Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ccapp.exe working Overtime - Emailer virus


  • This topic is locked This topic is locked
4 replies to this topic

#1 jetfl

jetfl

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 04 January 2010 - 07:13 PM

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/9/2007 12:46:26 PM
System Uptime: 1/4/2010 6:25:28 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5KC
Processor: Intel® Core™2 Duo CPU E6750 @ 2.66GHz | LGA775 | 2671/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 140 GiB total, 31.866 GiB free.
D: is FIXED (NTFS) - 932 GiB total, 898.597 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&1400782C&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&1400782C&0
Service: i8042prt

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

32 Bit HP CIO Components Installer
AAC Decoder
ABBYY FineReader 8.0 Professional Edition
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe Acrobat 8.1.7 - CPSID_50029
Adobe Acrobat 8.1.7 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Third Party Content
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Setup
Adobe Shockwave Player 11
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AI Suite
Alien Skin Eye Candy 5 Impact
Alien Skin Image Doctor
AMP Font Viewer
Apple Software Update
Attansic Ethernet Utility
Attansic L1 Gigabit Ethernet Driver
AutoUpdate
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Crystal Reports Basic for Visual Studio 2008
Crystal Reports XI Release 2 .NET 2005 Server
CuteFTP 8 Professional
Google Chrome Frame
Google Talk (remove only)
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB946581)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP LaserJet P2030 Series
IE7Pro
imov
Java 2 Runtime Environment, SE v1.4.2_13
Java™ 6 Update 3
LiveUpdate 2.6 (Symantec Corporation)
Logitech QuickCam
Logitech QuickCam Driver Package
Microsoft-tillägget Spara som PDF eller XPS för Microsoft Office 2007-program
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Device Emulator version 3.0 - ENU
Microsoft Document Explorer 2008
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer MUI (English) 2007
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2000 Sample Database Scripts
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Express Edition (TRACKIT80)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Database Publishing Wizard 1.2
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2008 Professional Edition - ENU
Microsoft Visual Studio Web Authoring Component
Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
Microsoft Windows SDK for Visual Studio 2008 Tools
Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
Microsoft WSE 3.0 Runtime
MKV Splitter
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
MVision
Nero 7 Ultra Edition
NewsBin Pro
Numara Remote Control Guest
NVIDIA Drivers
NVIDIA nTune
PC Probe II
PDF Settings
Pen Tablet
Photosynth 2.0.1519.13
Picasa 2
Picasa 3
QuickTime
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB936509)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for Publisher 2007 (KB936646)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Software Update for Web Folders
Sothink SWF Decompiler
SpeechRedist
Spell Checker Add-in for Visual Studio 2008
Spell Checker For OE 2.1
Spybot - Search & Destroy
Steam
StuffIt 11
StuffIt Expander
Swift 3D v4.50
SWiSH Max2
Symantec AntiVirus
Tag&Rename 3.2
TCPMP
Tweak UI
UltraVNC 1.0.5
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Outlook 2007 (KB937608)
Update for Outlook 2007 Junk Email Filter (kb942575)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Word 2007 (KB934173)
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6i
Virtual Earth 3D (Beta)
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio Tools for the Office system 3.0 Runtime
Windows Defender
Windows Driver Package - SafeNet, Inc. (SNTNLUSB) USB (03/09/2006 7.3.0.0)
Windows Easy Transfer
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile 5.0 SDK R2 for Pocket PC
Windows Mobile 5.0 SDK R2 for Smartphone
Windows Presentation Foundation
Windows Resource Kit Tools
Windows XP Service Pack 3
WinMerge 2.6.14.0
WinMount V3.2.0804
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
ZoneAlarm Pro

==== Event Viewer Messages From Past Week ========

1/4/2010 6:07:14 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
1/4/2010 6:07:14 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
1/3/2010 8:24:40 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
1/3/2010 3:08:00 PM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
1/3/2010 12:37:39 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
1/2/2010 11:19:34 PM, error: Service Control Manager [7000] - The 61883 Unit Device service failed to start due to the following error: A device attached to the system is not functioning.
1/1/2010 1:57:03 PM, error: Service Control Manager [7024] - The SQL Server (SQLEXPRESS) service terminated with service-specific error 3417 (0xD59).

==== End Of File ===========================

Edited by jetfl, 04 January 2010 - 10:53 PM.


BC AdBot (Login to Remove)

 


#2 jetfl

jetfl
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 04 January 2010 - 07:40 PM

Hijack this log - O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.4.cab - Possible issue

Edited by jetfl, 04 January 2010 - 10:52 PM.


#3 jetfl

jetfl
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 04 January 2010 - 09:16 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-04 21:06:13
Windows 5.1.2600 Service Pack 3
Running: 61qczbk2.exe; Driver: C:\DOCUME~1\JET\LOCALS~1\Temp\kgrorpoc.sys


---- System - GMER 1.0.15 ----

SSDT 88FF5470 ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xB61C4870] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xB61C4EF0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xB61D0A80] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xB61C4D40] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xB61D11F0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xB61D0D70] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xB61D1020] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xB61C5060] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D7FCE] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FCE] ZwCreateKey [0x804D7FCE] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x804D7FD8] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FD8] ZwDeleteKey [0x804D7FD8] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x804D7FC9] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FC9] ZwDeleteValueKey [0x804D7FC9] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D7FDD] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FDD] ZwEnumerateKey [0x804D7FDD] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D7FE2] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FE2] ZwEnumerateValueKey [0x804D7FE2] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D7FF1] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FF1] ZwOpenKey [0x804D7FF1] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x804D7FEC] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FEC] ZwQueryKey [0x804D7FEC] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x804D7FE7] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FE7] ZwQueryValueKey [0x804D7FE7] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x804D7FD3] <-- ROOTKIT !!!
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FD3] ZwSetValueKey [0x804D7FD3] <-- ROOTKIT !!!

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D7FFB

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B12B0E0

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Disk \Device\Harddisk1\DR1 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pdwrejt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\CurrentControlSet\Services\pdwrejt@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\pdwrejt@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pdwrejt@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pdwrejt@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\DS\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\LSA\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\NetDDE Object\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\SC Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security Account Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Spooler\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\ControlSet005\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\ControlSet005\Services\pdwrejt@Type 1
Reg HKLM\SYSTEM\ControlSet005\Services\pdwrejt@Start 0
Reg HKLM\SYSTEM\ControlSet005\Services\pdwrejt@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\pdwrejt@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0DE336A57D5E56D4BAD835DE34152048\Usage@SAVUI 1008997039

---- EOF - GMER 1.0.15 ----

GMER - Appears to have resolved the issue.

Edited by jetfl, 04 January 2010 - 10:55 PM.


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:42 PM

Posted 12 January 2010 - 08:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:42 PM

Posted 17 January 2010 - 02:11 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users