ComboFix But Still Malware

3 replies to this topic

#1 killerderk

Posted 09 January 2010 - 07:36 PM

Here is the log that it gave me.


|********************ComboFix Log***************************|
ComboFix 10-01-04.01 - Owner 01/09/2010 17:15:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1704 [GMT -8:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Templates\info.tmp
c:\program files\BitDefender\BitDefender Online Backup\ntSVc.ocx
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Downloaded Program Files\poPCaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\patchw.dll
c:\windows\system32\dovamewo.dll
c:\windows\system32\gjxym2.dll
c:\windows\system32\IS15.exe
c:\windows\system32\notabage.dll
c:\windows\system32\SIntf16.dll
c:\windows\system32\wasoteba.dll
c:\windows\system32\WORK.DAT
c:\windows\system32\yivilaje.dll
c:\windows\Tasks\jaqpvmve.job

----- BITS: Possible infected sites -----

hxxp://85.12.18.119
.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.

2010-01-10 00:54 . 2010-01-10 01:04 -------- d-----w- c:\documents and settings\HelpAssistant
2010-01-10 00:46 . 2010-01-10 00:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Opera
2010-01-10 00:46 . 2010-01-10 00:46 -------- d-----w- c:\program files\Opera
2010-01-09 21:33 . 2010-01-09 21:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-09 21:33 . 2010-01-09 21:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 21:33 . 2010-01-09 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-09 15:58 . 2010-01-09 15:58 -------- d-----w- c:\program files\Common Files\VMware
2010-01-09 07:30 . 2010-01-09 07:30 -------- d-----w- c:\program files\Intel
2010-01-09 07:11 . 2010-01-09 07:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitDefender
2010-01-09 04:37 . 2010-01-09 04:37 93184 --sh--w- c:\windows\system32\gidobedi.dll
2010-01-09 04:32 . 2010-01-09 04:32 -------- d-sh--w- c:\documents and settings\Owner\.COMMgr
2010-01-09 04:32 . 2010-01-09 04:32 33792 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-09 04:32 . 2010-01-09 04:32 33792 ----a-w- c:\windows\system32\smss32.exe
2010-01-09 04:32 . 2010-01-09 04:32 52224 ----a-w- C:\eddc.exe
2010-01-09 04:32 . 2010-01-09 04:32 33792 ----a-w- C:\ifbsexlt.exe
2010-01-09 03:45 . 2010-01-09 04:56 -------- d-----w- c:\documents and settings\Owner\Application Data\VMware
2010-01-09 03:41 . 2009-10-22 12:59 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2010-01-09 03:41 . 2009-10-22 13:00 395824 ----a-w- c:\windows\system32\vmnat.exe
2010-01-09 03:41 . 2010-01-09 15:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-01-09 03:38 . 2010-01-09 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-01-09 02:16 . 2010-01-09 02:16 -------- d-----w- c:\program files\Speccy
2010-01-08 01:53 . 2010-01-08 01:53 -------- d--h--w- c:\windows\PIF
2010-01-07 23:22 . 2010-01-07 23:22 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-01-07 23:22 . 2010-01-07 23:22 16 ----a-w- c:\windows\system32\asdict.dat
2010-01-07 23:17 . 2010-01-09 07:01 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-07 23:11 . 2010-01-07 23:11 -------- d-----w- c:\documents and settings\Owner\Application Data\BitDefender
2010-01-07 23:11 . 2010-01-07 23:11 -------- d-----w- C:\Binaries
2010-01-07 23:10 . 2010-01-10 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-07 23:10 . 2010-01-07 23:11 -------- d-----w- c:\program files\BitDefender
2010-01-07 23:10 . 2010-01-07 23:10 -------- d-----w- c:\program files\Common Files\BitDefender
2010-01-07 23:08 . 2010-01-07 23:08 64814 ----a-w- C:\BdUninstallTool2010.01.07-03.08.04.reg
2010-01-07 22:46 . 2010-01-07 22:46 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-07 22:46 . 2010-01-07 22:46 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-07 22:46 . 2010-01-07 22:46 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-07 22:46 . 2010-01-07 22:46 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-07 22:46 . 2010-01-07 22:46 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-07 22:46 . 2010-01-07 22:46 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-07 04:37 . 2010-01-09 07:46 -------- d-----w- c:\program files\nLite
2009-12-31 18:53 . 2009-12-31 18:53 -------- d-----w- c:\program files\Common Files\Apple
2009-12-31 18:52 . 2009-12-31 18:53 -------- d-----w- c:\program files\QuickTime
2009-12-31 18:52 . 2009-12-31 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-30 18:30 . 2009-12-30 18:30 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2009-12-30 01:12 . 2009-12-30 01:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Prism
2009-12-30 01:12 . 2009-12-30 01:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Prism
2009-12-30 01:12 . 2009-12-30 01:21 -------- d-----w- c:\documents and settings\Owner\Application Data\WebApps
2009-12-29 09:55 . 2010-01-10 01:24 0 ---ha-w- c:\documents and settings\Owner\jwindows.dll
2009-12-26 22:00 . 2009-12-26 22:00 -------- d-----w- c:\program files\Valve
2009-12-26 20:16 . 2009-12-11 06:17 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-12-26 20:16 . 2009-12-11 06:17 11381352 ----a-w- c:\windows\system32\nvcompiler.dll
2009-12-12 07:18 . 2009-12-12 07:18 -------- d-----w- c:\program files\Microprose
2009-12-11 08:28 . 2009-12-11 08:28 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-12-11 08:28 . 2009-12-11 08:28 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-12-11 08:28 . 2009-12-11 08:28 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-12-11 08:28 . 2009-12-11 08:28 12669544 ------w- c:\windows\system32\nvcpl.dll
2009-12-11 08:28 . 2009-12-11 08:28 110184 ------w- c:\windows\system32\nvmctray.dll
2009-12-11 08:28 . 2009-12-11 08:28 81920 ----a-w- c:\windows\system32\nvwddi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 01:24 . 2010-01-10 01:24 1020928 ----a-w- c:\windows\system32\IS15.exe
2010-01-10 01:24 . 2010-01-10 01:24 17920 ----a-w- c:\windows\system32\helper32.dll
2010-01-10 00:55 . 2009-08-20 14:29 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-01-09 07:30 . 2009-08-14 23:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-08 18:00 . 2009-11-16 02:01 -------- d-----w- c:\program files\Steam
2010-01-08 00:00 . 2009-08-23 03:52 0 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2010-01-05 06:38 . 2009-09-02 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-01-03 21:40 . 2009-08-20 05:51 34392 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-20 05:32 . 2009-08-20 06:48 -------- d-----w- c:\program files\World of Warcraft
2009-12-11 06:17 . 2009-08-20 15:19 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-12-11 06:17 . 2009-08-20 15:19 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-12-11 06:17 . 2009-08-20 15:19 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-12-11 06:17 . 2009-08-20 15:19 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-12-11 06:17 . 2009-08-14 23:55 592488 -c--a-w- c:\windows\system32\nvudisp.exe
2009-12-11 06:17 . 2009-07-29 17:00 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-12-11 06:17 . 2009-07-29 17:00 219752 ----a-w- c:\windows\system32\nvcodins.dll
2009-12-11 06:17 . 2009-07-29 17:00 219752 ----a-w- c:\windows\system32\nvcod.dll
2009-12-11 06:17 . 2009-07-29 17:00 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-12-11 06:17 . 2009-07-29 17:00 10236288 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-12-11 06:17 . 2009-07-29 17:00 6283520 ----a-w- c:\windows\system32\nv4_disp.dll
2009-12-10 22:57 . 2009-08-14 23:52 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-12-08 02:49 . 2009-12-08 02:49 105736 ----a-w- c:\windows\system32\drivers\bdhv.sys
2009-12-08 02:46 . 2009-12-08 02:46 152456 ----a-w- c:\windows\system32\drivers\bdfm.sys
2009-12-05 06:19 . 2009-09-01 00:42 -------- d-----w- c:\program files\MediaMonkey
2009-12-05 04:23 . 2009-12-02 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-12-05 00:38 . 2009-12-05 00:38 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-04 22:14 . 2009-12-04 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-12-02 05:19 . 2009-12-02 05:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-12-02 05:18 . 2009-12-02 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-02 05:18 . 2009-12-02 05:17 -------- d-----w- c:\program files\Yahoo!
2009-11-24 22:50 . 2009-11-24 22:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Atari
2009-11-24 22:47 . 2009-11-24 22:45 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-24 22:36 . 2009-10-31 20:59 -------- d-----w- c:\program files\MagicISO
2009-11-24 22:23 . 2009-11-24 22:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2009-11-24 22:19 . 2009-11-24 22:19 -------- d-----w- c:\program files\Atari
2009-11-24 03:08 . 2009-08-20 09:12 -------- d-----w- c:\program files\AVG
2009-11-24 03:01 . 2009-11-04 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-18 06:45 . 2009-08-20 06:53 -------- d-----w- c:\program files\EA GAMES
2009-11-13 03:51 . 2009-11-13 03:51 -------- d-----w- c:\program files\Audacity
2009-11-11 03:30 . 2009-10-29 08:06 -------- d-----w- c:\program files\Crazy Machines II
2009-10-29 08:07 . 2009-10-29 08:07 278984 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-10-29 08:07 . 2009-10-29 08:07 25416 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-10-29 08:06 . 2009-10-29 08:06 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-29 08:06 . 2009-10-29 08:06 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-29 07:45 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-24 08:54 . 2009-10-24 08:54 128 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2009-10-22 13:00 . 2009-10-22 13:00 853936 ----a-w- c:\windows\system32\drivers\vmx86.sys
2009-10-22 13:00 . 2009-10-22 13:00 70704 ----a-w- c:\windows\system32\drivers\vmci.sys
2009-10-22 11:22 . 2009-10-22 11:22 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 00:04 . 2009-10-20 00:04 110984 ----a-w- c:\windows\system32\drivers\bdfndisf.sys
2009-10-19 21:35 . 2010-01-10 01:03 38 ----a-w- c:\documents and settings\HelpAssistant\jagex_runescape_preferences.dat
2009-10-19 21:35 . 2009-08-20 15:30 38 -c--a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-10-19 20:45 . 2010-01-10 01:03 45 ----a-w- c:\documents and settings\HelpAssistant\jagex_runescape_preferences2.dat
2009-10-19 20:45 . 2009-09-05 01:22 45 -c--a-w- c:\documents and settings\Owner\jagex_runescape_preferences2.dat
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 22:33 . 2009-10-12 22:33 64960 ----a-w- c:\windows\system32\drivers\stcp2v30.sys
2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-20 02:59 . 2010-01-07 23:15 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\difodime.dll
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\fohomugu.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\kajepajo.dll
1601-01-01 00:03 . 1601-01-01 00:03 45568 --sha-w- c:\windows\system32\norupeze.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\telemize.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\yumaluso.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40f846ac-1bbb-4314-bc51-fc15e079e669}]
1601-01-01 00:03 53248 --sha-w- c:\windows\system32\fohomugu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-23 289072]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Windows Runtime"="c:\documents and settings\Owner\javar.jar" [2009-12-29 25939]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-11-30 188448]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-13 17531392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-20 149280]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-11 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-12-11 110184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-20 71152]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2009-12-05 1118144]
"smss32.exe"="c:\windows\system32\smss32.exe" [2010-01-09 33792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AdobeUpdate.jar [2009-10-22 57391]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-23 00:05 81920 -c--a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ------w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-10-23 00:09 289072 ------w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58738:TCP"= 58738:TCP:Pando Media Booster
"58738:UDP"= 58738:UDP:Pando Media Booster
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8/19/2009 9:42 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8/19/2009 9:42 PM 5248]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 152456]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/14/2009 3:56 PM 1684736]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva281;XDva281;\??\c:\windows\system32\XDva281.sys --> c:\windows\system32\XDva281.sys [?]
S3 XDva317;XDva317;\??\c:\windows\system32\XDva317.sys --> c:\windows\system32\XDva317.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
TCP: {6B964F47-F814-4BD0-885A-7F4FFB5DB5C2} = 193.104.110.38,4.2.2.1
TCP: {E31A52AD-AA7F-43F7-B92E-3EA80E791895} = 193.104.110.38,4.2.2.1
TCP: {F094BEED-7E6A-4C7A-9631-14E81739638E} = 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\phznl3x3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\phznl3x3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\phznl3x3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\phznl3x3.default\extensions\refractor@developer.mozilla.org\components\prism.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-dakiweluh - c:\windows\system32\notabage.dll
HKLM-Run-fiyoteponu - wasoteba.dll
SharedTaskScheduler-{c4098f18-9ee0-439d-8928-6adb47da9479} - c:\windows\system32\notabage.dll
SSODL-niwovadip-{c4098f18-9ee0-439d-8928-6adb47da9479} - c:\windows\system32\notabage.dll
AddRemove-Cross Fire_is1 - c:\documents and settings\Owner\Desktop\My Folder DONT DELETE\unins000.exe
AddRemove-FamilyFeudOnlineParty - c:\program files\iWin\FamilyFeudOnlineParty\Uninstall.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-09 17:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Owner\LOCALS~1\Temp\hsperfdata_Owner\1396 65536 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS >>UNKNOWN [0x8A375918]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7f59cb8
\Driver\atapi -> 0x89f98a00
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7d80bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7d8da21
SendHandler -> NDIS.sys @ 0xb7d6b87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x025429800
malicious code @ sector 0x025429803 !
PE file found in sector at 0x025429819 !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallTS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_ts=\"0\" />"
"Device"="yM29zbvPzMnLvrm+x8fPzce+zro="
DUMPHIVE0.003 (REGF)

[HKEY_USERS\S-1-5-21-515967899-1644491937-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9DE0113D-C1C4-35A2-BF31-6A2460DFE8B1}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-515967899-1644491937-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:3f,81,06,57,5b,bf,f9,73,d1,99,bc,77,ee,2b,18,d6,d3,df,da,9b,7d,
a1,34,16,60,60,79,e1,78,82,b8,38,28,a7,ad,07,77,8e,d4,ce,3c,a2,39,cb,d2,51,\
"rkeysecu"=hex:3c,0a,ec,94,24,8b,ff,de,02,00,b6,b5,c1,36,fa,76
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(248)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\Java\jre6\bin\java.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-01-09 17:32:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-10 01:32

Pre-Run: 241,774,718,976 bytes free
Post-Run: 241,797,115,904 bytes free

- - End Of File - - 6F8010CDCD3E0D571CA0B183903C38B8


|*************************DDS Log****************************************|


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 22:31:40.67 on Sat 01/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1054 [GMT -8:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2010\uiscan.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {40f846ac-1bbb-4314-bc51-fc15e079e669} - fohomugu.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Windows Runtime] "c:\documents and settings\owner\javar.jar"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [fiyoteponu] Rundll32.exe "wasoteba.dll",s
mRun: [dakiweluh] Rundll32.exe "c:\windows\system32\jetebusu.dll",a
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\AdobeUpdate.jar
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {6B964F47-F814-4BD0-885A-7F4FFB5DB5C2} = 193.104.110.38,4.2.2.1
TCP: {E31A52AD-AA7F-43F7-B92E-3EA80E791895} = 193.104.110.38,4.2.2.1
TCP: {F094BEED-7E6A-4C7A-9631-14E81739638E} = 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: genupabav - {0a516952-3a6e-4587-9599-eac3d04c955e} - c:\windows\system32\jetebusu.dll
STS: mujuzedij: {0a516952-3a6e-4587-9599-eac3d04c955e} - c:\windows\system32\jetebusu.dll
LSA: Notification Packages = scecli yivilaje.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\phznl3x3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\phznl3x3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\phznl3x3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\phznl3x3.default\extensions\refractor@developer.mozilla.org\components\prism.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-8-19 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-8-19 5248]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-12-7 152456]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-14 1684736]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva281;XDva281;\??\c:\windows\system32\xdva281.sys --> c:\windows\system32\XDva281.sys [?]
S3 XDva317;XDva317;\??\c:\windows\system32\xdva317.sys --> c:\windows\system32\XDva317.sys [?]

=============== Created Last 30 ================

2010-01-10 01:45:55 0 d-----w- C:\ComboFix
2010-01-10 01:24:48 1020928 ----a-w- c:\windows\system32\IS15.exe
2010-01-10 01:09:41 0 d-sha-r- C:\cmdcons
2010-01-10 01:09:03 98816 ----a-w- c:\windows\sed.exe
2010-01-10 01:09:03 77312 ----a-w- c:\windows\MBR.exe
2010-01-10 01:09:03 261632 ----a-w- c:\windows\PEV.exe
2010-01-10 01:09:03 161792 ----a-w- c:\windows\SWREG.exe
2010-01-09 21:33:07 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-01-09 21:33:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 21:33:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-09 15:58:33 0 d-----w- c:\program files\common files\VMware
2010-01-09 06:46:46 2931 ----a-w- c:\windows\system32\warning.html
2010-01-09 05:55:35 53136 ----a-w- c:\windows\system32\PxSecure.dll-11469406
2010-01-09 05:55:27 48 ----a-w- c:\windows\wininit.ini
2010-01-09 04:37:37 93184 --sh--w- c:\windows\system32\gidobedi.dll
2010-01-09 04:32:25 0 d-sh--w- c:\documents and settings\owner\.COMMgr
2010-01-09 04:32:20 33792 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-09 04:32:20 33792 ----a-w- c:\windows\system32\smss32.exe
2010-01-09 04:32:08 33792 ----a-w- C:\ifbsexlt.exe
2010-01-09 03:41:41 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2010-01-09 03:41:37 395824 ----a-w- c:\windows\system32\vmnat.exe
2010-01-09 03:41:01 1024 ----a-w- C:\.rnd
2010-01-09 02:16:23 0 d-----w- c:\program files\Speccy
2010-01-08 22:37:19 376 ----a-w- c:\documents and settings\owner\Application Dataprivacy.xml
2010-01-08 22:37:17 385 ----a-w- c:\windows\system32\user_gensett.xml
2010-01-08 09:49:48 385 ----a-w- c:\documents and settings\owner\Application Datauser_gensett.xml
2010-01-08 01:53:38 0 d--h--w- c:\windows\PIF
2010-01-07 23:22:43 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-01-07 23:22:43 16 ----a-w- c:\windows\system32\asdict.dat
2010-01-07 23:17:38 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-07 23:11:21 0 d-----w- c:\docume~1\owner\applic~1\BitDefender
2010-01-07 23:11:08 0 d-----w- C:\Binaries
2010-01-07 23:10:49 0 d-----w- c:\program files\BitDefender
2010-01-07 23:10:49 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-01-07 23:10:01 0 d-----w- c:\program files\common files\BitDefender
2010-01-07 23:08:04 64814 ----a-w- C:\BdUninstallTool2010.01.07-03.08.04.reg
2010-01-07 04:37:09 0 d-----w- c:\program files\nLite
2010-01-07 04:11:20 0 d-----w- c:\windows\setup.pss
2009-12-30 01:12:52 0 d-----w- c:\docume~1\owner\applic~1\Prism
2009-12-30 01:12:48 0 d-----w- c:\docume~1\owner\applic~1\WebApps
2009-12-29 09:55:23 25939 ---h--w- c:\documents and settings\owner\javar.jar
2009-12-29 09:55:23 0 ---ha-w- c:\documents and settings\owner\jwindows.dll
2009-12-26 22:00:52 0 d-----w- c:\program files\Valve
2009-12-26 20:16:50 9046 ----a-w- c:\windows\system32\nvinfo.pb
2009-12-26 20:16:50 69632 ----a-w- c:\windows\system32\OpenCL.dll
2009-12-26 20:16:48 11381352 ----a-w- c:\windows\system32\nvcompiler.dll
2009-12-12 07:18:15 0 d-----w- c:\program files\Microprose
2009-12-11 08:28:42 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-12-11 08:28:42 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-12-11 08:28:42 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-12-11 08:28:42 12669544 ------w- c:\windows\system32\nvcpl.dll
2009-12-11 08:28:42 110184 ------w- c:\windows\system32\nvmctray.dll
2009-12-11 08:28:32 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-12-11 08:28:04 64882 ----a-w- c:\windows\system32\NvwsApps.xml
2009-12-11 08:28:04 275145 ----a-w- c:\windows\system32\NvApps.xml

==================== Find3M ====================

2009-12-11 06:17:14 6283520 ----a-w- c:\windows\system32\nv4_disp.dll
2009-12-11 06:17:14 592488 -c--a-w- c:\windows\system32\nvudisp.exe
2009-12-11 06:17:14 4038656 ----a-w- c:\windows\system32\nvcuda.dll
2009-12-11 06:17:14 2293286 ----a-w- c:\windows\system32\nvdata.bin
2009-12-11 06:17:14 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2009-12-11 06:17:14 219752 ----a-w- c:\windows\system32\nvcodins.dll
2009-12-11 06:17:14 219752 ----a-w- c:\windows\system32\nvcod.dll
2009-12-11 06:17:14 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-12-11 06:17:14 13602816 ----a-w- c:\windows\system32\nvoglnt.dll
2009-12-11 06:17:14 1056768 ----a-w- c:\windows\system32\nvapi.dll
2009-12-11 06:17:14 10236288 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-12-10 22:57:02 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-12-08 02:49:08 105736 ----a-w- c:\windows\system32\drivers\bdhv.sys
2009-12-08 02:46:28 152456 ----a-w- c:\windows\system32\drivers\bdfm.sys
2009-11-25 23:45:54 353996 ----a-w- c:\windows\fonts\MAKEM___.ttf
2009-11-24 22:47:14 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-15 19:37:34 516096 ----a-w- c:\windows\fonts\BEYONDSKTRIAL.ttf
2009-10-29 08:06:07 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-29 08:06:07 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-25 21:55:58 485516 ----a-w- c:\windows\fonts\Andalusian Trial.ttf
2009-10-22 23:54:50 82056 ----a-w- c:\windows\fonts\LLCOOPER.TTF
2009-10-22 11:22:38 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-19 21:35:58 38 -c--a-w- c:\documents and settings\owner\jagex_runescape_preferences.dat
2009-10-19 20:45:14 45 -c--a-w- c:\documents and settings\owner\jagex_runescape_preferences2.dat
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
1601-01-01 00:03:28 53248 --sha-w- c:\windows\system32\difodime.dll
1601-01-01 00:03:52 53248 --sha-w- c:\windows\system32\fohomugu.dll
1601-01-01 00:03:28 93184 --sha-w- c:\windows\system32\jetebusu.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\kajepajo.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\lewabenu.dll
1601-01-01 00:03:28 45568 --sha-w- c:\windows\system32\norupeze.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\telemize.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\yiriyidi.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\yumaluso.dll

============= FINISH: 22:32:12.56 ===============


|***********************RootRepeal Log**************************|


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/01/09 22:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xB7EEA000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: 1b25cf38.sys
Image Path: C:\WINDOWS\System32\Drivers\1b25cf38.sys
Address: 0xA581F000 Size: 143744 File Visible: No Signed: -
Status: -

Name: 23ac832f.sys
Image Path: C:\WINDOWS\System32\Drivers\23ac832f.sys
Address: 0xA5792000 Size: 574976 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xB8128000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xB04C7000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_nvgts.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvgts.sys
Address: 0xA7100000 Size: 122880 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xB861A000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA562E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e8c6

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657ec24

#: 025 Function Name: NtClose
Status: Hooked by "d347bus.sys" at address 0xb7f8e818

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657fc6c

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657f528

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb65800bc

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xb7f82a20

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657ed6e

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657edf0

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657f34c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e4c8

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb65801be

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb65823e8

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "d347bus.sys" at address 0xb7f832a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "d347bus.sys" at address 0xb7f8e910

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb6580310

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb65807c4

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657f43c

#: 119 Function Name: NtOpenKey
Status: Hooked by "d347bus.sys" at address 0xb7f8e794

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb658217a

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657f26c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb6582294

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e7c4

#: 160 Function Name: NtQueryKey
Status: Hooked by "d347bus.sys" at address 0xb7f832c8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "d347bus.sys" at address 0xb7f8e866

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657ecc6

#: 199 Function Name: NtRequestPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657fcfc

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657fab8

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657fe86

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e5b8

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e9ca

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "d347bus.sys" at address 0xb7f8e0b0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e726

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e688

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657eb82

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb65820de

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb65824f6

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e3c6

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a2ea1b8 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x88e739d0 Size: 11

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x89f64ca0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89f64900 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLOSE]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_READ]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_WRITE]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_EA]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLEANUP]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_POWER]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_PNP]
Process: System Address: 0x8a01f650 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8a1a86b0 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x8a05ba70 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a1a8870 Size: 11

Object: Hidden Code [Driver: Npfs؅卆浩؁ఐ卆浩, IRP_MJ_READ]
Process: System Address: 0x8a1b2a68 Size: 11

Object: Hidden Code [Driver: MsfsЅఅ浗灩MofResourceN, IRP_MJ_READ]
Process: System Address: 0x8a1aa378 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x8a1b7188 Size: 11

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_READ]
Process: System Address: 0x8a1a6f70 Size: 11

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e1e8

#: 347 Function Name: NtUserDdeSetQualityOfService
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e17c

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657e13a

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657dffc

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657dfb6

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657dd3a

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657dbc4

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657dc18

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657dd98

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657db8a

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657d536

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb657d84a

==EOF==


After it restarted I still can't use Gmail or use Google without it changing what I'm clicking on to search8. Any assistance would be wonderful.

Attached Files

  • Attached File  log.txt   25.33KB   12 downloads

Edited by killerderk, 09 January 2010 - 11:43 PM.



#2 killerderk

killerderk
  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:26 AM

Posted 09 January 2010 - 09:52 PM

Sorry for the bump, but I really need this solved.

#3 killerderk

killerderk
  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:26 AM

Posted 10 January 2010 - 12:18 AM

Getting worse as I wait :\


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion for the staff.

Please be patient. It may take several days, up to two weeks (perhaps less), to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 10 January 2010 - 08:53 AM.


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:11:26 AM

Posted 15 January 2010 - 06:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. I suggest you do this, select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

Regards, myrti

Is that a bird? A plane? Nooo, it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!
