smss32.exe fake alert trojan and lingering 41.exe trojan


  • This topic is locked
2 replies to this topic

#1 external_mind

  • Members
  • 2 posts

Posted 28 January 2010 - 10:30 AM

Running XP on a Lenovo W700 with up-to-date McAfee. There was a breach through a PDF open in IE temp. smss32.exe got into system32 and started changing registries and disabling things, which alerted McAfee, which was trying to block changes (it was not fast enough in blocking, as it soon disabled desktop backgrounds, Task Manager, and I'm not sure what else). At the very first McAfee alert and the other "fake" warning alerts I put the computer in lockdown mode and disabled the radio. I found specific removal software with my other computer and used the cleaning software (followed these steps http://www.myantispyware.com/2010/01/07/ho...-spyware-alert/ ). McAfee completed 2 full scans since then and found 0 threats yesterday. Today I did a quick scan and it found system32/41.exe and said it was a trojan... Now it's time for expert help to get rid of anything lingering. Everything at the moment seems stable and clean... I have corrected the few registries I found altered and it does not seem to be changing back... yet?

Here are the latest logs and scan results though...

I really appreciate everyone that helps out in fixing problems like mine. You guys are amazing, really.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Bret at 9:19:02.03 on Thu 01/28/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2554.1335 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\DTS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\AtService.exe
C:\WINDOWS\system32\FpLogonServ.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\XRite\hueyPRO\hueyPROTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\SafeConnect\scClient.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\SafeConnect\scManager.sys
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\WINDOWS\system32\Pen_Tablet.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Java\jre1.5.0_16\bin\jucheck.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\Bret\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://externalmind.com/
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/welcome/thinkpad
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_16\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_16\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Wlikiyi] rundll32.exe "c:\windows\afesubukaqibiyov.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hueypr~1.lnk - c:\program files\xrite\hueypro\hueyPROTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\safeco~1.lnk - c:\program files\safeconnect\scClient.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_16\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
LSA: Notification Packages = scecli SC71C7.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bret\applic~1\mozilla\firefox\profiles\3m1auca2.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\bret\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: c:\program files\java\jre1.5.0_16\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_IEGetPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {A32149C6-7846-457F-859A-31CDC65CE4F7} - c:\documents and settings\bret\local settings\application data\{A32149C6-7846-457F-859A-31CDC65CE4F7}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-26 207792]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-10-23 13480]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-26 1676536]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-26 112592]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-26 98304]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-10-26 118784]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-9 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-9 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-9 144704]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-8-19 53248]
R2 SCManager;SafeConnect Manager;c:\program files\safeconnect\scmanager.sys servicestart --> c:\program files\safeconnect\scManager.sys servicestart [?]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-8-19 3399976]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-12-17 62320]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-11-24 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 360448]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-8-19 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-8-19 482176]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-8-19 243856]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-9 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-9 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-9 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-9 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-9 40552]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
R3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [2009-8-19 10536]
S2 gupdate1ca28fc9bd48f0;Google Update Service (gupdate1ca28fc9bd48f0);c:\program files\google\update\GoogleUpdate.exe [2009-8-29 133104]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-5-21 45424]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-26 106496]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-26 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-26 1141712]

=============== Created Last 30 ================

2010-01-28 13:35:02 1892 ----a-w- c:\windows\owugomukedom.dll
2010-01-28 13:33:54 1024 ----a-w- C:\.rnd
2010-01-27 14:18:03 1892 ----a-w- c:\windows\Mragedu.dat
2010-01-27 14:18:03 0 ----a-w- c:\windows\Erarurara.bin
2010-01-26 17:15:04 0 d-----w- c:\program files\Spyware Doctor
2010-01-26 17:15:04 0 d-----w- c:\program files\common files\PC Tools
2010-01-26 17:15:04 0 d-----w- c:\docume~1\bret\applic~1\PC Tools
2010-01-26 17:15:04 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-26 17:09:29 0 ----a-w- c:\windows\system32\19169.exe
2010-01-26 16:49:29 0 ----a-w- c:\windows\system32\26500.exe
2010-01-26 16:29:17 25088 ----a-w- c:\windows\system32\helper32.dll
2010-01-26 16:25:09 26624 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-26 16:25:09 1 ----a-w- C:\s
2010-01-13 02:23:07 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-27 12:26:04 2828 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-20 17:44:44 34068 ----a-w- c:\windows\fonts\Wild Script.ttf
2009-12-15 15:25:40 162548 ----a-w- c:\windows\system32\nvModes.dat
2009-11-28 15:45:50 87608 ----a-w- c:\docume~1\bret\applic~1\inst.exe
2009-11-28 15:45:50 47360 ----a-w- c:\docume~1\bret\applic~1\pcouffin.sys
2009-11-10 15:28:16 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-10 15:28:10 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-10 15:28:10 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-10 15:26:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-08-19 23:46:16 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-08-20 00:59:18 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081920090820\index.dat
2009-08-20 15:07:45 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082020090821\index.dat
2009-08-20 15:07:52 16384 --sh--w- c:\windows\temp\cookies\index.dat
2009-08-20 15:07:52 16384 --sh--w- c:\windows\temp\history\history.ie5\index.dat
2009-08-20 15:07:52 16384 --sh--w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 9:19:55.10 ===============

Here is the RootRepeal log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/28 09:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9D4F000 Size: 897024 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA73B8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RRbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\common
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\common\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\common\backups.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\bt0.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\css.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\mnd.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\regcerts.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\restore.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\rr.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\SAM
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\secpolicy.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\settings.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\system.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\tvtcmn.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\usersids.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Bret
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\FR\KernelFileDigest.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UpdatingFiles.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Bret\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Bret\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\FR\UF\boot.ini
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\documents and settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\NTDETECT.COM
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\NTLDR
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Bret\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Bret\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Bret\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\documents and settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\FR\UF\documents and settings\default user
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\WINDOWS\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\FR\UF\WINDOWS\explorer.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Bret\Application Data\Microso

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xba5f7e52

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xba5d8cde

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xba5d8ed0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xba5f8640

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xba5f88f4

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xba5f6b44

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xba5f8d60

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xba5f8112

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xba5d8984

==EOF==


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:47 PM

Posted 05 February 2010 - 03:24 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:47 PM

Posted 10 February 2010 - 06:49 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



