atapy.sys rootkit



#1 Leonord

Posted 29 April 2010 - 11:57 AM

I was infected with the atapy rootkit; AVG detected it, and so did GMER. I did some investigation, and after running ComboFix the atapy.sys disappeared from the GMER log and the problems seem to be gone.
Can anyone please confirm that I've done well?

DDS (Ver_10-03-17.01) - NTFSx86
Run by Beamer at 18:07:59,09 on 29/04/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.43.3082.18.3063.1920 [GMT 2:00]


============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\nvvsvc.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Motorola Media Link\NServiceEntry.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\Users\Beamer\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=es&source=iglk
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRunOnce: [UniblueRegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Enviar a OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: E&xportar a Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\beamer\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
Hosts: 85.25.76.160 nProtect.lineage2.com
Hosts: 85.25.71.196 L2authd.lineage2.com
Hosts: 89.149.249.198 www.google.de
Hosts: 89.149.249.198 www.google.fr
Hosts: 89.149.249.198 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\users\beamer\appdata\roaming\mozilla\firefox\profiles\rdzw0lkp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2010-4-20 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-20 52872]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-4-20 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-20 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-20 29512]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-20 242896]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-10-1 20384]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-20 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-20 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-20 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-20 5888008]
R2 DeviceMonitorService;DeviceMonitorService;c:\program files\motorola media link\NServiceEntry.exe [2009-10-12 87336]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-1-11 240232]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2010-4-20 122376]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2010-4-20 30216]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2010-4-20 20488]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-1-4 201896]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-3-11 66664]
S2 zxjgpklm;Microsoft IPv6 Protocol Helper;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 DNIMp50;DNIMp50 NDIS Protocol Driver;c:\windows\system32\drivers\DNIMP50.sys [2006-11-16 21504]
S3 DNISp50;DNISp50 NDIS Protocol Driver;c:\windows\system32\drivers\DNISP50.sys [2006-11-16 20480]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wn111v2\jswpsapi.exe [2008-2-29 942080]
S3 netr73;RT73 USB-Drahtlos-LAN-Kartentreiber für Vista;c:\windows\system32\drivers\netr73.sys [2009-6-10 545792]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2v.sys [2009-1-13 453120]

=============== Created Last 30 ================

2010-04-29 11:50:35 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-29 11:42:12 20 ----a-w- c:\users\beamer\defogger_reenable
2010-04-29 11:22:52 98816 ----a-w- c:\windows\sed.exe
2010-04-29 11:22:52 77312 ----a-w- c:\windows\MBR.exe
2010-04-29 11:22:52 256512 ----a-w- c:\windows\PEV.exe
2010-04-29 11:22:52 161792 ----a-w- c:\windows\SWREG.exe
2010-04-29 10:32:22 0 d-----w- c:\users\beamer\appdata\roaming\Uniblue
2010-04-29 10:32:17 0 d-----w- c:\program files\Uniblue
2010-04-28 14:12:45 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-23 20:07:52 0 d-----w- c:\program files\IKEA HomePlanner
2010-04-22 10:56:17 0 d-----w- c:\program files\CCleaner
2010-04-20 10:52:54 0 d-----w- c:\users\beamer\appdata\roaming\AVG9
2010-04-20 06:30:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-20 06:20:43 0 d-----w- C:\$AVG
2010-04-20 06:20:28 25096 ----a-w- c:\windows\system32\drivers\AVGIDSwx.sys
2010-04-20 06:20:19 0 d-----w- c:\programdata\avg9
2010-04-20 05:58:50 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-20 05:58:49 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-20 05:58:45 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-20 05:58:43 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-20 05:58:06 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-04-20 05:58:06 0 d-----w- c:\program files\AVG
2010-04-20 05:58:05 0 d-----w- c:\programdata\avg8
2010-04-20 05:36:59 0 d-----w- c:\windows\pss
2010-04-16 20:34:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUsb_01007.Wdf
2010-04-16 20:24:45 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-04-16 20:24:45 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-04-16 20:20:34 0 d-----w- c:\users\beamer\.android
2010-04-16 20:18:19 0 d-----w- C:\Android_stuff
2010-04-14 20:42:45 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 20:42:45 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 20:42:45 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 20:42:43 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 20:42:42 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 20:42:42 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 15:02:53 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 15:02:49 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-11 14:04:01 524288 --sha-w- c:\users\beamer\ntuser.dat{075d22e5-4573-11df-a850-888888888788}.TMContainer00000000000000000002.regtrans-ms
2010-04-11 14:04:00 65536 --sha-w- c:\users\beamer\ntuser.dat{075d22e5-4573-11df-a850-888888888788}.TM.blf
2010-04-11 14:04:00 524288 --sha-w- c:\users\beamer\ntuser.dat{075d22e5-4573-11df-a850-888888888788}.TMContainer00000000000000000001.regtrans-ms
2010-04-11 13:56:29 524288 --sha-w- c:\users\beamer\ntuser.dat{f9f368e5-4571-11df-875d-888888888788}.TMContainer00000000000000000002.regtrans-ms
2010-04-11 13:56:28 65536 --sha-w- c:\users\beamer\ntuser.dat{f9f368e5-4571-11df-875d-888888888788}.TM.blf
2010-04-11 13:56:28 524288 --sha-w- c:\users\beamer\ntuser.dat{f9f368e5-4571-11df-875d-888888888788}.TMContainer00000000000000000001.regtrans-ms
2010-04-07 23:30:28 36 ----a-w- c:\windows\johncast.bat
2010-04-07 23:30:27 720896 ----a-w- c:\windows\iun6002ev.exe
2010-04-07 23:30:27 0 d-----w- c:\program files\Johnny Castaway
2010-04-07 21:40:07 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-07 21:40:07 0 d-----w- c:\program files\iPod
2010-04-07 21:37:52 0 d-----w- c:\program files\Bonjour
2010-03-31 03:25:44 977920 ----a-w- c:\windows\system32\wininet.dll

==================== Find3M ====================

2010-04-29 16:06:19 641530 ----a-w- c:\windows\system32\perfh007.dat
2010-04-29 16:06:19 125870 ----a-w- c:\windows\system32\perfc007.dat
2010-04-29 10:36:54 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-24 21:17:25 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-03-14 00:22:56 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-03-14 00:22:56 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-03-01 08:20:26 286720 ------w- c:\windows\Setup1.exe
2010-03-01 08:20:24 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-02-25 20:13:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 20:29:32 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfd.dat
2010-02-24 20:29:32 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfc.dat
2010-02-24 20:29:32 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfi.dat
2010-02-24 20:29:32 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfh.dat
2010-02-24 08:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-12 09:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 09:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-11 07:10:14 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-04 09:01:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 09:01:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 09:01:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 09:01:14 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 08:47:32 38104 ----a-w- c:\windows\inf\perflib\0407\perfd.dat
2009-07-14 08:47:32 38104 ----a-w- c:\windows\inf\perflib\0407\perfc.dat
2009-07-14 08:47:32 295922 ----a-w- c:\windows\inf\perflib\0407\perfi.dat
2009-07-14 08:47:32 295922 ----a-w- c:\windows\inf\perflib\0407\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:08:14,79 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 18:38:21
Windows 6.1.7600
Running: 1qzvydh0.exe; Driver: C:\Users\Beamer\AppData\Local\Temp\ufryipoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwOpenProcess [0x82A96730]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateProcess [0x82A967E0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x82A96880]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x82A96920]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83640AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83640104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 836403F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 836292D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83628898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 836401DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83640958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 836406F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83640F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 836411A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83259599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8327DF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 832859F8 4 Bytes [30, 67, A9, 82]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 83285CC8 8 Bytes [E0, 67, A9, 82, 80, 68, A9, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 83285D3C 4 Bytes [20, 69, A9, 82]
.text peauth.sys 9DA14C9D 28 Bytes [D5, 8D, 2B, 48, 9B, 23, A8, ...]
.text peauth.sys 9DA14CC1 28 Bytes [D5, 8D, 2B, 48, 9B, 23, A8, ...]
PAGE peauth.sys 9DA1AB9B 72 Bytes JMP 6FB47621
PAGE peauth.sys 9DA1ABEC 111 Bytes [19, C0, CF, 6E, DD, 9D, C8, ...]
PAGE peauth.sys 9DA1AE20 101 Bytes [0B, F7, 61, E1, CF, AC, 71, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!LockResource 7674345C 3 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!LockResource + 4 76743460 1 Byte [B1]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!CreateEventA 76743A2B 3 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!CreateEventA + 4 76743A2F 1 Byte [B1]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!FindResourceW 7674922F 3 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!FindResourceW + 4 76749233 1 Byte [B1]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!SizeofResource 7674924D 3 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!SizeofResource + 4 76749251 1 Byte [B1]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!FindResourceExW 7674A7EF 3 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!FindResourceExW + 4 7674A7F3 1 Byte [B1]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!LoadResource 7674D3B0 3 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!LoadResource + 4 7674D3B4 1 Byte [B1]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!FindResourceExA 7674D4AD 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!FindResourceA 7674D575 3 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] kernel32.dll!FindResourceA + 4 7674D579 1 Byte [B1]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] ADVAPI32.dll!CryptDecrypt 77DC2140 5 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] ADVAPI32.dll!CryptDeriveKey 77DC2150 5 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!SetWindowPlacement 76378169 5 Bytes JMP 28005E10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!CreateDialogParamW 76379BFF 5 Bytes JMP 28006090 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!SetWindowRgn 7637B29A 7 Bytes JMP 28005F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!CreateWindowExW 76380E51 5 Bytes JMP 28003C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!LoadIconW 76381431 5 Bytes JMP 280068D0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!LoadImageW 76382323 5 Bytes JMP 280066E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!GetWindowLongW 763883A9 7 Bytes JMP 28006A70 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!PeekMessageW 763891B5 5 Bytes JMP 28004630 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!TrackPopupMenuEx 763A5F72 5 Bytes JMP 28004F10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] USER32.dll!MessageBoxIndirectW 763CE9C3 5 Bytes JMP 28006280 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WS2_32.dll!closesocket 77E23BED 5 Bytes JMP 2800B8A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WS2_32.dll!recv 77E247DF 5 Bytes JMP 2800B0C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WS2_32.dll!WSASend 77E268A7 5 Bytes JMP 2800B660 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WS2_32.dll!WSARecv 77E2C29F 5 Bytes JMP 2800B260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WS2_32.dll!send 77E2C4C8 5 Bytes JMP 2800B480 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] SHELL32.dll!Shell_NotifyIconW 767FFBA1 5 Bytes JMP 280033B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] ole32.dll!CoRegisterClassObject 77AE11F5 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] ole32.dll!CoInitializeEx 77B10804 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] ole32.dll!CoCreateInstance 77B257FC 1 Byte [E9]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] ole32.dll!CoCreateInstance 77B257FC 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WININET.dll!InternetCloseHandle 7744C87E 5 Bytes JMP 2800A220 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WININET.dll!InternetReadFile 7744E2A4 5 Bytes JMP 2800A070 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WININET.dll!HttpOpenRequestA 7745043A 5 Bytes JMP 28009EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WININET.dll!HttpSendRequestA 774C014C 1 Byte [E9]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WININET.dll!HttpSendRequestA 774C014C 5 Bytes JMP 2800A150 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!CreateWindowExW 76380E51 5 Bytes JMP 6B8980F7 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!DialogBoxIndirectParamW 763A4AA7 5 Bytes JMP 6B9BF218 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!DialogBoxParamW 763A564A 5 Bytes JMP 6B7B4B7F C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!DialogBoxParamA 763BCF6A 5 Bytes JMP 6B9BF1B5 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!DialogBoxIndirectParamA 763BD29C 5 Bytes JMP 6B9BF27B C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!MessageBoxIndirectA 763CE8C9 5 Bytes JMP 6B9BF14A C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!MessageBoxIndirectW 763CE9C3 5 Bytes JMP 6B9BF0DF C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!MessageBoxExA 763CEA29 5 Bytes JMP 6B9BF07D C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!MessageBoxExW 763CEA4D 5 Bytes JMP 6B9BF01B C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!UnhookWindowsHookEx 7637CC7B 5 Bytes JMP 6B8A82FA C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!CallNextHookEx 7637CC8F 5 Bytes JMP 6B889D00 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!CreateWindowExW 76380E51 5 Bytes JMP 6B8980F7 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!SetWindowsHookExW 7638210A 5 Bytes JMP 6B8445DB C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!DialogBoxIndirectParamW 763A4AA7 5 Bytes JMP 6B9BF218 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!DialogBoxParamW 763A564A 5 Bytes JMP 6B7B4B7F C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!DialogBoxParamA 763BCF6A 5 Bytes JMP 6B9BF1B5 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!DialogBoxIndirectParamA 763BD29C 5 Bytes JMP 6B9BF27B C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!MessageBoxIndirectA 763CE8C9 5 Bytes JMP 6B9BF14A C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!MessageBoxIndirectW 763CE9C3 5 Bytes JMP 6B9BF0DF C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!MessageBoxExA 763CEA29 5 Bytes JMP 6B9BF07D C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] USER32.dll!MessageBoxExW 763CEA4D 5 Bytes JMP 6B9BF01B C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] ole32.dll!OleLoadFromStream 77AD5B88 5 Bytes JMP 6B9BF576 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] ole32.dll!CoCreateInstance 77B257FC 5 Bytes JMP 6B898BE5 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!UnhookWindowsHookEx 7637CC7B 5 Bytes JMP 6B8A82FA C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!CallNextHookEx 7637CC8F 5 Bytes JMP 6B889D00 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!CreateWindowExW 76380E51 5 Bytes JMP 6B8980F7 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!SetWindowsHookExW 7638210A 5 Bytes JMP 6B8445DB C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!DialogBoxIndirectParamW 763A4AA7 5 Bytes JMP 6B9BF218 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!DialogBoxParamW 763A564A 5 Bytes JMP 6B7B4B7F C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!DialogBoxParamA 763BCF6A 5 Bytes JMP 6B9BF1B5 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!DialogBoxIndirectParamA 763BD29C 5 Bytes JMP 6B9BF27B C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!MessageBoxIndirectA 763CE8C9 5 Bytes JMP 6B9BF14A C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!MessageBoxIndirectW 763CE9C3 5 Bytes JMP 6B9BF0DF C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!MessageBoxExA 763CEA29 5 Bytes JMP 6B9BF07D C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] USER32.dll!MessageBoxExW 763CEA4D 5 Bytes JMP 6B9BF01B C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] ole32.dll!OleLoadFromStream 77AD5B88 5 Bytes JMP 6B9BF576 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5280] ole32.dll!CoCreateInstance 77B257FC 5 Bytes JMP 6B898BE5 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI_HAL \Device\00000056 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB2 0x64 0xB2 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1C 0x54 0x81 0x7D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x81 0x4A 0x7A 0xB5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xEB 0xEC 0x1C 0xCC ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB2 0x64 0xB2 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1C 0x54 0x81 0x7D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x81 0x4A 0x7A 0xB5 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xEB 0xEC 0x1C 0xCC ...
Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\3723290610\Groups@3\xb7 AnimeDensou 0
Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\3723290610\Groups@4\xb7 ExDensous 1

---- EOF - GMER 1.0.15 ----


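As an added example (not code from GMER, BleepingComputer or either poster), the Python script below triages a GMER 1.0.15 log of the kind posted above. It groups the user-mode ".text" inline hooks by the file that owns the JMP target, so the dozens of IEFRAME.dll and MsgPlusLive.dll entries collapse into one row each with their vendor string, and it pulls out the records a reviewer actually has to look at: hooks GMER could not resolve to a file (such as the "1 Byte [E9]" record for HttpSendRequestA), attached devices with no version information (AVGIDSFilter.sys above), and any services\sptd registry keys, which show that the SPTD driver shipped with DAEMON Tools is installed and are the reason helpers ask for CD emulation to be disabled before a fresh scan. The record layouts it parses are read off the log above; the grouping and flagging rules are this example's own triage choices, not GMER's, and the embedded sample is a constructed subset of that log.

```python
"""Triage a GMER 1.0.15 text log (added example, not a GMER or BleepingComputer tool):
group user-mode '.text' inline hooks by the file that owns the JMP target and
surface the records GMER could not attribute to a file or vendor."""
import json
import re
from collections import defaultdict

# .text <image>[pid] <module>!<export> <addr> <n> Byte(s) <rest>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^\s!]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<rest>.*)$"
)
# <rest> = JMP <target> [<file> [(<description>/<vendor>)]]; the parenthesised part
# is GMER's summary of the owning file's version resource.
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<path>[A-Za-z]:\\[^()]*?))?"
    r"(?:\s*\((?P<desc>[^/()]*)/(?P<vendor>[^()]*)\))?\s*$"
)
# AttachedDevice <driver object> <device object> <file> [(<description>/<vendor>)]
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<file>\S+)"
    r"(?:\s+\((?P<desc>[^/()]*)/(?P<vendor>[^()]*)\))?\s*$"
)
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)")
UNRESOLVED = "<unresolved>"


def parse_hook(line):
    """Dict for a '.text' hook record, or None if the line is not one."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("image", "pid", "module", "export", "addr")}
    rec.update(size=int(m.group("size")), target=None, path=None, vendor=None, raw=None)
    j = JMP_RE.match(m.group("rest"))
    if j:
        rec["target"] = j.group("target")
        rec["path"] = (j.group("path") or "").strip() or None
        rec["vendor"] = (j.group("vendor") or "").strip() or None
    else:
        # e.g. "1 Byte [E9]": E9 is the x86 JMP rel32 opcode, but GMER printed no
        # target, so this line alone does not say which file owns the hook.
        rec["raw"] = m.group("rest")
    return rec


def parse_device(line):
    """Dict for an 'AttachedDevice' record, or None."""
    m = DEVICE_RE.match(line)
    if not m:
        return None
    return {"driver": m.group("driver"), "device": m.group("device"), "file": m.group("file"),
            "vendor": (m.group("vendor") or "").strip() or None}


def triage(log_text):
    by_module = defaultdict(lambda: {"vendor": None, "hooks": []})
    unresolved_hooks, devices_without_vendor, sptd_keys = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (h := parse_hook(line)) is not None:
            label = f"{h['image']}[{h['pid']}] {h['module']}!{h['export']}"
            key = h["path"] or UNRESOLVED
            by_module[key]["hooks"].append(label)
            if h["vendor"]:
                by_module[key]["vendor"] = h["vendor"]
            if h["path"] is None:
                unresolved_hooks.append(label)
        elif (d := parse_device(line)) is not None:
            if d["vendor"] is None:
                devices_without_vendor.append(f"{d['file']} on {d['device']}")
        elif (r := REG_RE.match(line)) is not None:
            # sptd is the kernel driver behind DAEMON Tools CD emulation; its storage-stack
            # hooks confuse anti-rootkit scanners, hence the request to disable it first.
            if "\\services\\sptd\\" in r.group("key").lower():
                sptd_keys.append(r.group("key"))
    return {"hooks_by_module": dict(by_module), "unresolved_hooks": unresolved_hooks,
            "devices_without_vendor": devices_without_vendor, "sptd_keys": sptd_keys}


# Constructed sample: a handful of records copied from the log posted above.
SAMPLE_LOG = r"""
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WININET.dll!HttpSendRequestA 774C014C 1 Byte [E9]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[508] WININET.dll!HttpSendRequestA 774C014C 5 Bytes JMP 2800A150 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Internet Explorer\iexplore.exe[4244] USER32.dll!CreateWindowExW 76380E51 5 Bytes JMP 6B8980F7 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4572] ole32.dll!CoCreateInstance 77B257FC 5 Bytes JMP 6B898BE5 C:\windows\system32\IEFRAME.dll (Explorador de Internet/Microsoft Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\3723290610\Groups@3\xb7 AnimeDensou 0
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it directly to get a JSON summary of the embedded sample, or pass the text of a full saved GMER log to triage(). Rows in hooks_by_module whose vendor matches the product you expect inside that process (IEFRAME.dll inside iexplore.exe, the Messenger Plus! add-on inside msnmsgr.exe) can be set aside; unresolved hooks and vendor-less drivers are where to start asking questions. One caveat: the vendor string is read from the file's version resource, so it records what the file claims about itself, not that the file is digitally signed or unmodified.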

#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:01:16 PM

Posted 03 May 2010 - 12:34 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:16 PM

Posted 09 May 2010 - 07:45 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 




