB0AF-F3AA-4745-BCA5-B62B551FDEEB}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F69A808E-519F-43AE-9450-61131A79101F}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F6C8D8C8-CD2A-44B9-9525-31A2BF11705E}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F6FD6139-2935-470D-B78E-DAD4D6608EBC}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F75BCAA2-9418-49B5-9759-4A8C2E42DF88}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F7C60BAA-8637-427D-84FE-4C4A7499EF64}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F7D08A5E-EC7F-4CA5-9865-31A1480B2651}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F7F76BE0-3ACA-457C-B2EF-98748C99AA27}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F80C047D-8768-4C4D-8184-1A2296F80B6D}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F82475D1-C439-4291-B160-69E82355ED5E}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F836A60F-1AE2-445D-8DA7-979428A15D41}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F85388B9-EF26-4861-8D34-D0993C316D18}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F869DC82-7524-4A23-91D5-252996616B42}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F8CCFA0A-84B5-43E4-AED2-56AB9F448B3E}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F9391E98-9BE6-4CC8-A28A-D20DE7D6C6C0}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F96E06A6-33A5-411E-A73A-255C961C4582}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F97CBF0D-0219-4FC9-BD0F-78D72C6239F8}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F98BC19B-9693-4223-9E49-DC2B4BB34597}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F9E7D7CD-D1BC-4F0C-B2FE-2C0D21F54C42}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E6963830-D74C-4E84-A52A-4525E9FAA0A5}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E715531F-E3BC-4B60-8CD6-282F7A59AC19}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E719762A-B689-4A8D-876F-C9548399B504}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E778E9FD-4E25-4287-80DA-D7C3AD55FBE6}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E7AB4E8F-6A6A-49C4-B1B0-1B4C8A2F13A0}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E7B05833-C472-4A3F-9C2A-2CBB2E5683BC}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E81E8C7F-FE6C-4086-B1ED-72549DB1D406}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E87CB104-C482-4401-B49E-0050E62591A3}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E88AE9C3-5719-4E91-8B48-774D0A563EB2}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E895921B-7D12-449C-B21A-018F5F5D9BA6}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E8987C1E-04D4-4BB9-8F5D-76543E68206E}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E89E92D5-1B88-4E58-93D1-439F77F40351}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E8A90B16-C4CC-4C73-AC60-5AF3DBBD9A87}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E8C9D92C-CB5C-4765-85CB-D28503647178}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E8F4C414-992B-4F4B-89FF-3D8733C7D182}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E9183F23-2BFE-4971-AAFE-7B73A4EE481C}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E93D5349-A644-420A-B7C3-9019684E2C10}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E94FF329-49BF-4A20-9ED0-C7410BF1FD45}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E9524A13-E4D6-4135-B9E6-106D79280DFF}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E99E182A-41A6-47BE-A736-D6A93DFAD82B}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FCE94F1E-5D72-46FB-86EA-C04EB4808A3D}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FD647004-A3CE-4267-B283-1B3443232339}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FD91204B-3BB5-407A-86C1-9EA9EDAF30C9}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FE145C67-4722-4A9A-8EF7-8066DC697452}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FE3B4BE3-EB82-4501-9A1D-DCB68DD018C2}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FE3E9430-002A-462A-9472-377DE18032C9}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FE8A5E2C-7CBF-4483-BDBD-6915C5F2B547}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FEBA562D-C757-41B1-91DD-2F29B60211DB}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FEECD10D-4FEC-41A6-8DB1-534DA7FF04AC}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FF8A5FB4-E57E-4F91-B396-D6C0F8868711}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FF914E25-CE2B-4B5E-8E67-8018C9DACC87}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FFC845B9-BCB5-4D72-8E74-47C9D526D872}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FFCF878C-F161-4841-9D90-5BB32AE2770D}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FFEFBA5C-E020-4341-BC1F-E5595A875291}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{ECFF68B6-EF78-4484-B004-02C08E05049C}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{ED1269FA-C6B7-48B2-AA40-5636EEF98AA9}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{ED592166-096C-40C0-AE5D-119BB9494088}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{ED77CFEE-71B7-45FF-A0FA-CBB1D85898B6}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{ED794662-7782-4BCB-A033-85F20541E407}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{ED858BA5-F22D-4C43-8BFE-74E56CFD2F70}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{ED9B7270-E3CF-46EA-901C-3233DC6CC72C}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EDC13B7B-D70A-4155-BFC2-F92DF27AD9C7}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EDC40DDA-6F3D-4084-8366-6B57C05EB0DC}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EDFB431A-102A-4C27-91C9-411944FF6BF2}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EE34B6B2-CC3B-4235-BBDB-A96F261A3C17}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EE4A3C00-4E34-49AB-A5F2-F4002C6118CE}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EE60F466-A321-4FFC-92B1-6F42794B6AE4}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EE948028-6C04-463D-BCE9-C423D7EEBC7A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EEC8C08C-3FC7-4FDE-A9EF-CE2CCE575476}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EEDB5901-AD17-44D7-B7E0-BA8756A3C435}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EEE0BDA8-664B-450A-8ED9-63407E4E463C}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EF170B17-15F8-4179-959C-214990A2235A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EF2DDD0D-9348-4F00-AE4A-955B83A5AE1C}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EF70EB59-1BB1-4A56-813E-E9E231B9D24E}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{EF769BD7-E1A6-4412-B6AD-CA81A5D9755A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F29E3D21-5E92-41DE-AB4D-6EFC713BCADC}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F32ECAC9-EBA7-413B-BC16-5FFAE28A8EDE}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F37386ED-0A58-44A5-87B9-180574700392}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F38F60EB-8EA5-4B15-87E6-779256E12A4A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F390B156-767B-4323-A90F-1851FFAC585F}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F3C7C6FF-79E6-4DB0-A81C-956A87DACCFC}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F3F2D4B3-AD2A-41D9-A357-D6DCF31AEE46}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F3F41B67-4F96-4839-9C21-0E7619F2C9B3}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F4038645-049D-4B93-9245-F641EEE5348D}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F42DC351-DC44-4507-8C97-6AB87EBD652D}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F433A67B-6EB8-411A-9595-EEC4BC6678A0}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F43CDFDD-DB94-4D1A-80FB-4182ECC4F18A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F52D931F-058A-4CA8-8351-CCCCC2FB553B}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F5348640-3689-4FBE-BD70-B5B64F1BFA3A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F54E7543-07C9-4A03-82E0-ACCA263B4579}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F55B4F1B-985F-4DBE-90D5-8EAE042E6EEF}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F5A9DA12-923B-4158-A0B1-C48B7E6AC71A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E691E324-A98A-4633-90B1-EA514A3422B1}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E9B17320-54FE-4A02-A56A-76E595E6EB6E}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{ECAE3072-7794-4EDF-8BE8-5E5D088FDF03}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F25CC607-91ED-426E-A05E-C9E7F008B52D}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F5E5837C-CCFB-4D6C-8BDD-896033280352}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{F9F41BCC-0C44-4F51-8FA6-753A8B6467D1}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{FC60FF11-DC47-4D0B-8B7B-8678342B92C3}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E44C7614-D13F-42AD-80EA-93D7BFE5E259}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E48573F1-0DB6-429A-A04F-21AB2C3112DA}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E4A66001-3EC9-480F-92AC-B1311E3E8A54}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E4D0B022-3E20-4209-AD6B-4743C1DBA1FC}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E4DFBC6D-4483-45F2-82AA-AD3B1A272EFE}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E51337B6-B0A0-4717-990E-8DB407522D67}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E57A9966-12A5-4595-AEDD-BFF1A5162E1A}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E6270017-EB2F-46B3-B4F5-21FD0986BF0D}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E654EE3A-2E9F-4520-8DED-797DEAF0015C}.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.Word\~WRS{E6872AC4-7C93-4475-85B7-ADC31964F49E}.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090816.003\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\psff46cr.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 031 Fun

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a8791f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x88fa11f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]

#10 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 December 2009 - 05:33 PM

Welcome back, kitchen knives. :(

The logs are showing quite a bit of infection. There's also rootkit activity, so this fix could take a bit longer.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
m0le is a proud member of UNITE

#11 kitchen knives
  • Topic Starter

  • Members
  • 21 posts

Posted 23 December 2009 - 01:47 PM

Thank you for your help!

ComboFix 09-12-22.09 - Kevin 12/23/2009 11:56:11.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1222 [GMT -6:00]
Running from: c:\documents and settings\Kevin\Desktop\ComFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\Kevin\Desktop\Internet Security 2010.lnk
c:\documents and settings\Kevin\Start Menu\Internet Security 2010.lnk
c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
C:\U.exe
c:\windows\AegisP.inf
c:\windows\system32\2ndrive_setup.exe
c:\windows\system32\41.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\eeecdacedfa.dll
c:\windows\system32\laSTmon.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.

2009-12-18 05:28 . 2009-12-18 05:28 -------- d-----w- c:\program files\iPod
2009-12-18 05:27 . 2009-12-18 05:29 -------- d-----w- c:\program files\iTunes
2009-12-05 19:34 . 2009-12-05 19:34 -------- d-----w- c:\program files\Nowcom
2009-11-28 02:23 . 2009-11-28 02:23 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\Threat Expert
2009-11-28 01:38 . 2009-12-22 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-11-28 01:38 . 2009-11-28 01:38 -------- d-----w- c:\program files\Rosetta Stone
2009-11-25 23:58 . 2009-12-09 21:04 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\xoavyd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 18:16 . 2007-06-05 21:06 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-23 18:16 . 2009-02-13 19:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-23 18:15 . 2009-11-26 00:20 -------- d-----w- c:\program files\Spyware Doctor
2009-12-23 17:39 . 2008-03-16 00:32 -------- d-----w- c:\documents and settings\Kevin\Application Data\uTorrent
2009-12-23 17:27 . 2009-02-02 17:22 -------- d-----w- c:\program files\Norton Security Scan
2009-12-18 05:28 . 2008-01-18 23:20 -------- d-----w- c:\program files\Common Files\Apple
2009-12-18 05:21 . 2009-10-03 04:02 -------- d-----w- c:\program files\QuickTime
2009-12-17 06:50 . 2009-08-16 16:10 -------- d-----w- c:\documents and settings\Kevin\Application Data\DC++
2009-12-12 03:38 . 2007-05-21 03:27 102968 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 21:08 . 2007-06-06 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-05 19:33 . 2009-07-18 00:52 78 -c--a-w- c:\windows\system32\fscagent.ini.tmp
2009-11-28 01:39 . 2008-03-14 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-27 22:12 . 2009-07-03 20:28 644224 ----a-w- c:\windows\system32\NowUpdate.exe
2009-11-26 00:21 . 2009-11-26 00:20 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-26 00:20 . 2009-11-26 00:20 -------- d-----w- c:\documents and settings\Kevin\Application Data\PC Tools
2009-11-26 00:20 . 2009-11-26 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-24 21:03 . 2007-05-21 03:19 -------- d-----w- c:\program files\Microsoft Works
2009-11-21 03:00 . 2009-11-21 02:59 -------- d-----w- c:\documents and settings\Kevin\Application Data\Multi File Downloader
2009-11-21 02:59 . 2009-11-21 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2009-11-21 02:37 . 2009-11-21 02:37 -------- d-----w- c:\program files\Microsoft WSE
2009-11-21 02:03 . 2009-11-21 02:03 -------- d-----w- c:\program files\Electronic Arts
2009-11-21 02:03 . 2006-06-24 04:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 01:56 . 2009-11-21 01:55 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-11-21 01:56 . 2008-03-14 03:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-21 01:55 . 2008-12-13 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-07 21:47 . 2008-03-15 03:21 -------- d-----w- c:\program files\DivX
2009-11-07 21:46 . 2009-05-24 02:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-06 05:07 . 2009-11-06 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco
2009-11-06 05:07 . 2009-11-06 05:07 -------- d-----w- c:\program files\Cisco
2009-10-29 07:46 . 2006-06-22 22:07 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2006-06-22 22:06 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2006-06-22 22:06 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2006-06-22 22:06 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-06-22 22:06 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 07:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-06-22 22:06 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-06-22 22:06 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-06-22 22:06 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-08 17:31 . 2009-11-26 00:20 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 17:31 . 2009-11-26 00:20 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 17:31 . 2009-11-26 00:20 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 17:31 . 2009-11-26 00:20 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-06 22:31 . 2009-11-26 00:20 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-02 20:19 . 2009-11-26 00:20 1152470 ----a-w- c:\windows\UDB.zip
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-12-15 20:01 . 2009-12-10 06:46 119312 ----a-w- c:\program files\mozilla firefox\components\adaafedbb.dll
2007-01-05 20:36 . 2007-06-05 20:12 864768 ----a-w- c:\program files\mozilla firefox\components\pbgk1_8.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-01-05 20:41 2857984 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-01-05 20:41 2857984 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-25 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-26 68296]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-12 794714]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-22 303104]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-01-05 49168]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 89541]
"Gateway Hotkey Software"="c:\windows\mHotKey.exe" [2007-03-08 478720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-09-28 125168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 970752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 185896]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-6-6 1528880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-01-05 20:28 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 18:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Kevin\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\Kevin\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Kevin\\My Documents\\AgilixLog\\Other\\utorrent.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57326:TCP"= 57326:TCP:Pando Media Booster
"57326:UDP"= 57326:UDP:Pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/25/2009 6:20 PM 207280]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/13/2008 9:42 PM 691696]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/25/2009 6:20 PM 112592]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/25/2009 6:20 PM 358600]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [6/17/2009 2:17 PM 434864]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [5/20/2007 9:09 PM 86016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/17/2009 5:07 AM 101936]
R3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [5/20/2007 9:42 PM 10160]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [5/20/2007 9:42 PM 11312]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 fdcecdecacfad;485e905bbf23b1b66b2a4296ba8a0c57;c:\windows\fdcecdecacfad.exe /s --> c:\windows\fdcecdecacfad.exe [?]
S2 NFAgent;NFAgent;c:\program files\system\smss.exe /pid=10180 --> c:\program files\system\smss.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = www3.imsa.edu
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\psff46cr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\adaafedbb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-Free Mp3 Wma Converter_is1 - c:\documents and settings\Kevin\Desktop\Free Audio Pack\unins000.exe
AddRemove-클럽박스 파일잔송겨리자 - c:\windows\system32\clubboxuninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 12:16
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll iaStor.sys sppf.sys >>UNKNOWN [0x8A8B9938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba18cf28
\Driver\ACPI -> ACPI.sys @ 0xb9e74cb8
\Driver\atapi -> atapi.sys @ 0xb9d13b40
\Driver\iaStor -> iaStor.sys @ 0xb9d5afa0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9bc0bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9bafa0d
SendHandler -> NDIS.sys @ 0xb9bc3b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1388)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1448)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'explorer.exe'(4468)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\AGRSMMSG.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Spyware Doctor\Update.exe
.
**************************************************************************
.
Completion time: 2009-12-23 12:26:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-23 18:26
ComboFix2.txt 2009-06-26 02:32

Pre-Run: 1,140,842,496 bytes free
Post-Run: 2,421,039,104 bytes free

- - End Of File - - 0C60178524184A39927BBBF2A212F1CD

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:50 AM

Posted 23 December 2009 - 05:54 PM

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\fdcecdecacfad.exe
c:\program files\system\smss.exe
c:\program files\Mozilla Firefox\components\adaafedbb.dll

Driver::
fdcecdecacfad
NFAgent

Firefox::
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\psff46cr.default\
FF - component: c:\program files\Mozilla Firefox\components\adaafedbb.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#13 kitchen knives

kitchen knives
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:50 AM

Posted 23 December 2009 - 11:01 PM

Here's the latest scan:

ComboFix 09-12-22.09 - Kevin 12/23/2009 20:22:49.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1408 [GMT -6:00]
Running from: c:\documents and settings\Kevin\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\Kevin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\program files\Mozilla Firefox\components\adaafedbb.dll"
"c:\program files\system\smss.exe"
"c:\windows\fdcecdecacfad.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\components\adaafedbb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FDCECDECACFAD
-------\Legacy_NFAGENT
-------\Service_fdcecdecacfad
-------\Service_NFAgent


((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-23 17:49 . 2009-12-23 18:26 -------- d-----w- C:\ComFix
2009-12-18 05:28 . 2009-12-18 05:28 -------- d-----w- c:\program files\iPod
2009-12-18 05:27 . 2009-12-18 05:29 -------- d-----w- c:\program files\iTunes
2009-12-05 19:34 . 2009-12-05 19:34 -------- d-----w- c:\program files\Nowcom
2009-11-28 02:23 . 2009-11-28 02:23 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\Threat Expert
2009-11-28 01:38 . 2009-12-22 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-11-28 01:38 . 2009-11-28 01:38 -------- d-----w- c:\program files\Rosetta Stone
2009-11-25 23:58 . 2009-12-09 21:04 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\xoavyd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 02:45 . 2009-02-13 19:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-24 02:39 . 2007-06-05 21:06 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-24 02:39 . 2009-11-26 00:20 -------- d-----w- c:\program files\Spyware Doctor
2009-12-24 02:15 . 2008-03-16 00:32 -------- d-----w- c:\documents and settings\Kevin\Application Data\uTorrent
2009-12-24 00:00 . 2009-02-02 17:22 -------- d-----w- c:\program files\Norton Security Scan
2009-12-18 05:28 . 2008-01-18 23:20 -------- d-----w- c:\program files\Common Files\Apple
2009-12-18 05:21 . 2009-10-03 04:02 -------- d-----w- c:\program files\QuickTime
2009-12-17 06:50 . 2009-08-16 16:10 -------- d-----w- c:\documents and settings\Kevin\Application Data\DC++
2009-12-12 03:38 . 2007-05-21 03:27 102968 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 21:08 . 2007-06-06 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-05 19:33 . 2009-07-18 00:52 78 -c--a-w- c:\windows\system32\fscagent.ini.tmp
2009-11-28 01:39 . 2008-03-14 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-27 22:12 . 2009-07-03 20:28 644224 ----a-w- c:\windows\system32\NowUpdate.exe
2009-11-26 00:21 . 2009-11-26 00:20 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-26 00:20 . 2009-11-26 00:20 -------- d-----w- c:\documents and settings\Kevin\Application Data\PC Tools
2009-11-26 00:20 . 2009-11-26 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-24 21:03 . 2007-05-21 03:19 -------- d-----w- c:\program files\Microsoft Works
2009-11-21 03:00 . 2009-11-21 02:59 -------- d-----w- c:\documents and settings\Kevin\Application Data\Multi File Downloader
2009-11-21 02:59 . 2009-11-21 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2009-11-21 02:37 . 2009-11-21 02:37 -------- d-----w- c:\program files\Microsoft WSE
2009-11-21 02:03 . 2009-11-21 02:03 -------- d-----w- c:\program files\Electronic Arts
2009-11-21 02:03 . 2006-06-24 04:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 01:56 . 2009-11-21 01:55 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-11-21 01:56 . 2008-03-14 03:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-21 01:55 . 2008-12-13 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-07 21:47 . 2008-03-15 03:21 -------- d-----w- c:\program files\DivX
2009-11-07 21:46 . 2009-05-24 02:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-06 05:07 . 2009-11-06 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco
2009-11-06 05:07 . 2009-11-06 05:07 -------- d-----w- c:\program files\Cisco
2009-10-29 07:46 . 2006-06-22 22:07 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2006-06-22 22:06 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2006-06-22 22:06 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2006-06-22 22:06 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-06-22 22:06 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 07:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-06-22 22:06 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-06-22 22:06 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-06-22 22:06 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-08 17:31 . 2009-11-26 00:20 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 17:31 . 2009-11-26 00:20 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 17:31 . 2009-11-26 00:20 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 17:31 . 2009-11-26 00:20 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-06 22:31 . 2009-11-26 00:20 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-02 20:19 . 2009-11-26 00:20 1152470 ----a-w- c:\windows\UDB.zip
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2007-01-05 20:36 . 2007-06-05 20:12 864768 ----a-w- c:\program files\mozilla firefox\components\pbgk1_8.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-01-05 20:41 2857984 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-01-05 20:41 2857984 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-25 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-26 68296]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-12 794714]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-22 303104]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-01-05 49168]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 89541]
"Gateway Hotkey Software"="c:\windows\mHotKey.exe" [2007-03-08 478720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-09-28 125168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 970752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 185896]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-6-6 1528880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-01-05 20:28 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 18:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Kevin\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\Kevin\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Kevin\\My Documents\\AgilixLog\\Other\\utorrent.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57326:TCP"= 57326:TCP:Pando Media Booster
"57326:UDP"= 57326:UDP:Pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/25/2009 6:20 PM 207280]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/13/2008 9:42 PM 691696]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/25/2009 6:20 PM 112592]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/25/2009 6:20 PM 358600]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [6/17/2009 2:17 PM 434864]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [5/20/2007 9:09 PM 86016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/23/2009 1:12 PM 102448]
R3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [5/20/2007 9:42 PM 10160]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [5/20/2007 9:42 PM 11312]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = www3.imsa.edu
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\psff46cr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 20:50
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1388)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1448)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'explorer.exe'(4916)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\AGRSMMSG.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-23 20:56:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-24 02:55
ComboFix2.txt 2009-12-23 18:26
ComboFix3.txt 2009-06-26 02:32

Pre-Run: 1,151,303,680 bytes free
Post-Run: 994,091,008 bytes free

- - End Of File - - F083D8020EF3A8E42D064D67816CABA5

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 December 2009 - 05:39 AM

There's still some malware showing so we need to run Combofix one more time.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\Kevin\Local Settings\Application Data\xoavyd
c:\windows\system32\fscagent.ini.tmp


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

How is the PC running now?
m0le is a proud member of UNITE

#15 kitchen knives

kitchen knives
  • Topic Starter

  • Members
  • 21 posts

Posted 24 December 2009 - 05:56 PM

My computer is definitely in a better condition than before, as I am able to view this webpage and respond. I was having some trouble with my Google searches being redirected (I've had this problem before, too), but as of right now, I don't think it's happening.

Thank you for all your help so far!

ComboFix 09-12-24.02 - Kevin 12/24/2009 12:29:35.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1209 [GMT -6:00]
Running from: c:\documents and settings\Kevin\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\Kevin\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\documents and settings\Kevin\Local Settings\Application Data\xoavyd"
"c:\windows\system32\fscagent.ini.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fscagent.ini.tmp

.
((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-23 17:49 . 2009-12-23 18:26 -------- d-----w- C:\ComFix
2009-12-18 05:28 . 2009-12-18 05:28 -------- d-----w- c:\program files\iPod
2009-12-18 05:27 . 2009-12-18 05:29 -------- d-----w- c:\program files\iTunes
2009-12-05 19:34 . 2009-12-05 19:34 -------- d-----w- c:\program files\Nowcom
2009-11-28 02:23 . 2009-11-28 02:23 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\Threat Expert
2009-11-28 01:38 . 2009-12-22 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-11-28 01:38 . 2009-11-28 01:38 -------- d-----w- c:\program files\Rosetta Stone
2009-11-25 23:58 . 2009-12-09 21:04 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\xoavyd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 18:38 . 2009-02-13 19:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-24 18:26 . 2007-06-05 21:06 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-24 18:23 . 2009-11-26 00:20 -------- d-----w- c:\program files\Spyware Doctor
2009-12-24 02:15 . 2008-03-16 00:32 -------- d-----w- c:\documents and settings\Kevin\Application Data\uTorrent
2009-12-24 00:00 . 2009-02-02 17:22 -------- d-----w- c:\program files\Norton Security Scan
2009-12-18 05:28 . 2008-01-18 23:20 -------- d-----w- c:\program files\Common Files\Apple
2009-12-18 05:21 . 2009-10-03 04:02 -------- d-----w- c:\program files\QuickTime
2009-12-17 06:50 . 2009-08-16 16:10 -------- d-----w- c:\documents and settings\Kevin\Application Data\DC++
2009-12-12 03:38 . 2007-05-21 03:27 102968 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 21:08 . 2007-06-06 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-28 01:39 . 2008-03-14 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-27 22:12 . 2009-07-03 20:28 644224 ----a-w- c:\windows\system32\NowUpdate.exe
2009-11-26 00:21 . 2009-11-26 00:20 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-26 00:20 . 2009-11-26 00:20 -------- d-----w- c:\documents and settings\Kevin\Application Data\PC Tools
2009-11-26 00:20 . 2009-11-26 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-24 21:03 . 2007-05-21 03:19 -------- d-----w- c:\program files\Microsoft Works
2009-11-21 03:00 . 2009-11-21 02:59 -------- d-----w- c:\documents and settings\Kevin\Application Data\Multi File Downloader
2009-11-21 02:59 . 2009-11-21 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2009-11-21 02:37 . 2009-11-21 02:37 10134 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-11-21 02:37 . 2009-11-21 02:37 -------- d-----w- c:\program files\Microsoft WSE
2009-11-21 02:03 . 2009-11-21 02:03 -------- d-----w- c:\program files\Electronic Arts
2009-11-21 02:03 . 2006-06-24 04:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 01:56 . 2009-11-21 01:55 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-11-21 01:56 . 2008-03-14 03:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-21 01:55 . 2008-12-13 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-07 21:47 . 2008-03-15 03:21 -------- d-----w- c:\program files\DivX
2009-11-07 21:46 . 2009-05-24 02:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-06 05:07 . 2009-11-06 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco
2009-11-06 05:07 . 2009-11-06 05:07 -------- d-----w- c:\program files\Cisco
2009-10-29 07:46 . 2006-06-22 22:07 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2006-06-22 22:06 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2006-06-22 22:06 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2006-06-22 22:06 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-06-22 22:06 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 07:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-06-22 22:06 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-06-22 22:06 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-06-22 22:06 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-08 17:31 . 2009-11-26 00:20 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 17:31 . 2009-11-26 00:20 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 17:31 . 2009-11-26 00:20 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 17:31 . 2009-11-26 00:20 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-06 22:31 . 2009-11-26 00:20 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-02 20:19 . 2009-11-26 00:20 1152470 ----a-w- c:\windows\UDB.zip
2007-01-05 20:36 . 2007-06-05 20:12 864768 ----a-w- c:\program files\mozilla firefox\components\pbgk1_8.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-01-05 20:41 2857984 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-01-05 20:41 2857984 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-25 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-26 68296]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-12 794714]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-22 303104]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-01-05 49168]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 89541]
"Gateway Hotkey Software"="c:\windows\mHotKey.exe" [2007-03-08 478720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-09-28 125168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 970752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 185896]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-6-6 1528880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-01-05 20:28 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 18:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Kevin\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\Kevin\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Kevin\\My Documents\\AgilixLog\\Other\\utorrent.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57326:TCP"= 57326:TCP:Pando Media Booster
"57326:UDP"= 57326:UDP:Pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/25/2009 6:20 PM 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/25/2009 6:20 PM 112592]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/25/2009 6:20 PM 358600]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [6/17/2009 2:17 PM 434864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/23/2009 1:12 PM 102448]
R3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [5/20/2007 9:42 PM 10160]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [5/20/2007 9:42 PM 11312]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/13/2008 9:42 PM 691696]
S2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [5/20/2007 9:09 PM 86016]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10910
*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = www3.imsa.edu
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\psff46cr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 12:43
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1368)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1424)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2009-12-24 12:47:52
ComboFix-quarantined-files.txt 2009-12-24 18:47
ComboFix2.txt 2009-12-24 02:56
ComboFix3.txt 2009-12-23 18:26
ComboFix4.txt 2009-06-26 02:32

Pre-Run: 993,316,864 bytes free
Post-Run: 954,511,360 bytes free

- - End Of File - - E359595763DBCC64A1EB5BD7D5F0772A

Malwarebytes' Anti-Malware 1.42
Database version: 3425
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/24/2009 4:38:24 PM
mbam-log-2009-12-24 (16-38-24).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 415692
Time elapsed: 3 hour(s), 14 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\U.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\IS2010.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper86.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon86.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP128\A0218719.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP128\A0218725.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP128\A0219723.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP128\A0219901.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP128\A0219895.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP128\A0219896.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP128\A0219902.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
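Added here as a worked example (not MBAM's or ComboFix's own code, and not part of the thread): a small Python triage of the MBAM 1.42 log format posted above. It reads the "Files Infected" section and groups each hit by where the file lived, so that hits inside ComboFix's own quarantine folder (C:\Qoobox\Quarantine, the .vir files) and inside old System Restore points are separated from files that were still live on the disk, which is what actually signals an active infection. The sample log is constructed: three lines are taken from the posted log and one live-file line is made up for illustration.

```python
"""Triage of a Malwarebytes' Anti-Malware (MBAM 1.42) log of the kind posted above.

Hypothetical helper, not MBAM's or ComboFix's code. Each "Files Infected" hit is
bucketed by origin:
  - C:\\Qoobox\\Quarantine\\...             already quarantined by ComboFix (.vir copies)
  - ...\\System Volume Information\\_restore{...}   old System Restore point copies
  - anything else                           a file that was still live on the system
Only the last bucket points at a still-active infection.
"""
import re
from collections import Counter

# One detection line looks like:  <path> (<detection name>) -> <action taken>.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
# The summary block near the top of the log declares how many files were hit.
SUMMARY_RE = re.compile(r"^Files Infected: (?P<count>\d+)$")

# Constructed sample in the shape of the posted log: three lines copied from the
# thread's MBAM log plus one made-up "live" file line (the last one) for contrast.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.42
Database version: 3425

Files Infected: 4

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\U.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper86.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP128\A0218719.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\constructed_live_sample.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def classify_location(path: str) -> str:
    """Bucket a detection path by the part of the disk it came from."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix_quarantine"
    if "\\system volume information\\_restore{" in p:
        return "restore_point"
    return "live"


def parse_mbam_log(text: str) -> dict:
    """Return {'declared': N or None, 'entries': [ {path, detection, action, location}, ... ]}.

    'declared' is the count from the "Files Infected: N" summary line; 'entries'
    are the parsed lines under the later "Files Infected:" section header.
    """
    declared = None
    entries = []
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            declared = int(m.group("count"))
            continue
        if line == "Files Infected:":
            in_files = True
            continue
        if not in_files:
            continue
        if not line:          # a blank line closes the section
            in_files = False
            continue
        m = ENTRY_RE.match(line)
        if m:                 # "(No malicious items detected)" simply does not match
            entries.append({
                "path": m.group("path"),
                "detection": m.group("detection"),
                "action": m.group("action"),
                "location": classify_location(m.group("path")),
            })
    return {"declared": declared, "entries": entries}


def triage(parsed: dict) -> dict:
    """Summarise hits per location and per detection name, list any live files,
    and check that the parsed entry count matches what the log declared."""
    entries = parsed["entries"]
    return {
        "by_location": dict(Counter(e["location"] for e in entries)),
        "by_detection": dict(Counter(e["detection"] for e in entries)),
        "live_paths": [e["path"] for e in entries if e["location"] == "live"],
        "count_matches_declared": parsed["declared"] == len(entries),
    }


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    print(result["by_location"])   # {'combofix_quarantine': 2, 'restore_point': 1, 'live': 1}
    print(result["live_paths"])    # only the constructed live sample path
```

Run against the full log posted above, every one of the 11 hits lands in the quarantine or restore-point buckets and the live list is empty, which is the reading a helper wants before declaring the machine clean.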
