Haxdoor.hm (trojan) [RESOLVED]


#31 kelkay (Topic Starter)
C:\cleanup.bat is in the Malwarebytes quarantine file. It saw it as Trojan.Agent

#32 kelkay (Topic Starter)
Kaspersky is finding a few things on a Rootkit Scan.
detected: Trojan program Backdoor.Win32.Hupigon.dckd File: C:\HaxFix.exe//UPX

detected: Trojan program Backdoor.Win32.Hupigon.dckd File: C:\HaxFix.exe//UPX//8//UPX

detected: virus Heur.Invader (modification) File: C:\Documents and Settings\Kelly\Desktop\haxfix.exe//UPX//0

detected: Trojan program Backdoor.Win32.Hupigon.dckd File: C:\Documents and Settings\Kelly\Desktop\haxfix.exe//UPX//8//UPX

detected: virus Heur.Invader (modification) File: C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\1B854364d01//UPX//0


detected: Trojan program Backdoor.Win32.Hupigon.dckd File: C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\1B854364d01//UPX//8//UPX


detected: virus Heur.Invader (modification) File: C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\6D952C06d01//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe

detected: virus Heur.Invader (modification) File: C:\HaxFix\catchme.exe

detected: Trojan program Backdoor.Win32.Hupigon.dckd File: C:\HaxFix\swsc.exe//UPX

not found: virus Heur.Invader (modification) File: C:\HaxFix.exe//UPX//0

This is so far, the scan is not through yet.

It may be all a false positive on the haxfix....
detected: Trojan program Backdoor.Win32.Hupigon.dckd

Do I have a backdoor trojan again? I had one before. I am wondering if this same person has hacked into my computer again.

Edited by kelkay, 05 August 2008 - 01:55 PM.

#33 Mike (Malware Monger, Retired Staff)
Hi there :)

It seems the CFScript didn't go through properly; there was a bug in CF. What I would like you to do is delete your current copy of ComboFix and download it from here: http://subs.geekstogo.com/ComboFix.exe

Then follow the previous instructions on how to make and use a CFScript, but with the following one.
File::
C:\WINDOWS\system32\70C.tmp
C:\WINDOWS\system32\6AB.tmp
C:\WINDOWS\system32\699.tmp
C:\WINDOWS\system32\698.tmp
C:\zip.exe
C:\cleanup.exe

Let's get an online scan as well.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Edited by Mike, 05 August 2008 - 01:21 PM.
Re-did instructions

#34 Mike (Malware Monger, Retired Staff)
For the Kaspersky results - they are false positives as far as I can see.

catchme.cfexe <- related to combofix
HaxFix <- related to haxfix of course.
swsc.exe <- Bobbi Fleckman's improved SC.exe.

And for the FireFox, we just need to empty your cache. If possible do this before the Kaspersky part.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

#35 kelkay (Topic Starter)
ComboFix 08-08-05.02 - Kelly 2008-08-06 11:09:47.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.409 [GMT -5:00]
Running from: C:\Documents and Settings\Kelly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kelly\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\cleanup.exe
C:\WINDOWS\system32\698.tmp
C:\WINDOWS\system32\699.tmp
C:\WINDOWS\system32\6AB.tmp
C:\WINDOWS\system32\70C.tmp
C:\zip.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
C:\WINDOWS\system32\698.tmp
C:\WINDOWS\system32\699.tmp
C:\WINDOWS\system32\6AB.tmp
C:\WINDOWS\system32\70C.tmp
C:\zip.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-05 11:26 . 2008-08-05 11:35 <DIR> d-------- C:\HaxFix
2008-08-05 11:26 . 2008-08-05 12:19 466,502 --a------ C:\HaxFix.exe
2008-08-03 16:37 . 2008-08-03 16:37 <DIR> d-------- C:\Deckard
2008-07-29 14:12 . 2008-07-29 14:12 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-07-29 14:11 . 2008-07-29 14:14 <DIR> d-------- C:\Program Files\ATT
2008-07-29 10:20 . 2008-07-29 10:21 492 --a------ C:\Documents and Settings\Kelly\Application Data\wklnhst.dat
2008-07-26 13:57 . 2008-07-26 13:57 <DIR> d-------- C:\Program Files\ERUNT
2008-07-26 13:43 . 2008-07-28 15:24 <DIR> d-------- C:\Program Files\Trillian
2008-07-26 13:24 . 2008-07-26 13:24 <DIR> d-------- C:\Program Files\InterMute
2008-07-26 01:07 . 2008-08-06 09:42 38,400 --a------ C:\WINDOWS\system32\pcdhdm.cpl
2008-07-26 00:01 . 2008-07-26 01:07 <DIR> d-------- C:\Program Files\PC-Doctor 5 for Windows
2008-07-22 20:51 . 2008-07-22 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-19 14:37 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-17 21:50 . 2008-07-17 21:51 <DIR> d-------- C:\Program Files\FlySim
2008-07-15 09:08 . 2008-07-15 09:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-15 09:08 . 2008-08-06 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 09:08 . 2008-08-06 11:11 36,786,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-15 09:08 . 2008-08-06 01:25 493,244 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-15 09:08 . 2008-08-06 11:12 274,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-15 09:08 . 2008-07-24 08:58 96,559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-15 09:08 . 2008-07-24 08:58 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-15 09:08 . 2008-08-06 01:25 26,516 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-15 09:06 . 2008-07-15 09:06 <DIR> d-------- C:\kav
2008-07-11 10:24 . 2008-07-11 10:24 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\abelhadigital.com
2008-07-11 10:24 . 2008-07-11 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
2008-07-11 10:21 . 2008-08-04 14:56 6,735,942 --a------ C:\backup.reg
2008-07-09 18:45 . 2008-07-09 18:45 <DIR> d-------- C:\Program Files\Tall Emu
2008-07-09 18:45 . 2008-08-06 11:08 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\OnlineArmor
2008-07-09 18:45 . 2008-08-06 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-07-09 18:45 . 2008-07-09 19:05 75,776 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-07-09 18:45 . 2008-04-17 05:22 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-07-09 18:45 . 2008-07-09 19:05 25,600 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-07-09 09:55 . 2008-06-20 06:51 361,600 --------- C:\WINDOWS\system32\drivers\tcpip.sys
2008-07-09 09:55 . 2008-06-20 06:08 225,856 --------- C:\WINDOWS\system32\drivers\tcpip6.sys
2008-07-09 09:55 . 2008-06-20 06:40 138,496 --------- C:\WINDOWS\system32\drivers\afd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 20:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 20:35 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-04 17:35 --------- d-----w C:\Program Files\Lavasoft
2008-08-02 18:06 --------- d-----w C:\Program Files\Paltalk Messenger
2008-07-31 23:00 --------- d-----w C:\Program Files\Java
2008-07-31 22:50 --------- d-----w C:\Program Files\Common Files\Real
2008-07-31 18:15 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 18:12 --------- d-----w C:\Program Files\SpywareGuard
2008-07-31 01:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 20:17 --------- d-----w C:\Program Files\TVK - CoolText Extreme
2008-07-26 03:13 --------- d-----w C:\Program Files\SpeedFan
2008-07-25 21:04 --------- d-----w C:\Program Files\OpenTalk
2008-07-21 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-16 10:29 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2008-07-16 10:29 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2008-07-15 14:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-10 02:00 --------- d-----w C:\Program Files\HP
2008-07-10 01:52 --------- d-----w C:\Program Files\kontiki
2008-07-10 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-04 19:02 --------- d-----w C:\Program Files\HostsMan
2008-07-04 03:34 --------- d-----w C:\Program Files\HD Tune
2008-07-02 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-02 16:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-29 23:15 --------- d-----w C:\Program Files\Napster
2008-06-29 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\RunOff
2008-06-29 15:55 --------- d-----w C:\Program Files\MSECache
2008-06-28 22:03 --------- d-----w C:\Program Files\Yahoo!
2008-06-28 22:03 --------- d-----w C:\Program Files\SureThing
2008-06-28 22:03 --------- d-----w C:\Program Files\QuickTime
2008-06-28 22:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 22:02 --------- d-----w C:\Program Files\Logitech
2008-06-28 22:02 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-28 22:02 --------- d-----w C:\Program Files\GemMaster
2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\aolshare
2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-28 22:02 --------- d-----w C:\Program Files\CD to MP3 Freeware
2008-06-28 22:02 --------- d-----w C:\Program Files\BitComet
2008-06-28 22:02 --------- d-----w C:\Program Files\Audible
2008-06-28 19:40 --------- d-----w C:\Program Files\ESET
2008-06-28 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-06-28 19:34 --------- d-----w C:\Documents and Settings\Kelly\Application Data\SUPERAntiSpyware.com
2008-06-28 19:24 --------- d-----w C:\Program Files\DrWeb
2008-06-28 17:09 --------- d-----w C:\Program Files\WinUpdatesList
2008-06-28 16:59 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-06-28 05:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-28 04:32 --------- d-----w C:\Program Files\Common Files\Java
2008-06-24 23:57 --------- d-----w C:\Program Files\Shockwave.com
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-16 20:01 2,869,536 ----a-w C:\spywareblastersetup41.exe
2008-06-16 02:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-16 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 20:36 --------- d-----w C:\Program Files\iTunes
2008-06-12 20:36 --------- d-----w C:\Documents and Settings\Kelly\Application Data\Apple Computer
2008-06-12 20:35 --------- d-----w C:\Program Files\iPod
2008-06-12 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-12 20:29 --------- d-----w C:\Program Files\Apple Software Update
2008-06-12 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-06 13:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-06 13:55 23,454,528 ----a-w C:\AdbeRdr812_en_US.exe
2008-06-06 04:32 --------- d-----w C:\Documents and Settings\Kelly\Application Data\Malwarebytes
2008-06-06 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 04:30 1,756,760 ----a-w C:\mbam-setup.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-12-17 15:57 1,646 ----a-w C:\Documents and Settings\Kayla\Application Data\wklnhst.dat
2006-11-28 05:00 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot_2008-08-04_15.29.43.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-5-2008\ERDNT.EXE
+ 2008-08-05 20:06:57 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-5-2008\Users\00000001\NTUSER.DAT
+ 2008-08-05 20:06:58 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-5-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-6-2008\ERDNT.EXE
+ 2008-08-06 14:43:50 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-6-2008\Users\00000001\NTUSER.DAT
+ 2008-08-06 14:43:50 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-6-2008\Users\00000002\UsrClass.dat
- 2008-07-31 15:15:03 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-06 14:38:43 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-31 15:15:03 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-06 14:38:43 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-31 15:15:03 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-06 14:38:43 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostsMan"="C:\Program Files\HostsMan\hm.exe" [2008-06-16 04:19 2847232]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2006-11-28 12:47 1040832]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 17:50 7311360]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-17 05:22 5606464]
"PCDrProfiler"="C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" [2006-04-06 13:17 53248]
"PCDrSmartMonitor"="C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" [2006-05-10 17:44 376832]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-04-17 14:51 1870592]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 00:14 237568]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"PwrUpTweakMe"="C:\WINDOWS\system32\PuXpTwks.exe" [2005-09-12 11:36 45056]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 00:34 249856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 01:19 77312 C:\WINDOWS\arpwrmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 19:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Kayla\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-07-31 20:44:35 27136]

C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1164757353\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20566:TCP"= 20566:TCP:BitComet 20566 TCP
"20566:UDP"= 20566:UDP:BitComet 20566 UDP

R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-07-09 19:05]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-07-09 19:05]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 05:22]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [2006-05-10 17:26]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 13:47]
S2 SvcOnlineArmor;Online Armor;C:\Program Files\Tall Emu\Online Armor\oasrv.exe [2008-04-17 05:22]
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 11:12:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc22.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PCD5SRVC{8A863ACB-F5F6CC6A-05010004}]
"ImagePath"="\??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms"
.
Completion time: 2008-08-06 11:13:28
ComboFix-quarantined-files.txt 2008-08-06 16:13:23
ComboFix2.txt 2008-08-05 17:13:39
ComboFix3.txt 2008-08-04 20:30:37
ComboFix4.txt 2008-07-26 00:52:46
ComboFix5.txt 2008-08-06 16:09:11

Pre-Run: 192,262,774,784 bytes free
Post-Run: 192,243,101,696 bytes free

266 --- E O F --- 2008-07-09 18:55:03

#36 Mike (Malware Monger, Retired Staff)
How is the kaspersky scan coming along? If you have any problems just shout :)

#37 kelkay (Topic Starter)
:) The Kaspersky scan showed no virus. I keep getting alerts from my regular Kaspersky though....odd. It is always telling me something, and sometimes I have no idea what to do about things it wants me to decide on.

These files are in backup by Kaspersky KAV7.0

Infected: adware not-a-virus:AdWare.Win32.SearchIt.t c:\program files\common files\aolback\comps\toolbar\toolbr.exe 599.1 KB

Infected: riskware not-a-virus:RemoteAdmin.Win32.WinVNC-based.b c:\att_sst_installer.exe 23.1 MB (THIS ONE I AM NOT SURE about, may be a false positive)

I will be doing some scanning until I hear from you. :)

Edited by kelkay, 06 August 2008 - 02:25 PM.

#38 Mike (Malware Monger, Retired Staff)
I would rather not have you do scans lol, it can make this process rather confusing :)

Anyways, from here your logs look good - any problems? If so could you describe them for me?

#39 kelkay (Topic Starter)
I cannot think of any particular problems. My computer seems to be running slower than normal. Here are two things that Malwarebytes found. So you think I am clear then? Should I post another HijackThis to make sure?

Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 3

5:15:41 PM 8/6/2008
mbam-log-8-6-2008 (17-15-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 178447
Time elapsed: 1 hour(s), 2 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0


Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2


Files Infected:
C:\Program Files\WordWeb\wweb32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\WordWeb\wwnotray.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

I am showing two hidden registry keys on Sophos Anti Rootkit.
Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-21-3792878029-4271234764-2959189486-1009
Removable: No
Notes: (no more detail available)

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-21-3792878029-4271234764-2959189486-500
Removable: No
Notes: (no more detail available)

I was just doing the scans to try to make sure the computer is clean. I am concerned a hacker has gotten into my computer. I had a backdoor trojan recently. I don't understand this because I use lots of programs to try and keep my computer virus free, malware free etc...

Edited by kelkay, 06 August 2008 - 09:12 PM.

#40 Mike (Malware Monger, Retired Staff)
Let's do one more in depth scan.
Please download OTScanIt.exe to your Desktop.
Double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close all other programs.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program
  • (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • In the File created within section select 60 Days
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the file in your next post, do not try to copy/paste it into the post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

And let's get a full RootKit scan in,

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
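
GMER's Rootkit tab reports each SSDT hook as one line naming the hooking driver, the vendor from its version info and the hooked kernel service. The Python below is an added triage helper, not part of this thread or of GMER itself: it parses lines in that format, groups hooks by driver and flags drivers with no vendor information, a vendor outside an assumed allowlist, or a path in a temporary folder, which is how a helper separates expected security-product hooks (Kaspersky's klif.sys, Online Armor's OADriver.sys) from ones that need a closer look. The sample log, the allowlist and the `example_unknown.sys` driver are constructed for this example.

```python
import re
from collections import defaultdict

# One GMER SSDT line per hooked service, in the form
#   SSDT <driver path> (<description>/<vendor>) <ZwFunction> [<hook address>]
# The parenthesised version info is absent when GMER finds none in the file.
SSDT_LINE = re.compile(
    r"^SSDT\s+(?P<module>.+?)"
    r"(?:\s+\((?P<info>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)

# Assumed allowlist: vendors whose kernel filters are expected on the machine
# being triaged (here the two security products present in this thread).
KNOWN_VENDORS = {"Kaspersky Lab", "Tall Emu Pty Ltd"}

# Services a rootkit hooks to hide processes, files or registry entries from
# user-mode tools. Security products hook them as well, so on their own they
# prove nothing; they only count together with another warning sign.
HIDING_SERVICES = {
    "ZwQuerySystemInformation", "ZwQueryDirectoryFile", "ZwEnumerateKey",
    "ZwEnumerateValueKey", "ZwQueryValueKey", "ZwOpenProcess",
}


def parse_ssdt_line(line):
    """Parse one GMER SSDT line; return a dict, or None for any other line."""
    m = SSDT_LINE.match(line.strip())
    if m is None:
        return None
    description, vendor = "", ""
    if m.group("info") is not None:
        # GMER prints "description/vendor"; split on the last slash so that a
        # slash inside the description does not end up in the vendor field.
        description, sep, vendor = m.group("info").rpartition("/")
        if not sep:  # no slash at all: treat the text as a description only
            description, vendor = vendor, ""
    return {
        "module": m.group("module"),
        "description": description.strip(),
        "vendor": vendor.strip(),
        "function": m.group("func"),
        "address": int(m.group("addr"), 16),
    }


def triage_ssdt(log_text):
    """Group SSDT hooks by driver and attach review flags to each driver.

    Returns {driver path: {"vendor": str, "functions": [...], "flags": [...]}};
    an empty "flags" list means the driver looks like expected security software.
    """
    drivers = defaultdict(lambda: {"vendor": "", "functions": [], "flags": []})
    for line in log_text.splitlines():
        hook = parse_ssdt_line(line)
        if hook is None:
            continue  # section headers, blank lines, non-SSDT findings
        entry = drivers[hook["module"]]
        entry["vendor"] = hook["vendor"]
        entry["functions"].append(hook["function"])

    for module, entry in drivers.items():
        if not entry["vendor"]:
            entry["flags"].append("no version/vendor information")
        elif entry["vendor"] not in KNOWN_VENDORS:
            entry["flags"].append("vendor not in allowlist: " + entry["vendor"])
        path = module.lower()
        if "\\temp\\" in path or path.endswith(".tmp"):
            entry["flags"].append("driver loaded from a temporary location")
        hiding = sorted(set(entry["functions"]) & HIDING_SERVICES)
        if hiding and entry["flags"]:
            entry["flags"].append("hooks enumeration services: " + ", ".join(hiding))
    return dict(drivers)


# Constructed sample in GMER's format: the first three lines mirror the
# klif.sys (Kaspersky) and OADriver.sys (Online Armor) entries such a machine
# produces; example_unknown.sys is invented for the demonstration.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateKey [0xF3D2F7A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xF3D3F460]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenFile [0xF3DD3080]
SSDT \??\C:\WINDOWS\TEMP\example_unknown.sys ZwQuerySystemInformation [0xF3C00010]
SSDT \??\C:\WINDOWS\TEMP\example_unknown.sys ZwEnumerateKey [0xF3C00120]
"""


def report(log_text):
    """Return the triage as printable lines, flagged drivers first."""
    lines = []
    drivers = triage_ssdt(log_text)
    for module in sorted(drivers, key=lambda m: (not drivers[m]["flags"], m)):
        entry = drivers[module]
        status = "REVIEW" if entry["flags"] else "ok"
        lines.append("%s  %s  (%d hooks, vendor: %s)" % (
            status, module, len(entry["functions"]), entry["vendor"] or "none"))
        for flag in entry["flags"]:
            lines.append("        - " + flag)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```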

#41 kelkay (Topic Starter)
Alrighty, I am posting the scan log now.


#42 kelkay (Topic Starter)
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-07 12:40:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwAllocateVirtualMemory [0xF3DD1270]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwAssignProcessToJobObject [0xF3DD16A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xF3D3E370]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwConnectPort [0xF3D3C420]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateFile [0xF3DD2CC0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateKey [0xF3D2F7A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreatePort [0xF3DD0A20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xF3D3E0A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xF3D3E210]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xF3D3EE70]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF3D3E940]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateThread [0xF3D3F7B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDebugActiveProcess [0xF3DD03F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDeleteFile [0xF3DD3320]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteKey [0xF3D2F8A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteValueKey [0xF3D2F920]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDuplicateObject [0xF3D3E510]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateKey [0xF3D2F9B0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateValueKey [0xF3D2FA60]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwFlushKey [0xF3D2FB10]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwInitializeRegistry [0xF3D2FB90]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xF3D3BFD0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey [0xF3D30590]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey2 [0xF3D2FBB0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwNotifyChangeKey [0xF3D2FC80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenFile [0xF3DD3080]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenKey [0xF3D2FD60]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenProcess [0xF3D3DE90]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xF3D3ECA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenThread [0xF3DCFF40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwProtectVirtualMemory [0xF3DD13E0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryKey [0xF3D2FE30]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryMultipleValueKey [0xF3D2FEE0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xF3D3F460]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryValueKey [0xF3D2FF90]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwReplaceKey [0xF3D30040]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwRequestWaitReplyPort [0xF3D3CA00]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwRestoreKey [0xF3D300D0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xF3D3F760]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSaveKey [0xF3D302D0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xF3D3FAE0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xF3D400A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationKey [0xF3D30360]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xF3D3AC20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSystemInformation [0xF3D3EB20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetValueKey [0xF3D30400]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwShutdownSystem [0xF3DD1020]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSuspendProcess [0xF3DD08E0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xF3D3F710]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xF3D3C2E0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwTerminateProcess [0xF3D3F300]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwTerminateThread [0xF3DD0130]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwUnloadKey [0xF3D30550]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xF3D3E3D0]

Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess + 3 804EAF77 2 Bytes [ 85, 73 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504508 12 Bytes [ 20, 0A, DD, F3, A0, E0, D3, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045D4 12 Bytes [ D0, BF, D3, F3, 90, 05, D3, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [ E0, 08, DD, F3, 10, F7, D3, ... ]
? C:\WINDOWS\TEMP\mc21.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\CTsvcCDA.exe[252] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\CTsvcCDA.exe[252] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\eHome\ehRecvr.exe[268] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\eHome\ehRecvr.exe[268] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\wscntfy.exe[292] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\wscntfy.exe[292] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\wscntfy.exe[292] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\eHome\ehSched.exe[324] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\eHome\ehSched.exe[324] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[412] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[412] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\nvsvc32.exe[464] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\nvsvc32.exe[464] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\HPZipm12.exe[684] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\HPZipm12.exe[684] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe[744] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe[744] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\svchost.exe[820] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? c:\windows\system\hpsysdrv.exe[916] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text c:\windows\system\hpsysdrv.exe[916] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text c:\windows\system\hpsysdrv.exe[916] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text c:\windows\system\hpsysdrv.exe[916] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text c:\windows\system\hpsysdrv.exe[916] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\ehome\mcrdsvc.exe[924] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\ehome\mcrdsvc.exe[924] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\csrss.exe[1036] C:\WINDOWS\system32\KERNEL32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\winlogon.exe[1064] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\services.exe[1108] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\lsass.exe[1120] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\lsass.exe[1120] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\WINDOWS\system32\lsass.exe[1120] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
? C:\WINDOWS\system32\svchost.exe[1256] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1376] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1376] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\WINDOWS\system32\svchost.exe[1376] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
? C:\WINDOWS\System32\svchost.exe[1432] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1624] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1624] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\WINDOWS\system32\svchost.exe[1624] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
? C:\WINDOWS\system32\spoolsv.exe[1876] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1980] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[2008] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[2008] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\arservice.exe[2024] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\arservice.exe[2024] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[2036] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[2036] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Mozilla Firefox\firefox.exe[2160] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\Program Files\Mozilla Firefox\firefox.exe[2160] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\Program Files\Mozilla Firefox\firefox.exe[2160] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE286FC 7C9C5128 4 Bytes [ 80, 00, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE28708 7C9C5134 4 Bytes [ F0, 00, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE2A5AC 7C9C6FD8 4 Bytes [ 40, 02, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE2A6C4 7C9C70F0 4 Bytes [ B0, 02, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE2A6E4 7C9C7110 4 Bytes [ 40, 09, 1E, 7D ]
.text ...
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!ILFindChild + 3D4 7C9F18C0 4 Bytes [ 30, 0D, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!DllGetClassObject + 50B 7C9F2DC4 4 Bytes [ 60, 08, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!DllGetClassObject + 52B 7C9F2DE4 4 Bytes [ 10, 07, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!DllGetClassObject + 563 7C9F2E1C 4 Bytes [ A0, 06, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!SHTestTokenMembership + E5 7CA05644 4 Bytes [ 00, 0B, 1E, 7D ]
? C:\WINDOWS\system32\dllhost.exe[2236] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\dllhost.exe[2236] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\HP\KBD\KBD.EXE[2420] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\HP\KBD\KBD.EXE[2420] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\HP\KBD\KBD.EXE[2420] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\HP\KBD\KBD.EXE[2420] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\HP\KBD\KBD.EXE[2420] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\HP\KBD\KBD.EXE[2420] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\HP\KBD\KBD.EXE[2420] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\Explorer.EXE[2648] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\Explorer.EXE[2648] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\Explorer.EXE[2648] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\Explorer.EXE[2648] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\Explorer.EXE[2648] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\WINDOWS\Explorer.EXE[2648] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\WINDOWS\Explorer.EXE[2648] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\ARPWRMSG.EXE[3284] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\ARPWRMSG.EXE[3284] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\ARPWRMSG.EXE[3284] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\System32\alg.exe[3304] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\System32\alg.exe[3304] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] SHELL32.dll!StrStrW + FFE286FC 7C9C5128 4 Bytes [ 80, 00, 1E, 7D ]
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] SHELL32.dll!StrStrW + FFE28708 7C9C5134 4 Bytes [ F0, 00, 1E, 7D ]
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] SHELL32.dll!StrStrW + FFE2BBCC 7C9C85F8 4 Bytes [ D0, 01, 1E, 7D ]
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] SHELL32.dll!StrStrW + FFE2BC14 7C9C8640 4 Bytes [ 60, 01, 1E, 7D ]
? C:\Documents and Settings\Kelly\Desktop\gmer\gmer.exe[3836] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Documents and Settings\Kelly\Desktop\gmer\gmer.exe[3836] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Documents and Settings\Kelly\Desktop\gmer\gmer.exe[3836] C:\WINDOWS\system32\USER32.DLL time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F77F3410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]

#43 kelkay (Topic Starter)
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-07 12:40:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwAllocateVirtualMemory [0xF3DD1270]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwAssignProcessToJobObject [0xF3DD16A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xF3D3E370]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwConnectPort [0xF3D3C420]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreateFile [0xF3DD2CC0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateKey [0xF3D2F7A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwCreatePort [0xF3DD0A20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xF3D3E0A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xF3D3E210]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xF3D3EE70]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF3D3E940]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateThread [0xF3D3F7B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDebugActiveProcess [0xF3DD03F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwDeleteFile [0xF3DD3320]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteKey [0xF3D2F8A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteValueKey [0xF3D2F920]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDuplicateObject [0xF3D3E510]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateKey [0xF3D2F9B0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateValueKey [0xF3D2FA60]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwFlushKey [0xF3D2FB10]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwInitializeRegistry [0xF3D2FB90]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xF3D3BFD0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey [0xF3D30590]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey2 [0xF3D2FBB0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwNotifyChangeKey [0xF3D2FC80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenFile [0xF3DD3080]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenKey [0xF3D2FD60]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenProcess [0xF3D3DE90]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xF3D3ECA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwOpenThread [0xF3DCFF40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwProtectVirtualMemory [0xF3DD13E0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryKey [0xF3D2FE30]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryMultipleValueKey [0xF3D2FEE0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xF3D3F460]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryValueKey [0xF3D2FF90]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwReplaceKey [0xF3D30040]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwRequestWaitReplyPort [0xF3D3CA00]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwRestoreKey [0xF3D300D0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xF3D3F760]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSaveKey [0xF3D302D0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xF3D3FAE0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xF3D400A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationKey [0xF3D30360]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xF3D3AC20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSystemInformation [0xF3D3EB20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetValueKey [0xF3D30400]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwShutdownSystem [0xF3DD1020]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwSuspendProcess [0xF3DD08E0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xF3D3F710]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xF3D3C2E0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwTerminateProcess [0xF3D3F300]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwTerminateThread [0xF3DD0130]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwUnloadKey [0xF3D30550]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xF3D3E3D0]

Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess + 3 804EAF77 2 Bytes [ 85, 73 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504508 12 Bytes [ 20, 0A, DD, F3, A0, E0, D3, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045D4 12 Bytes [ D0, BF, D3, F3, 90, 05, D3, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [ E0, 08, DD, F3, 10, F7, D3, ... ]
? C:\WINDOWS\TEMP\mc21.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\CTsvcCDA.exe[252] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\CTsvcCDA.exe[252] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\eHome\ehRecvr.exe[268] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\eHome\ehRecvr.exe[268] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\wscntfy.exe[292] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\wscntfy.exe[292] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\system32\wscntfy.exe[292] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\wscntfy.exe[292] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\eHome\ehSched.exe[324] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\eHome\ehSched.exe[324] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[412] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[412] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\nvsvc32.exe[464] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\nvsvc32.exe[464] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\HPZipm12.exe[684] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\HPZipm12.exe[684] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe[744] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe[744] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\svchost.exe[820] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? c:\windows\system\hpsysdrv.exe[916] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text c:\windows\system\hpsysdrv.exe[916] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text c:\windows\system\hpsysdrv.exe[916] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text c:\windows\system\hpsysdrv.exe[916] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text c:\windows\system\hpsysdrv.exe[916] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text c:\windows\system\hpsysdrv.exe[916] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\ehome\mcrdsvc.exe[924] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\ehome\mcrdsvc.exe[924] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\system32\csrss.exe[1036] C:\WINDOWS\system32\KERNEL32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\winlogon.exe[1064] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\services.exe[1108] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\lsass.exe[1120] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\lsass.exe[1120] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\WINDOWS\system32\lsass.exe[1120] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
? C:\WINDOWS\system32\svchost.exe[1256] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1376] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1376] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\WINDOWS\system32\svchost.exe[1376] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
? C:\WINDOWS\System32\svchost.exe[1432] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1476] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1624] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[1624] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\WINDOWS\system32\svchost.exe[1624] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
? C:\WINDOWS\system32\spoolsv.exe[1876] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1980] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[2008] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[2008] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\arservice.exe[2024] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\arservice.exe[2024] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[2036] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[2036] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Mozilla Firefox\firefox.exe[2160] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\Program Files\Mozilla Firefox\firefox.exe[2160] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\Program Files\Mozilla Firefox\firefox.exe[2160] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE286FC 7C9C5128 4 Bytes [ 80, 00, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE28708 7C9C5134 4 Bytes [ F0, 00, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE2A5AC 7C9C6FD8 4 Bytes [ 40, 02, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE2A6C4 7C9C70F0 4 Bytes [ B0, 02, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!StrStrW + FFE2A6E4 7C9C7110 4 Bytes [ 40, 09, 1E, 7D ]
.text ...
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!ILFindChild + 3D4 7C9F18C0 4 Bytes [ 30, 0D, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!DllGetClassObject + 50B 7C9F2DC4 4 Bytes [ 60, 08, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!DllGetClassObject + 52B 7C9F2DE4 4 Bytes [ 10, 07, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!DllGetClassObject + 563 7C9F2E1C 4 Bytes [ A0, 06, 1E, 7D ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2160] SHELL32.dll!SHTestTokenMembership + E5 7CA05644 4 Bytes [ 00, 0B, 1E, 7D ]
? C:\WINDOWS\system32\dllhost.exe[2236] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\system32\dllhost.exe[2236] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\HP\KBD\KBD.EXE[2420] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\HP\KBD\KBD.EXE[2420] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\HP\KBD\KBD.EXE[2420] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\HP\KBD\KBD.EXE[2420] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\HP\KBD\KBD.EXE[2420] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\HP\KBD\KBD.EXE[2420] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\HP\KBD\KBD.EXE[2420] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\HP\KBD\KBD.EXE[2420] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\Explorer.EXE[2648] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\Explorer.EXE[2648] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\Explorer.EXE[2648] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\Explorer.EXE[2648] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\WINDOWS\Explorer.EXE[2648] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\WINDOWS\Explorer.EXE[2648] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\WINDOWS\Explorer.EXE[2648] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\Explorer.EXE[2648] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[3092] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\ARPWRMSG.EXE[3284] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\ARPWRMSG.EXE[3284] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\WINDOWS\ARPWRMSG.EXE[3284] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\ARPWRMSG.EXE[3284] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\WINDOWS\System32\alg.exe[3304] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\WINDOWS\System32\alg.exe[3304] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3336] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A
? C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] SHELL32.dll!StrStrW + FFE286FC 7C9C5128 4 Bytes [ 80, 00, 1E, 7D ]
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] SHELL32.dll!StrStrW + FFE28708 7C9C5134 4 Bytes [ F0, 00, 1E, 7D ]
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] SHELL32.dll!StrStrW + FFE2BBCC 7C9C85F8 4 Bytes [ D0, 01, 1E, 7D ]
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] SHELL32.dll!StrStrW + FFE2BC14 7C9C8640 4 Bytes [ 60, 01, 1E, 7D ]
? C:\Documents and Settings\Kelly\Desktop\gmer\gmer.exe[3836] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Documents and Settings\Kelly\Desktop\gmer\gmer.exe[3836] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Documents and Settings\Kelly\Desktop\gmer\gmer.exe[3836] C:\WINDOWS\system32\USER32.DLL time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
? C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] C:\WINDOWS\system32\USER32.dll time/date stamp mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
? C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] C:\WINDOWS\system32\SHELL32.dll time/date stamp mismatch; unknown module: WINMM.dllunknown module: msi.dllunknown module: DEVMGR.DLLunknown module: urlmon.dllunknown module: OLEAUT32.dllunknown module: OLEACC.dllunknown module: VERSION.dllunknown module: MPR.dllunknown module: CSCDLL.dllunknown module: UxTheme.dllunknown module: credui.dllunknown module: RASAPI32.dllunknown module: MSGINA.dllunknown module: POWRPROF.dllunknown module: SHDOCVW.dllunknown module: BROWSEUI.dllunknown module: EFSADU.dllunknown module: LINKINFO.dllunknown module: MSIMG32.dllunknown module: DUSER.dllunknown module: PRINTUI.dllunknown module: CdfView.dllunknown module: SETUPAPI.dllunknown module: appHelp.dllunknown module: query.dllunknown module: gdiplus.dllunknown module: IMM32.dllunknown module: msvcrt.dll
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!select 71AB30A8 6 Bytes JMP 5F130F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 5F160F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F220F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F250F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 5F190F5A

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F77F3410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]
  • 0

#44
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
hi there,

The rootkit scan came out clean :)

Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Driver Services - Non-Microsoft Only]
YY -> (MEMSWEEP2) MEMSWEEP2 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\731.tmp
[Registry - Non-Microsoft Only]
< Drives - Autoruns > -> 
NY -> AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ]
NY -> autorun.inf [[autorun] | open=Start.exe | icon=SIMSCD.ICO | ] -> E:\autorun.inf [ CDFS ]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4722 domain(s) found.
YN -> 44 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found.
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 26939 domain(s) found.
YN -> www.bannerfarm.ace_advertising.com [https] -> Trusted sites
YN -> objects_aol.com [*] -> Out of zone range - ( 5 )
YN -> www_revsci.net [https] -> Trusted sites
YN -> www_websidestory.com [https] -> Trusted sites
YN -> us.f834.mail_yahoo.com [https] -> Trusted sites
YN -> 321 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 1233 range(s) found.
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{D554D8FC-B36D-4BB4-93DB-4A3394D505E3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {E2D4D26B-0180-43a4-B05F-462D6D54C789}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Internet Connection Help]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{E2D4D26B-0180-43a4-B05F-462D6D54C789} [HKEY_LOCAL_MACHINE] -> [Internet Connection Help]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &D&ownload &with BitComet -> Reg Error: Value  does not exist or could not be read.
YN -> &D&ownload all video with BitComet -> Reg Error: Value  does not exist or could not be read.
YN -> &D&ownload all with BitComet -> Reg Error: Value  does not exist or could not be read.
YN -> Download with Star Downloader -> Reg Error: Value  does not exist or could not be read.
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {639658F3-B141-4D6B-B936-226F75A5EAC3}[HKEY_LOCAL_MACHINE] -> http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab[CPlayFirstDinerDash2Control Object]
YN -> {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}[HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DinerDash2.1.0.0.67.dll\ -> 
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DinerDash2.1.0.0.67.dll\\.Owner -> {639658F3-B141-4D6B-B936-226F75A5EAC3}
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DinerDash2.1.0.0.67.dll\\{639658F3-B141-4D6B-B936-226F75A5EAC3} -> 
[Files/Folders - Created Within 60 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> spywareblastersetup41.exe -> %SystemDrive%\spywareblastersetup41.exe
NY -> 8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Regfix.zip:Zone.Identifier
NY -> Sophos Anti-Rootkit.lnk -> %UserProfile%\Desktop\Sophos Anti-Rootkit.lnk
NY -> ERUNT AutoBackup.lnk -> %UserProfile%\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> 8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> zllictbl.dat -> %SystemRoot%\System32\zllictbl.dat
NY -> ZoneLabs -> %SystemRoot%\System32\ZoneLabs
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> data.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\data.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 158 bytes -> %AllUsersProfile%\Application Data\TEMP:0AA21473
NY -> @Alternate Data Stream - 116 bytes -> %AllUsersProfile%\Application Data\TEMP:2C321309
NY -> @Alternate Data Stream - 142 bytes -> %AllUsersProfile%\Application Data\TEMP:3EA7510F
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
NY -> @Alternate Data Stream - 137 bytes -> %AllUsersProfile%\Application Data\TEMP:82ED8454
NY -> @Alternate Data Stream - 163 bytes -> %AllUsersProfile%\Application Data\TEMP:96FAC731
NY -> @Alternate Data Stream - 111 bytes -> %AllUsersProfile%\Application Data\TEMP:9E1C306C
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\Application Data\TEMP:A98B12D4
NY -> @Alternate Data Stream - 136 bytes -> %AllUsersProfile%\Application Data\TEMP:CBCF563D
NY -> @Alternate Data Stream - 159 bytes -> %AllUsersProfile%\Application Data\TEMP:D1B5B4F1
NY -> @Alternate Data Stream - 26 bytes -> %UserProfile%\Desktop\Regfix.zip:Zone.Identifier
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0
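Mike reads the GMER scan above as clean even though it lists many user-mode hooks. To triage such output yourself, here is an added Python example (not from this thread and not part of GMER) that parses the `.text ... JMP` hook lines and the kernel `IAT` lines in the format shown, groups hooks by process and reports the span of JMP destinations: one tight span shared by every process points at a single hooking module (a firewall/HIPS DLL, for instance) rather than per-process injection. `SAMPLE_LOG` is a constructed excerpt shaped like the posted log.

```python
import re
from collections import defaultdict
# Constructed sample shaped like the GMER log above (a handful of lines, not the full log).
SAMPLE_LOG = r"""
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F100F5A
.text C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe[3576] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F310F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[4060] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, 7F, E2 ]
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F77F3410] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
"""
# A user-mode inline hook: either a JMP to a trampoline or an in-place byte patch.
TEXT_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<api>[^!\s]+!\S+)(?: \+ [0-9A-F]+)? "
    r"[0-9A-F]{8} \d+ Bytes (?:JMP (?P<target>[0-9A-F]{8})|\[ (?P<patch>[^\]]+) \])$"
)
# A kernel import redirected into a third-party driver.
IAT_RE = re.compile(r"^IAT (?P<driver>[^\[\s]+)\[(?P<imp>[^\]]+)\] \[[0-9A-F]{8}\] (?P<owner>\S+)")

def parse_gmer(text):
    """Return (user_hooks, kernel_iat) from GMER output; lines of other kinds are skipped."""
    hooks, iat = [], []
    for line in text.splitlines():
        m = TEXT_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["target"] = int(d["target"], 16) if d["target"] else None
            hooks.append(d)
        elif IAT_RE.match(line):
            iat.append(IAT_RE.match(line).groupdict())
    return hooks, iat

def hooks_by_process(hooks):
    """Map pid -> sorted list of hooked 'module!function' names."""
    out = defaultdict(list)
    for h in hooks:
        out[h["pid"]].append(h["api"])
    return {pid: sorted(apis) for pid, apis in out.items()}

def jmp_target_span(hooks):
    """(lowest, highest) JMP destination over all processes. A tight span shared by every
    process means one hooking module; resolve it against that process's module list."""
    targets = [h["target"] for h in hooks if h["target"] is not None]
    return (min(targets), max(targets)) if targets else None

def inplace_patches(hooks):
    """(pid, api, bytes) for hooks that overwrite code in place instead of JMPing."""
    return [(h["pid"], h["api"], h["patch"]) for h in hooks if h["patch"]]
```

Run it over a full saved GMER log instead of `SAMPLE_LOG` to see which processes share the same destination range and which entries are byte patches rather than JMPs.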

#45
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
It did a reboot but did not give me a message after that. I will look for another txt message. I did a search for the OTScanit.txt and only came up with the scan from a few hours earlier. It ran after the reboot because I got something from either the firewall or the Kaspersky saying it wanted to run, and I allowed it. No message after that.

Edited by kelkay, 07 August 2008 - 03:59 PM.

  • 0
