Antimalware doctor infection?


  • This topic is locked
3 replies to this topic

#1 urbn

  • Members
  • 2 posts

Posted 15 June 2010 - 12:42 PM

Good morning everyone, or at least I wish it was!

Yesterday I was hit with what I think was antimalware doctor. I thought I killed it off fast enough but I could only be so lucky. I have spent the last 16 hours trying to clean my system with no luck so I need to turn to the professionals :)

Situation: Browsing through Firefox, saw the popup of a new application, pulled out my ethernet cable and started killing processes, installed too quickly. I noticed my DNS settings were changed and changed them back. I then started to notice tons of files being downloaded (when I was downloading AVG/Spybot/Malwarebytes).

Manually cleaned out all the files and reg settings I could find, deleted all non-important exe's. Ran several scans of Malwarebytes and Spybot as well as AVG.

Here are the log files that are normally requested. Please let me know if you need any more information or instruct me further in any steps you think can help with this infection.

OTL LOGS

Computer Name: LAPPY5000
Current User Name: urbn
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2425220323-3962641459-3882516173-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0E85F641-7537-40C4-883A-04137780C34E}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{0EF1C208-8477-4E62-BE21-37B7043D60E2}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{1D109506-3423-4E2D-9AE0-F5C0D8DD447E}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{371351DE-EED0-4CE9-A329-0CBEEEE0DB8A}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{50BF1988-8AF1-4696-A999-F186C6E29DBC}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{5536F771-0A52-4934-93CC-5C6C38D212D3}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6537E3CD-88D3-4B4F-9977-7E5BB1EF2428}" = lport=10244 | protocol=6 | dir=in | app=system |
"{68A9974A-7C7E-4EBE-9D05-790FD4F0DC60}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{6B0ABAA3-D168-40F0-95A0-E03A6AEE5152}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{7236EFC6-C636-40FD-B74B-1B206C872D27}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{76EECEF8-96CA-4C7C-AB78-86A6E75D71B2}" = lport=3390 | protocol=6 | dir=in | app=system |
"{7C983317-0882-4D4D-992C-DB434FE447C7}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{7D8B6903-168B-4763-8745-344C5DDB312B}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{89A107A6-1BCB-41A1-BF51-F243318DA7D4}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8EC2B926-9E8A-4D30-B05C-668F2C71ABF5}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{91A52090-C3E7-42B2-BFC4-9B7CB0B8F44C}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{98D80D56-3CF4-41A7-AC0E-099BFDB686CB}" = rport=10244 | protocol=6 | dir=out | app=system |
"{9C78F0ED-207E-4A70-951F-C828C334F690}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{AD027ACA-A920-430E-8241-9FCDDE6F00D9}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
"{B60D1BB7-5BC2-4B18-B5F3-1C90DDA15E71}" = lport=2869 | protocol=6 | dir=in | app=system |
"{C69EC2DC-7AF7-4263-A190-10E8B9B71A19}" = lport=3390 | protocol=6 | dir=in | app=system |
"{D8AAA6AC-8EB4-406D-B733-7057A7940B5E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{DFC6BC8B-507D-47A5-B1ED-6EACBB7A990E}" = rport=10244 | protocol=6 | dir=out | app=system |
"{F84F8CC7-88AA-42B4-B842-8AE18C41436E}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{FB63595B-7C98-47AE-87F0-4AC5394A3B8B}" = lport=10244 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{011334B5-973E-438A-9E46-A4266D24B643}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{0C8C6CBE-9B47-44A9-B78C-62B377AEAB0D}" = protocol=6 | dir=in | app=c:\program files\aim\aim.exe |
"{1660FE17-E82F-475D-8C4A-16F03AA7AEF4}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"{1706D7E1-D067-49DD-B2A5-1851CBB39DBE}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{2F3A1970-B766-451D-B1E2-F7FD23E9915A}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{3F617A15-DC21-4D65-B152-CB3844F2CAF6}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{6C38FB21-F4E3-4E7F-AE1E-ED0C420B9F5A}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{6C97F437-AAED-4920-BCB6-C7BA2D9365A3}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{6F6E2EB3-E417-4784-9CF4-4BC7352C2A7F}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{9386C630-C4D7-46AC-AAE2-9D056BFCF9C6}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{992B6E79-4B5A-4A89-B529-14B7F9A2EDB4}" = protocol=17 | dir=in | app=c:\program files\aim\aim.exe |
"{9DEDF455-AA50-44A1-80A5-6C3AD1443050}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{9F27A999-19AB-4679-A16A-17D9217563DA}" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"{9F761158-361C-45AA-96E1-CC2E62E6AA9B}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{AD530740-70B6-42E9-8585-C58452C5FA6E}" = protocol=17 | dir=in | app=c:\program files\dell video chat\dellvideochat.exe |
"{AF8CC52D-8275-41C7-BAB8-5A4A718E4BA2}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"{BEA4AF40-9968-4DBE-B4CA-9F0E4D7E9E58}" = protocol=6 | dir=in | app=c:\program files\dell video chat\dellvideochat.exe |
"{C2FB8096-C9FB-45AF-BD4A-4E72C32DC17C}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{E321AD42-C975-49B6-99B5-F6EBEB0F8633}" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"{F6B5D38C-14FC-4ED9-A2BB-76B65FBAE33B}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{F869ED62-CDBF-48B7-8156-D3A6966E35DF}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{FE53A1D3-F07A-4EC4-942E-B68395D998DD}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"TCP Query User{00D953B6-B0D8-4A8C-9C8C-05FA86BA5249}C:\program files\bittornado\btdownloadgui.exe" = protocol=6 | dir=in | app=c:\program files\bittornado\btdownloadgui.exe |
"TCP Query User{011BF5BD-C724-41D4-9E17-E97B89C941CE}C:\program files\microsoft visual studio 8\common7\ide\devenv.exe" = protocol=6 | dir=in | app=c:\program files\microsoft visual studio 8\common7\ide\devenv.exe |
"TCP Query User{0CDC4C36-098C-4DCA-90C8-B16BB64E92D2}C:\program files\bittornado\btdownloadgui.exe" = protocol=6 | dir=in | app=c:\program files\bittornado\btdownloadgui.exe |
"TCP Query User{115AFA2E-3A7B-426D-9F58-22848BEA4430}C:\program files\microsoft visual studio 8\common7\ide\devenv.exe" = protocol=6 | dir=in | app=c:\program files\microsoft visual studio 8\common7\ide\devenv.exe |
"TCP Query User{17842065-FE80-45C3-A9B5-486B867A6DD9}C:\program files\steam\steamapps\common\dawn of war 2\dow2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"TCP Query User{1C5D14B7-CC56-4AF1-9E83-EFB3ECA1C857}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{48CBDBC2-A9CD-4F7B-9379-83D83A0049AC}D:\setup\easy_search.exe" = protocol=6 | dir=in | app=d:\setup\easy_search.exe |
"TCP Query User{7184A4DB-5876-49C3-BBCE-E8E0770A7B4B}C:\program files\aim\aim.exe" = protocol=6 | dir=in | app=c:\program files\aim\aim.exe |
"TCP Query User{B861A597-9EB6-4A14-84E5-45FCA1B0D080}C:\program files\thq\darkcrusade\darkcrusade.exe" = protocol=6 | dir=in | app=c:\program files\thq\darkcrusade\darkcrusade.exe |
"TCP Query User{BCE73D47-B933-4AB5-B835-B527516D2C0F}C:\program files\mirc\mirc.exe" = protocol=6 | dir=in | app=c:\program files\mirc\mirc.exe |
"TCP Query User{BF384C7E-BB7C-4B87-B959-39193C728138}C:\program files\macromedia\homesite 5\homesite5.exe" = protocol=6 | dir=in | app=c:\program files\macromedia\homesite 5\homesite5.exe |
"TCP Query User{C5F54602-D965-4344-BA96-DBE728586FF3}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"UDP Query User{0FEA66EC-6EB1-497F-BD8C-59F60EB075E0}C:\program files\aim\aim.exe" = protocol=17 | dir=in | app=c:\program files\aim\aim.exe |
"UDP Query User{3E4191E9-A610-48FD-A1C2-42B7A33FD9BF}C:\program files\mirc\mirc.exe" = protocol=17 | dir=in | app=c:\program files\mirc\mirc.exe |
"UDP Query User{4FDB47AE-1D2F-4DFD-B101-4D42B201E23C}D:\setup\easy_search.exe" = protocol=17 | dir=in | app=d:\setup\easy_search.exe |
"UDP Query User{856D6FD4-CB99-4D09-A9B1-9935C58CA68C}C:\program files\microsoft visual studio 8\common7\ide\devenv.exe" = protocol=17 | dir=in | app=c:\program files\microsoft visual studio 8\common7\ide\devenv.exe |
"UDP Query User{8A669B6B-EBF1-41FF-864E-C160C37A47FA}C:\program files\bittornado\btdownloadgui.exe" = protocol=17 | dir=in | app=c:\program files\bittornado\btdownloadgui.exe |
"UDP Query User{971950F4-077B-4453-AEDB-A1D9CCD9603D}C:\program files\bittornado\btdownloadgui.exe" = protocol=17 | dir=in | app=c:\program files\bittornado\btdownloadgui.exe |
"UDP Query User{A9B1C3AE-C164-4AD0-AEE0-2C0035E54398}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"UDP Query User{C02360FA-0AC3-4E07-9A07-535042F81919}C:\program files\microsoft visual studio 8\common7\ide\devenv.exe" = protocol=17 | dir=in | app=c:\program files\microsoft visual studio 8\common7\ide\devenv.exe |
"UDP Query User{C4E68096-412D-4038-B8B9-13141A3F5960}C:\program files\steam\steamapps\common\dawn of war 2\dow2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war 2\dow2.exe |
"UDP Query User{DAD236BB-06BD-4154-9274-636E9D981EAE}C:\program files\thq\darkcrusade\darkcrusade.exe" = protocol=17 | dir=in | app=c:\program files\thq\darkcrusade\darkcrusade.exe |
"UDP Query User{E4ABD752-CD4F-413A-A9B5-55E73C139DB9}C:\program files\macromedia\homesite 5\homesite5.exe" = protocol=17 | dir=in | app=c:\program files\macromedia\homesite 5\homesite5.exe |
"UDP Query User{FDB282AA-78F3-48F9-B0AE-33BEB87B4AD1}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01C5A10F-AD9B-405B-853A-6659841A1242}" = Microsoft SQL Server 2008 Policies
"{035400A4-29BD-3723-BEED-E2718A68CDE0}" = Microsoft Visual Studio 2010 Office Developer Tools (x86)
"{082BDF7B-4810-4599-BF0D-E3AC44EC8524}" = Microsoft ASP.NET 2.0 AJAX Extensions 1.0
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0DDCEC37-369C-484B-B16D-B4413FD42FB9}" = Microsoft SQL Server 2008 R2 Data-Tier Application Framework
"{0F37D969-1260-419E-B308-EF7D29ABDE20}" = Web Deployment Tool
"{112C23F2-C036-4D40-BED4-0CB47BF5555C}" = Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
"{1389C6A4-4965-4AEC-9175-08B54A10FA48}" = Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
"{140BF0D0-E848-405C-9A01-D3256B918B6D}" = AuthenTec Fingerprint System
"{14DD7530-CCD2-3798-B37D-3839ED6A441C}" = Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F7FB4E3-09DA-E30D-1B68-05322B088C17}" = Catalyst Control Center Core Implementation
"{2012098D-EEE9-4769-8DD3-B038050854D4}" = Microsoft Silverlight 3 SDK
"{2020045B-8DCF-4449-8D5C-EB5BA37440F1}" = Microsoft SQL Server 2008 Management Studio
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{28F33104-29EE-D8E1-A7AF-C80EBDCDE93B}" = Catalyst Control Center Graphics Light
"{2A2F3AE8-246A-4252-BB26-1BEB45627074}" = Microsoft SQL Server System CLR Types
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2DCEFEFF-7831-4D79-BC28-11D1B8D7E076}" = Dell 5530 Wireless Broadband Package
"{39B49784-F8CE-B333-1105-C4D01DE40956}" = Catalyst Control Center Graphics Full Existing
"{3A9FC03D-C685-4831-94CF-4EDFD3749497}" = Microsoft SQL Server Compact 3.5 SP2 ENU
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3BB19A2B-B9C5-3872-8FDF-3047CC9F9841}" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{40416836-56CC-4C0E-A6AF-5C34BADCE483}" = Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
"{41B31ABE-5A6E-498A-8F28-3BA3B8779A41}" = Dotfuscator Software Services - Community Edition
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{437AB8E0-FB69-4222-B280-A64F3DE22591}" = Microsoft Visual Studio 2005 Professional Edition - ENU
"{43918518-4955-2631-EAAA-D96CD57460B5}" = ATI Catalyst Install Manager
"{44D4AF75-6870-41F5-9181-662EA05507E1}" = Microsoft Document Explorer 2005
"{451207CF-BDFE-3719-896D-EBFAB7614589}" = Microsoft Visual Studio 2010 SDK
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{47C39E4A-28F2-33B1-B9B7-97F24E52D917}" = Microsoft Help Viewer 1.0
"{4C9D82EB-9001-4E59-8F64-0BEEE5F4A30A}" = SQL Server 2008 R2 Database Engine Shared
"{4CA09BF7-1CFC-44B8-80EA-7B4D15D12DC5}" = Catalyst Control Center - Branding
"{4E968D9C-21A7-4915-B698-F7AEB913541D}" = Microsoft SQL Server 2008 R2 Management Objects
"{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}" = Cisco Systems VPN Client 5.0.04.0300
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{57F09CA4-E9CE-B17C-4E91-5E142F73F056}" = CCC Help English
"{60055595-7588-5911-7174-77CAC584317E}" = Catalyst Control Center Graphics Previews Common
"{625386A4-B6B6-4911-A6E8-23189C3F2D15}" = Microsoft .NET Compact Framework 2.0
"{6387EC83-B90B-3E84-3DBF-95FF7503EC51}" = Catalyst Control Center InstallProxy
"{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}" = Microsoft SQL Server Compact 3.5 SP1 Query Tools English
"{655B98B3-3531-FD75-D8DB-BF3001ECE619}" = Skins
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{6A86554B-8928-30E4-A53C-D7337689134D}" = Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
"{6C531060-84FB-4F96-8F33-29DF020632EB}" = Microsoft .NET Compact Framework 1.0 SP3 Developer
"{6CDEAD7E-F8D8-37F7-AB6F-1E22716E30F3}" = Microsoft Visual Studio Macro Tools
"{6D3963B0-E13B-4FC3-B0FF-506A304BB043}" = Cisco EAP-FAST Module
"{6D416A71-90F5-4237-9A94-08A3BB96EC04}" = AnkhSVN 2.1.7444.278
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{6ED37A91-7710-3183-BE50-AB043FF6689E}" = Microsoft Team Foundation Server 2010 Object Model - ENU
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72DE3C67-FB48-450E-8BEA-4EB1B3B5355D}" = Microsoft SQL Server 2008 R2 Setup (English)
"{74307C3F-EBD4-11D4-A4D9-0010A4C3AFF0}" = Macromedia HomeSite 5
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{78B75C6D-E53C-424C-BF83-4B63BD4A6682}" = Microsoft Device Emulator version 1.0 - ENU
"{78C3657E-742C-40B1-9F53-E5A921D40F17}" = Microsoft SQL Server 2008 R2 Transact-SQL Language Service
"{7C8EAD2B-A954-4F73-AAFC-C3EC60D49ADA}" = Microsoft SQL Server 2008 R2 RsFx Driver
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E63EB03-A4F3-4A68-1ED3-9292BA8A19D3}" = Creeper World
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{8FB1B528-E260-451E-9B55-E9152F94B80B}" = Microsoft Games for Windows - LIVE Redistributable
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{93998800-1608-403F-9A51-420A77D23C25}" = Sql Server Customer Experience Improvement Program
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{979F123B-9E26-4E20-BDC0-BF043F72B431}" = KWRemote
"{97CE8B73-AA5A-4987-A1BE-50DD1A187478}" = Microsoft Sync Framework SDK v1.0 SP1
"{9AF0B106-56F1-461B-A270-95BC1682E282}" = Broadcom Gigabit NetLink Controller
"{9C19FFB1-25FC-43FC-AC78-919E5E2A6DD0}" = TortoiseSVN 1.6.6.17493 (32 bit)
"{9F3F9881-7744-6878-A174-2AE85D22FDFE}" = Catalyst Control Center Graphics Previews Vista
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}" = Microsoft Visual Studio Tools for Applications 2.0 - ENU
"{AC41D924-8C68-4BD5-A7A1-0AE4176C31A6}" = Crystal Reports for Visual Studio
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{ACE28263-76A4-4BF5-B6F4-8BD719595969}" = Microsoft SQL Server Database Publishing Wizard 1.4
"{B3DAF54F-DB25-4586-9EF1-96D24BB14088}" = Windows Movie Maker 2.6
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B67C01B3-8502-4BE7-AEAB-BBDE910AD3EE}" = Microsoft Web Platform Installer 2.0
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{B7E38540-E355-3503-AFD7-635B2F2F76E1}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C5478934-7F74-5968-5D44-8134DFA195B7}" = ccc-utility
"{C6DD625F-4B61-4561-8286-87CA0275CEA1}" = Microsoft Sync Framework Runtime v1.0 SP1 (x86)
"{CACEA8C8-3D38-4F51-953D-1E6FC3346FEF}" = SQL Server 2008 R2 Common Files
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF9F2817-55FE-4740-B3D7-5E9A230AEF70}_is1" = Netstop 5.0.0.361
"{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}" = Microsoft .NET Framework 4 Multi-Targeting Pack
"{D441BD04-E548-4F8E-97A4-1B66135BAAA8}" = Microsoft SQL Server 2008 Setup Support Files
"{D6B15AE6-B052-363E-B6BB-C4714CBA6509}" = Microsoft Visual Studio 2010 Professional - ENU
"{D9D937B0-E842-4130-9588-B948E876904A}" = Microsoft SQL Server 2008 Native Client
"{DC3D6AFB-78B4-489F-81D7-30B66E0C2417}" = Microsoft Sync Services for ADO.NET v2.0 SP1 (x86)
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E5AE9031-79A5-4627-9641-BEFA82819B08}" = Microsoft SQL Server 2008 R2 Data-Tier Application Project
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EBCF3A03-71D6-9173-BE8B-7050C0B83E18}" = Catalyst Control Center Graphics Full New
"{EF2D9642-210A-5BDB-5488-9B9363B6EBE1}" = ccc-core-static
"{F021CC0C-21C3-4038-AA4A-6E3CBC669CE8}" = SQL Server 2008 R2 Database Engine Shared
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F97E3841-CA9D-4964-9D64-26066241D26F}" = Microsoft Games for Windows - LIVE
"{F990B526-8F7C-46E0-B1F1-6C893A8B478F}" = Microsoft Sync Framework Services v1.0 SP1 (x86)
"{FA9C3624-C693-4423-8A8B-2BC2B9F607AB}" = Microsoft SQL Server 2008 Management Studio
"{FC835376-FF3B-4CAA-83E0-2148B3FB7C98}" = SQL Server 2008 R2 Common Files
"60F2A1BE41869540DC68466F8713A3DD3659D58D" = Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (02/26/2008 8.0.10.100)
"Adobe AIR" = Adobe AIR
"Aspell English Dictionary_is1" = Aspell English Dictionary-0.50-2
"AVG9Uninstall" = AVG Free 9.0
"BitTornado" = BitTornado 0.3.17
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card Utility
"Continuum_is1" = Continuum 0.40
"FileZilla Client" = FileZilla Client 3.2.7
"GNU Aspell_is1" = GNU Aspell 0.50-3
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Document Explorer 2005" = Microsoft Document Explorer 2005
"Microsoft Help Viewer 1.0" = Microsoft Help Viewer 1.0
"Microsoft SQL Server 10" = Microsoft SQL Server 2008
"Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008
"Microsoft Team Foundation Server 2010 Object Model - ENU" = Microsoft Team Foundation Server 2010 Object Model - ENU
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"Microsoft Visual Studio 2010 Professional - ENU" = Microsoft Visual Studio 2010 Professional - ENU
"Microsoft Visual Studio 2010 Tools for Office Runtime (x86)" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"Microsoft Visual Studio Macro Tools" = Microsoft Visual Studio Macro Tools
"mIRC" = mIRC
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"Pidgin" = Pidgin
"roguescanfix_setup_is1" = roguescanfix 1.5
"Streamripper" = Streamripper (Remove only)
"TopStyle Lite (Version 3.0)" = TopStyle Lite (Version 3.0)
"VLC media player" = VLC media player 0.9.8a
"Winamp" = Winamp
"WinLiveSuite_Wave3" = Windows Live Essentials
"zMUD" = zMUD 7.21.0.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/15/2010 2:20:22 AM | Computer Name = lappy5000 | Source = EventSystem | ID = 4609
Description =

Error - 6/15/2010 2:21:18 AM | Computer Name = lappy5000 | Source = WinMgmt | ID = 10
Description =

Error - 6/15/2010 4:49:59 AM | Computer Name = lappy5000 | Source = Application Error | ID = 1000
Description = Faulting application SpybotSD.exe, version 1.6.2.46, time stamp 0x2a425e19,
faulting module SpybotSD.exe, version 1.6.2.46, time stamp 0x2a425e19, exception
code 0xc0000005, fault offset 0x0001eba2, process id 0x5c4, application start time
0x01cb0c65b391a8b0.

Error - 6/15/2010 4:58:38 AM | Computer Name = lappy5000 | Source = Application Error | ID = 1000
Description = Faulting application SpybotSD.exe, version 1.6.2.46, time stamp 0x2a425e19,
faulting module SpybotSD.exe, version 1.6.2.46, time stamp 0x2a425e19, exception
code 0xc0000005, fault offset 0x0001eba2, process id 0x6f8, application start time
0x01cb0c67e780a200.

Error - 6/15/2010 5:00:45 AM | Computer Name = lappy5000 | Source = Application Error | ID = 1000
Description = Faulting application SpybotSD.exe, version 1.6.2.46, time stamp 0x2a425e19,
faulting module SpybotSD.exe, version 1.6.2.46, time stamp 0x2a425e19, exception
code 0xc0000005, fault offset 0x0001eba2, process id 0x6d0, application start time
0x01cb0c68f7e05ae0.

Error - 6/15/2010 5:46:42 AM | Computer Name = lappy5000 | Source = Software Licensing Service | ID = 12291
Description = Key Management Service (KMS) failed to start. Info: hr=0xC004D301

Error - 6/15/2010 5:47:07 AM | Computer Name = lappy5000 | Source = WinMgmt | ID = 10
Description =

Error - 6/15/2010 11:14:11 AM | Computer Name = lappy5000 | Source = WinMgmt | ID = 10
Description =

Error - 6/15/2010 11:50:11 AM | Computer Name = lappy5000 | Source = Steam Client Service | ID = 1
Description =

Error - 6/15/2010 12:50:44 PM | Computer Name = lappy5000 | Source = Application Hang | ID = 1002
Description = The program OTL.exe version 3.2.6.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Problem Reports and Solutions control panel. Process
ID: f30 Start Time: 01cb0caac60c4a42 Termination Time: 16

[ Broadcom Wireless LAN Events ]
Error - 6/7/2010 1:23:48 PM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 10:23:48, Mon, Jun 07, 10 Error - User "" does not have administrative
privileges on this system

Error - 6/9/2010 5:59:56 AM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 02:59:56, Wed, Jun 09, 10 Error - User "" does not have administrative
privileges on this system

Error - 6/9/2010 5:59:56 AM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 02:59:56, Wed, Jun 09, 10 Error - User "" does not have administrative
privileges on this system

Error - 6/11/2010 6:22:45 AM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 03:22:45, Fri, Jun 11, 10 Error - User "" does not have administrative
privileges on this system

Error - 6/11/2010 6:22:45 AM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 03:22:45, Fri, Jun 11, 10 Error - User "" does not have administrative
privileges on this system

Error - 6/13/2010 11:12:50 PM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 20:12:50, Sun, Jun 13, 10 Error - User "" does not have administrative
privileges on this system

Error - 6/13/2010 11:12:50 PM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 20:12:50, Sun, Jun 13, 10 Error - User "" does not have administrative
privileges on this system

Error - 6/15/2010 12:35:34 AM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 21:35:34, Mon, Jun 14, 10 Error - User "" does not have administrative
privileges on this system

Error - 6/15/2010 2:18:35 AM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 23:18:35, Mon, Jun 14, 10 Error - User "" does not have administrative
privileges on this system

Error - 6/15/2010 11:07:52 AM | Computer Name = lappy5000 | Source = WLAN-Tray | ID = 0
Description = 08:07:52, Tue, Jun 15, 10 Error - User "" does not have administrative
privileges on this system

[ Media Center Events ]
Error - 8/8/2009 12:12:15 AM | Computer Name = lappy5000 | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 8/13/2009 8:23:09 PM | Computer Name = lappy5000 | Source = Mcx2Dvcs | ID = 405
Description =

Error - 3/1/2010 4:55:04 AM | Computer Name = lappy5000 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 6/15/2010 12:47:04 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =

Error - 6/15/2010 12:47:41 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =

Error - 6/15/2010 12:47:42 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =

Error - 6/15/2010 12:47:44 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =

Error - 6/15/2010 12:47:44 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =

Error - 6/15/2010 12:48:03 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =

Error - 6/15/2010 12:48:03 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =

Error - 6/15/2010 12:48:04 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =

Error - 6/15/2010 12:54:42 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =

Error - 6/15/2010 12:54:42 PM | Computer Name = lappy5000 | Source = Service Control Manager | ID = 7001
Description =


< End of report >



HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:37:05 AM, on 6/15/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: nmklo
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: KWRemote - Unknown owner - C:\Program Files\KioskLogix\KWRemote\kwrsvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: Netstop Print Service (NetstopPrintingService) - Kiosk Logix Inc - C:\Program Files\NetStopPro\ShellProServices.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SQL Server Browser (SQLBrowser) - Unknown owner - C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (file missing)
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 5837 bytes



GMER LOGS

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-15 10:41:02
Windows 6.0.6002 Service Pack 2
Running: el1b2mow.exe; Driver: C:\Users\urbn\AppData\Local\Temp\fftyipoc.sys


---- System - GMER 1.0.15 ----

INT 0x52 ? 853B8F00
INT 0x62 ? 853B8F00
INT 0x62 ? 853B8F00
INT 0x62 ? 853B8F00
INT 0x72 ? 853B8F00
INT 0x72 ? 853B8F00
INT 0x72 ? 853B8F00
INT 0x72 ? 853B8F00
INT 0xA2 ? 8531DBF8
INT 0xA2 ? 8531DBF8
INT 0xA2 ? 8531DBF8
INT 0xA2 ? 8531DBF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spzu.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8EE01000, 0x213FE7, 0xE8000020]
.text USBPORT.SYS!DllUnload 8F6CC41B 5 Bytes JMP 853B84E0
.text atm3vv4d.SYS 8BBAB000 22 Bytes [82, A3, 5C, 82, 6C, A2, 5C, ...]
.text atm3vv4d.SYS 8BBAB017 181 Bytes [00, 32, 27, 79, 80, 3D, 25, ...]
.text atm3vv4d.SYS 8BBAB0CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text atm3vv4d.SYS 8BBAB0DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]
.text atm3vv4d.SYS 8BBAB0E7 714 Bytes [00, F0, 0E, 00, 00, 00, 00, ...]
.text ...
? C:\Program Files\DAEMON Tools Lite\Engine.dll The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1448] ntdll.dll!NtProtectVirtualMemory 77A44D34 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1448] ntdll.dll!NtWriteVirtualMemory 77A45674 5 Bytes JMP 0094000A
.text C:\Windows\system32\svchost.exe[1448] ntdll.dll!KiUserExceptionDispatcher 77A45DC8 5 Bytes JMP 0091000A
.text C:\Windows\system32\svchost.exe[1448] ole32.dll!CoCreateInstance 77769EA6 5 Bytes JMP 009B000A
.text C:\Windows\system32\svchost.exe[1448] USER32.dll!GetCursorPos 76360B88 5 Bytes JMP 00F5000A
.text C:\Windows\Explorer.EXE[3960] ntdll.dll!NtProtectVirtualMemory 77A44D34 5 Bytes JMP 016B000A
.text C:\Windows\Explorer.EXE[3960] ntdll.dll!NtWriteVirtualMemory 77A45674 5 Bytes JMP 016C000A
.text C:\Windows\Explorer.EXE[3960] ntdll.dll!KiUserExceptionDispatcher 77A45DC8 5 Bytes JMP 016A000A
.text C:\Windows\system32\wuauclt.exe[3976] ntdll.dll!NtProtectVirtualMemory 77A44D34 5 Bytes JMP 0014000A
.text C:\Windows\system32\wuauclt.exe[3976] ntdll.dll!NtWriteVirtualMemory 77A45674 5 Bytes JMP 0015000A
.text C:\Windows\system32\wuauclt.exe[3976] ntdll.dll!KiUserExceptionDispatcher 77A45DC8 5 Bytes JMP 0013000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4252] ntdll.dll!NtProtectVirtualMemory 77A44D34 5 Bytes JMP 00AD000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4252] ntdll.dll!NtWriteVirtualMemory 77A45674 5 Bytes JMP 00AE000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4252] ntdll.dll!KiUserExceptionDispatcher 77A45DC8 5 Bytes JMP 008F000A
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtProtectVirtualMemory 77A44D34 5 Bytes JMP 006D000A
.text C:\Windows\explorer.exe[4816] ntdll.dll!NtWriteVirtualMemory 77A45674 5 Bytes JMP 006E000A
.text C:\Windows\explorer.exe[4816] ntdll.dll!KiUserExceptionDispatcher 77A45DC8 5 Bytes JMP 006C000A
? C:\Windows\TEMP\smov.tmp\svchost.exe[5336] number of sections mismatch; time/date stamp mismatch; unknown module: comdlg32.dllunknown module: COMCTL32.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806966D6] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80696042] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80696800] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806960C0] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069613E] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A5B90] \SystemRoot\System32\Drivers\spzu.sys
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortWritePortUchar] 838BBD1F
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F8BBCF0
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortStallExecution] 54771129
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortMoveMemory] 8B108910
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortInitialize] B18D0502
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8
IAT \SystemRoot\System32\Drivers\atm3vv4d.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!AppendMenuW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!PostMessageW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!GetClientRect] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!SetWindowLongA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!EndDialog] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!DefWindowProcA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!SetCursor] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!LoadStringW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!BeginPaint] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [USER32.dll!GetDesktopWindow] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!InterlockedExchange] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FindResourceA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!LCMapStringW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetLocaleInfoA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SetFileAttributesW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!WriteFile] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetSystemTime] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!ExitProcess] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FreeEnvironmentStringsW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!IsBadWritePtr] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!LCMapStringA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateFileMappingA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SystemTimeToFileTime] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetUserDefaultLCID] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrcpyW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrcpyA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!IsValidCodePage] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!HeapDestroy] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FindFirstFileW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrcpynW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!TlsGetValue] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetCurrentProcess] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateEventA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateMutexA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SetLastError] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetCPInfo] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetProcessHeap] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetStringTypeW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!VirtualQuery] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetConsoleOutputCP] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrcatW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetFileAttributesW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SizeofResource] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!LoadLibraryA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SetEndOfFile] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FindClose] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetACP] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!LoadLibraryW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetThreadLocale] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrcmpiW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FindNextFileW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!InterlockedDecrement] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateMutexW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateFileW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetSystemDirectoryA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateProcessA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateDirectoryW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CloseHandle] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!TlsAlloc] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetOEMCP] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetFileSize] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!LockResource] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetSystemDirectoryW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!LocalAlloc] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetConsoleMode] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GlobalUnlock] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!WaitForMultipleObjects] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!OutputDebugStringA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GlobalFree] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!VirtualProtect] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetVersionExA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetCurrentDirectoryW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!TlsFree] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FindFirstFileA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!RaiseException] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FormatMessageW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetModuleHandleW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!DeviceIoControl] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetFileAttributesA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetWindowsDirectoryA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!ResetEvent] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetCurrentThread] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!LoadResource] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetStringTypeA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrcmpW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!DisableThreadLibraryCalls] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!HeapFree] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SetErrorMode] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!ReleaseMutex] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetEnvironmentStringsW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetWindowsDirectoryW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetCommandLineA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetVersionExW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetLocalTime] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateProcessW] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetModuleHandleA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetModuleFileNameA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GlobalAlloc] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!InterlockedIncrement] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CompareStringA] 00006194
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!ReadFile] 0000616E
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetTickCount] 00006160
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GlobalLock] 000061A6
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FreeLibrary] 000061B6
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrcmpiA] 000061C6
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FreeEnvironmentStringsA] 000061D8
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetSystemInfo] 000061E6
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!TerminateProcess] 00006182
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrcmpA] 00000000
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CompareStringW] 00005F2A
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!DuplicateHandle] 00005F1A
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!MultiByteToWideChar] 00005F08
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!VirtualAlloc] 00005EF2
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateThread] 00005EE2
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!LoadLibraryExW] 00005ED2
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrlenW] 00005EBC
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FileTimeToSystemTime] 00005E9E
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetLocaleInfoW] 00005E8E
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!DeleteFileW] 00005E78
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!MulDiv] 00005E70
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!lstrcpynA] 00005E5C
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetVersion] 00005E48
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!TlsSetValue] 00005E34
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!IsBadReadPtr] 00005E24
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!UnmapViewOfFile] 00005E12
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateEventW] 00005F40
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 00005DF2
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!LocalFree] 00005FF2
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SetFilePointer] 00006014
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 00006022
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!InitializeCriticalSectionAndSpinCount] 00006032
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!HeapCreate] 0000604A
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SetHandleCount] 00006056
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetProcAddress] 00006076
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetEnvironmentStrings] 00006086
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!WaitForSingleObject] 000060A2
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!CreateFileA] 000060BA
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!MapViewOfFile] 000060C6
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SetStdHandle] 000060D4
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!SetEvent] 00005F60
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetModuleFileNameW] 00005F6E
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetLastError] 00005F7A
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FormatMessageA] 00005F8A
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetFileType] 00005F9A
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!Sleep] 00005FB6
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!GetStartupInfoA] 00005FC6
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!FindResourceW] 00005FD4
IAT C:\Windows\TEMP\smov.tmp\svchost.exe[5336] @ C:\Windows\TEMP\smov.tmp\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 00005E02

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85CB81F8
Device \FileSystem\fastfat \FatCdrom 880561F8
Device \Driver\volmgr \Device\VolMgrControl 85CB31F8
Device \Driver\usbuhci \Device\USBPDO-0 86B721F8
Device \Driver\usbuhci \Device\USBPDO-1 86B721F8
Device \Driver\usbehci \Device\USBPDO-2 86B7C1F8
Device \Driver\usbuhci \Device\USBPDO-3 86B721F8
Device \Driver\usbuhci \Device\USBPDO-4 86B721F8

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 86B721F8
Device \Driver\usbehci \Device\USBPDO-6 86B7C1F8
Device \Driver\volmgr \Device\HarddiskVolume1 85CB31F8
Device \Driver\volmgr \Device\HarddiskVolume2 85CB31F8
Device \Driver\cdrom \Device\CdRom0 8704B1F8
Device \Driver\cdrom \Device\CdRom1 8704B1F8
Device \Driver\atapi \Device\Ide\IdePort0 85CB51F8
Device \Driver\atapi \Device\Ide\IdePort1 85CB51F8
Device \Driver\atapi \Device\Ide\IdePort2 85CB51F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 85CB51F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 85CB61F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 85CB61F8
Device \Driver\msahci \Device\Ide\PciIde0Channel2 85CB61F8
Device \Driver\volmgr \Device\HarddiskVolume3 85CB31F8
Device \Driver\volmgr \Device\HarddiskVolume4 85CB31F8
Device \Driver\netbt \Device\NetBt_Wins_Export 877111F8
Device \Driver\netbt \Device\NetBT_Tcpip_{5753E5BD-0005-4563-8553-1CA8E03A796D} 877111F8
Device \Driver\Smb \Device\NetbiosSmb 877131F8
Device \Driver\iScsiPrt \Device\RaidPort0 874401F8
Device \Driver\PCI_PNP4246 \Device\0000005c spzu.sys

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 86B721F8
Device \Driver\sptd \Device\760370272 spzu.sys
Device \Driver\usbuhci \Device\USBFDO-1 86B721F8
Device \Driver\usbehci \Device\USBFDO-2 86B7C1F8
Device \Driver\usbuhci \Device\USBFDO-3 86B721F8
Device \Driver\usbuhci \Device\USBFDO-4 86B721F8
Device \Driver\usbuhci \Device\USBFDO-5 86B721F8
Device \Driver\usbehci \Device\USBFDO-6 86B7C1F8
Device \Driver\atm3vv4d \Device\Scsi\atm3vv4d1Port4Path0Target0Lun0 870551F8
Device \Driver\atm3vv4d \Device\Scsi\atm3vv4d1 870551F8
Device \FileSystem\fastfat \Fat 880561F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 8597B1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x1B 0x70 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEE 0x6D 0x63 0x72 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0xE2 0xFB 0x2E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x1B 0x70 0xD6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEE 0x6D 0x63 0x72 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0xE2 0xFB 0x2E ...

---- EOF - GMER 1.0.15 ----

#2 urbn
  • Topic Starter
  • Members
  • 2 posts

Posted 15 June 2010 - 01:42 PM

I decided to run ComboFix on my system. I'm not sure if it has helped though. It did find a few files it did not like, but I think this was related to DAEMON Tools Lite.

Here is the combofix.txt log file:

ComboFix 10-06-15.01 - urbn 06/15/2010  11:02:34.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3581.2805 [GMT -7:00]
Running from: c:\users\urbn\Downloads\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\st325881.dll
c:\windows\system32\st326162.dll

Infected copy of c:\windows\system32\drivers\mountmgr.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((   Files Created from 2010-05-15 to 2010-06-15  )))))))))))))))))))))))))))))))
.
2010-06-15 16:46 . 2010-06-15 16:47    --------    d-----w-    c:\program files\roguescanfix
2010-06-15 15:56 . 2010-06-15 15:56    --------    d-----w-    c:\users\urbn\AppData\Local\AVG Security Toolbar
2010-06-15 15:35 . 2010-06-15 16:27    --------    d-----w-    c:\users\urbn\AppData\Local\VirtualStore
2010-06-15 15:10 . 2010-06-15 15:10    --------    d-----w-    C:\found.000
2010-06-15 10:22 . 2010-06-15 10:22    --------    d-----w-    c:\users\urbn\AppData\Roaming\Malwarebytes
2010-06-15 10:22 . 2010-04-29 22:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-15 10:22 . 2010-06-15 10:22    --------    d-----w-    c:\programdata\Malwarebytes
2010-06-15 10:22 . 2010-06-15 10:22    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-06-15 10:22 . 2010-04-29 22:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-06-15 09:57 . 2010-06-15 09:57    388096    ----a-r-    c:\users\urbn\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-15 09:57 . 2010-06-15 09:57    --------    d-----w-    c:\program files\Trend Micro
2010-06-15 09:48 . 2010-06-15 09:48    --------    d-----w-    c:\users\urbn\AppData\Local\ATI
2010-06-15 08:24 . 2010-06-15 08:24    --------    d-----w-    c:\users\urbn\AppData\Local\Deployment
2010-06-15 08:24 . 2010-06-15 08:24    --------    d-----w-    c:\users\urbn\AppData\Local\Apps
2010-06-15 07:03 . 2010-06-15 07:03    680    ----a-w-    c:\users\urbn\AppData\Local\d3d9caps.dat
2010-06-15 04:53 . 2010-06-15 04:53    --------    d-----w-    C:\$AVG
2010-06-15 04:33 . 2010-06-15 04:33    29512    ----a-w-    c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-15 04:33 . 2010-06-15 04:33    242896    ----a-w-    c:\programdata\avg9\update\backup\avgtdix.sys
2010-06-15 04:19 . 2010-06-15 04:19    12464    ----a-w-    c:\windows\system32\avgrsstx.dll
2010-06-15 04:19 . 2010-06-15 04:33    242896    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2010-06-15 04:19 . 2010-06-15 04:19    216200    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2010-06-15 04:19 . 2010-06-15 04:33    29584    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2010-06-15 04:19 . 2010-06-15 15:26    --------    d-----w-    c:\windows\system32\drivers\Avg
2010-06-15 04:19 . 2010-06-15 04:32    --------    d-----w-    c:\programdata\AVG Security Toolbar
2010-06-15 04:14 . 2010-06-15 04:14    --------    d-----w-    c:\program files\AVG
2010-06-15 04:14 . 2010-06-15 04:14    --------    d-----w-    c:\programdata\avg9
2010-06-14 21:06 . 2010-06-14 21:20    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2010-06-13 23:41 . 2010-06-13 23:41    1201    ----a-w-    c:\users\urbn\AppData\Roaming\.purple\certificates\x509\tls_peers\login.facebook.com
2010-06-13 22:24 . 2010-06-13 22:24    2157    ----a-w-    c:\users\urbn\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-06-13 22:24 . 2010-06-13 22:24    2095    ----a-w-    c:\users\urbn\AppData\Roaming\.purple\certificates\x509\tls_peers\login.live.com
2010-06-13 22:23 . 2010-06-13 22:23    1691    ----a-w-    c:\users\urbn\AppData\Roaming\.purple\certificates\x509\tls_peers\api.screenname.aol.com
2010-06-13 22:23 . 2010-06-13 22:23    1073    ----a-w-    c:\users\urbn\AppData\Roaming\.purple\certificates\x509\tls_peers\talk.google.com
2010-06-10 21:24 . 2010-05-01 14:13    2037248    ----a-w-    c:\windows\system32\win32k.sys
2010-06-08 19:13 . 2010-06-08 19:13    --------    d-----w-    c:\users\urbn\VSWebCache
2010-06-07 10:15 . 2010-06-07 10:15    --------    d-----w-    c:\program files\Windows Portable Devices
2010-06-06 21:25 . 2009-09-25 01:49    1554432    ----a-w-    c:\windows\system32\xpsservices.dll
2010-06-06 21:24 . 2009-10-08 21:07    4096    ----a-w-    c:\windows\system32\oleaccrc.dll
2010-06-06 21:24 . 2009-10-08 21:08    555520    ----a-w-    c:\windows\system32\UIAutomationCore.dll
2010-06-06 21:24 . 2009-10-08 21:08    234496    ----a-w-    c:\windows\system32\oleacc.dll
2010-06-06 20:55 . 2010-01-06 15:39    1696256    ----a-w-    c:\windows\system32\gameux.dll
2010-06-06 20:55 . 2010-01-06 15:38    28672    ----a-w-    c:\windows\system32\Apphlpdm.dll
2010-06-06 20:55 . 2010-01-06 13:30    4240384    ----a-w-    c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-06 20:32 . 2010-06-06 20:32    --------    d-----w-    c:\windows\system32\ca-ES
2010-06-06 20:32 . 2010-06-06 20:32    --------    d-----w-    c:\windows\system32\eu-ES
2010-06-06 20:32 . 2010-06-06 20:32    --------    d-----w-    c:\windows\system32\vi-VN
2010-06-06 20:26 . 2010-06-06 20:26    --------    d-----w-    c:\windows\system32\SPReview
2010-06-06 20:18 . 2009-04-11 06:28    928768    ----a-w-    c:\windows\system32\scavenge.dll
2010-06-06 20:16 . 2009-04-11 06:28    627712    ----a-w-    c:\windows\system32\user32.dll
2010-06-06 20:15 . 2010-06-06 20:15    --------    d-----w-    c:\windows\system32\EventProviders
2010-06-06 03:03 . 2010-06-06 03:05    --------    d-----w-    c:\program files\Microsoft Visual Studio 2010 SDK
2010-06-06 02:58 . 2010-06-06 02:58    --------    d-----w-    c:\users\urbn\AppData\Roaming\SnippetDesigner
2010-06-06 00:09 . 2010-06-06 00:09    348256    ----a-w-    c:\programdata\Microsoft\VSTAHost\SSIS_ScriptComponent\9.0\1033\ResourceCache.dll
2010-06-06 00:08 . 2010-06-06 00:08    348256    ----a-w-    c:\programdata\Microsoft\VSTAHost\SSIS_ScriptTask\9.0\1033\ResourceCache.dll
2010-06-06 00:04 . 2010-06-06 00:04    416    ----a-w-    c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-06-05 23:26 . 2010-06-05 23:26    --------    d-----w-    c:\users\urbn\AppData\Roaming\Microsoft Corporation
2010-06-05 23:14 . 2010-06-06 00:01    --------    d-----w-    c:\program files\Microsoft SQL Server
2010-06-05 23:13 . 2010-06-05 23:13    --------    d-----w-    c:\program files\Microsoft Sync Framework
2010-06-05 23:13 . 2010-06-05 23:13    --------    d-----w-    c:\program files\Microsoft SQL Server Compact Edition
2010-06-05 23:08 . 2010-06-05 23:08    --------    d-----w-    c:\program files\IIS
2010-06-05 23:07 . 2010-06-05 23:07    18368    ----a-w-    c:\programdata\Microsoft\VSA\9.0\1033\ResourceCache.dll
2010-06-05 23:07 . 2010-06-05 23:19    1920288    ----a-w-    c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2010-06-05 23:03 . 2010-06-06 00:02    --------    d-----w-    c:\windows\system32\1033
2010-06-05 23:02 . 2010-06-05 23:14    --------    d-----w-    c:\program files\Microsoft SDKs
2010-06-05 23:02 . 2010-06-05 23:12    --------    d-----w-    c:\program files\Microsoft Visual Studio 10.0
2010-06-05 23:02 . 2010-06-05 23:02    --------    d-----w-    c:\program files\Microsoft Help Viewer
2010-06-05 22:29 . 2009-11-08 17:55    99176    ----a-w-    c:\windows\system32\PresentationHostProxy.dll
2010-06-05 22:29 . 2009-11-08 17:55    49472    ----a-w-    c:\windows\system32\netfxperf.dll
2010-06-05 22:29 . 2009-11-08 17:55    297808    ----a-w-    c:\windows\system32\mscoree.dll
2010-06-05 22:29 . 2009-11-08 17:55    295264    ----a-w-    c:\windows\system32\PresentationHost.exe
2010-06-05 22:29 . 2009-11-08 17:55    1130824    ----a-w-    c:\windows\system32\dfshim.dll
2010-06-05 22:09 . 2010-06-05 22:09    --------    d-----w-    c:\programdata\DAEMON Tools Lite
2010-06-05 20:02 . 2010-06-05 20:02    --------    d-----w-    c:\users\urbn\AppData\Local\Microsoft_Corporation
2010-06-05 19:54 . 2010-06-05 19:54    --------    d-----w-    c:\windows\system32\RsFx
2010-06-04 03:24 . 2010-06-04 03:24    --------    d-----w-    c:\program files\Microsoft Synchronization Services
2010-06-04 03:22 . 2010-06-04 03:22    --------    d-----w-    c:\program files\Microsoft Analysis Services
2010-06-04 03:21 . 2010-06-04 03:21    --------    d-----r-    C:\MSOCache
2010-05-26 06:49 . 2010-04-23 14:13    2048    ----a-w-    c:\windows\system32\tzres.dll
2010-05-17 15:46 . 2010-05-17 15:46    --------    d-----w-    c:\users\urbn\AppData\Roaming\streamripper
2010-05-17 15:45 . 2010-05-17 15:45    --------    d-----w-    c:\program files\Streamripper
2010-05-16 20:09 . 2010-05-16 20:10    --------    d-----w-    C:\eZship

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 18:09 . 2010-06-15 09:54    7346    ----a-w-    c:\windows\system32\PerfStringBackup.TMP
2010-06-15 16:21 . 2009-10-14 00:32    --------    d-----w-    c:\users\urbn\AppData\Roaming\Turbine
2010-06-15 09:47 . 2009-05-02 06:33    --------    d-----w-    c:\program files\Google
2010-06-15 09:28 . 2010-05-15 18:21    --------    d-----w-    c:\program files\Winamp
2010-06-14 21:37 . 2009-07-27 22:59    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-06-14 03:09 . 2010-04-04 16:43    --------    d-----w-    c:\users\urbn\AppData\Roaming\.purple
2010-06-11 10:22 . 2006-11-02 11:18    --------    d-----w-    c:\program files\Windows Mail
2010-06-08 01:39 . 2009-08-13 18:26    --------    d-----w-    c:\users\urbn\AppData\Roaming\FileZilla
2010-06-07 10:15 . 2006-11-02 10:25    665600    ----a-w-    c:\windows\inf\drvindex.dat
2010-06-07 10:15 . 2010-06-07 10:15    0    ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-06-07 10:15 . 2010-06-07 10:15    0    ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-06-07 03:37 . 2009-12-16 07:13    --------    d-----w-    c:\users\urbn\AppData\Roaming\mIRC
2010-06-07 03:31 . 2010-05-13 19:31    --------    d-----w-    c:\program files\mIRC
2010-06-06 20:32 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Sidebar
2010-06-06 20:32 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Calendar
2010-06-06 20:32 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Photo Gallery
2010-06-06 20:32 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Defender
2010-06-06 03:05 . 2009-07-20 22:56    --------    d-----w-    c:\programdata\Microsoft Help
2010-06-05 23:11 . 2006-11-02 12:37    --------    d-----w-    c:\program files\MSBuild
2010-06-05 23:08 . 2010-01-08 03:17    --------    d-----w-    c:\program files\Microsoft ASP.NET
2010-06-05 23:03 . 2009-07-20 22:57    --------    d-----w-    c:\program files\Common Files\Merge Modules
2010-06-05 22:29 . 2009-07-20 22:57    --------    d-----w-    c:\program files\Microsoft.NET
2010-06-05 22:10 . 2009-05-27 02:47    691696    ----a-w-    c:\windows\system32\drivers\sptd.sys
2010-06-05 18:58 . 2009-08-17 19:01    --------    d-----w-    c:\program files\Microsoft
2010-06-04 22:26 . 2009-01-31 01:24    83896    ----a-w-    c:\users\urbn\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-04 20:25 . 2009-07-30 16:50    21504    ----a-w-    c:\windows\system32\drivers\NSKbFiltrVista.sys
2010-06-04 20:25 . 2009-07-30 16:49    --------    d-----w-    c:\program files\NetstopPro
2010-06-04 02:28 . 2009-07-24 16:20    --------    d-----w-    c:\program files\Common Files\Adobe
2010-05-26 17:06 . 2010-06-10 21:25    34304    ----a-w-    c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 21:25    289792    ----a-w-    c:\windows\system32\atmfd.dll
2010-05-20 17:41 . 2010-04-21 19:36    --------    d-----w-    c:\users\urbn\AppData\Roaming\gtk-2.0
2010-05-20 02:11 . 2010-05-15 18:21    --------    d-----w-    c:\users\urbn\AppData\Roaming\Winamp
2010-05-18 18:38 . 2009-09-25 07:11    --------    d-----w-    c:\program files\zMUD
2010-05-15 18:21 . 2010-05-15 18:21    --------    d-----w-    c:\program files\Common Files\PX Storage Engine
2010-05-14 17:40 . 2010-05-13 19:34    104584    ---ha-w-    c:\windows\system32\mlfcache.dat
2010-05-12 18:21 . 2009-10-09 00:01    221568    ------w-    c:\windows\system32\MpSigStub.exe
2010-05-05 05:04 . 2010-05-05 05:04    1791    ----a-w-    c:\users\urbn\AppData\Roaming\.purple\certificates\x509\tls_peers\bos.oscar.aol.com
2010-05-05 05:04 . 2010-05-05 05:04    1505    ----a-w-    c:\users\urbn\AppData\Roaming\.purple\certificates\x509\tls_peers\slogin.oscar.aol.com
2010-05-04 05:59 . 2010-06-10 21:25    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 21:25    71680    ----a-w-    c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-10 21:25    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-10 21:25    133632    ----a-w-    c:\windows\system32\ieUnatt.exe
2010-05-01 08:06 . 2010-05-01 08:06    --------    d-----w-    c:\users\urbn\AppData\Roaming\Aivea
2010-04-29 02:33 . 2010-04-29 02:33    --------    d-----w-    c:\program files\Microsoft Games for Windows - LIVE
2010-04-29 00:46 . 2010-04-14 02:11    --------    d-----w-    c:\program files\KnuckleCracker
2010-04-27 21:45 . 2010-04-27 21:45    72856    ----a-w-    c:\windows\system32\xliveinstallhost.exe
2010-04-27 21:45 . 2010-04-27 21:45    187544    ----a-w-    c:\windows\system32\xliveinstall.dll
2010-04-23 20:10 . 2010-04-23 20:10    690952    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-22 04:18 . 2010-04-04 16:42    --------    d-----w-    c:\program files\Pidgin
2010-04-17 21:15 . 2010-04-14 02:11    --------    d-----w-    c:\users\urbn\AppData\Roaming\CreeperWorld
2010-04-09 17:19 . 2010-04-09 17:19    38784    ----a-w-    c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-09 17:19 . 2009-07-24 16:20    38784    ----a-w-    c:\users\urbn\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-05 17:01 . 2010-06-10 21:25    67072    ----a-w-    c:\windows\system32\asycfilt.dll
2010-04-03 18:55 . 2010-04-03 18:55    31072    ----a-w-    c:\windows\system32\DTSPipelinePerf100.dll
2010-04-03 18:02 . 2010-04-03 18:02    240608    ----a-w-    c:\windows\system32\drivers\RsFx0150.sys
2010-04-03 00:17 . 2010-04-03 00:17    15426200    ----a-w-    c:\windows\system32\xlive.dll
2010-04-03 00:17 . 2010-04-03 00:17    13642904    ----a-w-    c:\windows\system32\xlivefnt.dll
2010-03-26 17:33 . 2010-05-01 04:58    1496064    ----a-w-    c:\users\urbn\AppData\Roaming\Mozilla\Firefox\Profiles\fogc435d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 17:33 . 2010-05-01 04:58    43008    ----a-w-    c:\users\urbn\AppData\Roaming\Mozilla\Firefox\Profiles\fogc435d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 17:33 . 2010-05-01 04:58    339456    ----a-w-    c:\users\urbn\AppData\Roaming\Mozilla\Firefox\Profiles\fogc435d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 17:32 . 2010-05-01 04:58    346112    ----a-w-    c:\users\urbn\AppData\Roaming\Mozilla\Firefox\Profiles\fogc435d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-19 06:21 . 2010-03-19 06:21    269144    ----a-w-    c:\windows\system32\vsjitdebugger.exe
2010-03-18 23:47 . 2010-03-18 23:47    17760    ----a-w-    c:\windows\system32\aspnet_counters.dll
2010-03-18 20:16 . 2010-03-18 20:16    771424    ----a-w-    c:\windows\system32\msvcr100_clr0400.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-02-28 09:20    561552    ----a-w-    c:\progra~1\MICROS~4\Office14\URLREDIR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55    85768    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55    85768    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55    85768    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55    85768    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55    85768    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55    85768    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55    85768    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55    85768    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-14 02:55    85768    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-03-13 3563520]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483428]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-15 2065248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):20,fc,f8,e8,b8,05,cb,01

R0 a347bus;a347bus;c:\windows\system32\DRIVERS\a347bus.sys [2004-08-23 158720]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-02-29 548352]
R3 automap;Automap MIDI Driver Service;c:\windows\system32\DRIVERS\automap.sys [2009-06-29 7168]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-04-19 430152]
R3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\DRIVERS\nvnusbaudio.sys [2009-08-10 29184]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-06-05 691696]
S0 a347scsi;a347scsi;c:\windows\System32\Drivers\a347scsi.sys [2004-04-30 5248]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-06-15 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-06-15 242896]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-17 81920]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-02-29 1053944]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-06-15 308064]
S2 KWRemote;KWRemote;c:\program files\KioskLogix\KWRemote\kwrsvc.exe [2008-09-09 40960]
S2 NetstopPrintingService;Netstop Print Service;c:\program files\NetStopPro\ShellProServices.exe [2009-05-13 593408]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-03-08 62496]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-01-30 203264]
S3 NetStopKBFiltr;NetStopKBFiltr;c:\windows\System32\Drivers\NSKbFiltrVista.sys [2010-06-04 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: localhost
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\users\urbn\AppData\Roaming\Mozilla\Firefox\Profiles\fogc435d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\urbn\AppData\Roaming\Mozilla\Firefox\Profiles\fogc435d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-15 11:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-15  11:15:53
ComboFix-quarantined-files.txt  2010-06-15 18:15
Pre-Run: 13,267,906,560 bytes free
Post-Run: 13,213,945,856 bytes free

- - End Of File - - 9BC2FFAEA6B0C11365792DDAC211C965


EDIT: Moved from Vista to Malware Removal Logs ~ Hamluis.

Edited by hamluis, 15 June 2010 - 02:09 PM.


#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:58 AM

Posted 21 June 2010 - 02:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:58 AM

Posted 24 June 2010 - 10:50 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
