virus hijacked rootkits [Solved] [Closed]



#1
spiritboy3 - Member - 136 posts
Hi, I've been infected with a virus yesterday. At first it ran my Java and after that I got infected; it gave me Antivirus Soft, which I managed to remove with MBAM. But whenever I search with Google and click result sites it redirects me to other search sites (dating sites, PC-related sites). I did one more scan and found out I could not remove rootkit.agent no matter how many times I tried to clear it with MBAM. It is located in System32\Drivers\pdlxm.sys, which GMER also detected. The computer is currently slow while unable to click on searched sites, and my DNS seems to be affected by it too, with a few BSODs. Also, OTL did not give me an Extra.txt; please instruct me to scan again if needed on my next post. Thanks.

OTL log

OTL logfile created on: 5/5/2010 3:03:58 AM - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\darren\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.93 Gb Total Space | 168.20 Gb Free Space | 75.79% Space Free | Partition Type: NTFS
Drive D: | 10.95 Gb Total Space | 4.42 Gb Free Space | 40.33% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DARREN-PC
Current User Name: darren
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Users\darren\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe (Avira GmbH)
PRC - C:\Windows\System32\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\darren\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (wcsv) -- C:\Program Files\WebCompass\wcsv.dll ()
SRV - (ServiceLayer) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (GoogleDesktopManager-110309-193829) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe (Avira GmbH)
SRV - (antivirwebservice) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE (Avira GmbH)
SRV - (AntiVirMailService) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe (Avira GmbH)
SRV - (AntiVirScheduler) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe (Avira GmbH)
SRV - (AVEService) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe (Avira GmbH)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (IDT, Inc.)
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


GMER log
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-05 09:01:46
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\darren\AppData\Local\Temp\uxryrpob.sys


---- System - GMER 1.0.15 ----

SSDT A0132A3C ZwCreateThread
SSDT A0132A28 ZwOpenProcess
SSDT A0132A2D ZwOpenThread
SSDT A0132A37 ZwTerminateProcess
SSDT A0132A32 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 454 81CEBB18 4 Bytes [3C, 2A, 13, A0]
.text ntkrnlpa.exe!KeSetTimerEx + 624 81CEBCE8 4 Bytes [28, 2A, 13, A0]
.text ntkrnlpa.exe!KeSetTimerEx + 640 81CEBD04 4 Bytes [2D, 2A, 13, A0]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81CEBF18 4 Bytes [37, 2A, 13, A0]
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 81CEBF78 4 Bytes [32, 2A, 13, A0]
? System32\Drivers\pdlxm.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E207340, 0x39BD97, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0023000A
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 0011000A
.text C:\Windows\system32\svchost.exe[1120] ole32.dll!CoCreateInstance 76BCE188 5 Bytes JMP 0161000A
.text C:\Windows\Explorer.EXE[1972] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0174000A
.text C:\Windows\Explorer.EXE[1972] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0175000A
.text C:\Windows\Explorer.EXE[1972] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 016F000A
.text C:\Windows\system32\wuauclt.exe[2428] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0015000A
.text C:\Windows\system32\wuauclt.exe[2428] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0016000A
.text C:\Windows\system32\wuauclt.exe[2428] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 000C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0031000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0032000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 0030000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxIndirectParamW 75E3BD25 5 Bytes JMP 70C8076D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxParamW 75E51FD5 5 Bytes JMP 70C806F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxParamA 75E780B2 5 Bytes JMP 70C80732 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxIndirectParamA 75E783DD 5 Bytes JMP 70C807A8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxIndirectA 75E8D471 5 Bytes JMP 70C806B3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxIndirectW 75E8D56B 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxIndirectW 75E8D56B 5 Bytes JMP 70C8066F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxExA 75E8D5D1 5 Bytes JMP 70C80635 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxExW 75E8D5F5 5 Bytes JMP 70C805FB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ole32.dll!OleLoadFromStream 76B99726 5 Bytes JMP 70C8096A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0031000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0032000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 0030000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamW 75E3BD25 5 Bytes JMP 70C8076D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamW 75E51FD5 5 Bytes JMP 70C806F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamA 75E780B2 5 Bytes JMP 70C80732 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamA 75E783DD 5 Bytes JMP 70C807A8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectA 75E8D471 5 Bytes JMP 70C806B3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectW 75E8D56B 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectW 75E8D56B 5 Bytes JMP 70C8066F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExA 75E8D5D1 5 Bytes JMP 70C80635 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExW 75E8D5F5 5 Bytes JMP 70C805FB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] ole32.dll!OleLoadFromStream 76B99726 5 Bytes JMP 70C8096A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

#2
jwang01 - Trusted Helper - Malware Removal - 2,567 posts
Hello spiritboy3 and welcome to GeeksToGo. :)

I am jwang01 and I will be assisting you with your issue.

When we get to working on your computer you may want to print out or save my responses in Notepad, because there may be times where you will not be able to access them here.

Also, please don't attach your logs unless asked, as they can make them hard to read. Just post them as a reply.


Looks like you only posted part of the OTL and GMER logs. Please repost those logs. :)

#3
spiritboy3 - Topic Starter - Member - 136 posts
Oops.
OTL log

OTL logfile created on: 5/5/2010 3:03:58 AM - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\darren\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.93 Gb Total Space | 168.20 Gb Free Space | 75.79% Space Free | Partition Type: NTFS
Drive D: | 10.95 Gb Total Space | 4.42 Gb Free Space | 40.33% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DARREN-PC
Current User Name: darren
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Users\darren\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe (Avira GmbH)
PRC - C:\Windows\System32\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\darren\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (wcsv) -- C:\Program Files\WebCompass\wcsv.dll ()
SRV - (ServiceLayer) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (GoogleDesktopManager-110309-193829) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe (Avira GmbH)
SRV - (antivirwebservice) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE (Avira GmbH)
SRV - (AntiVirMailService) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe (Avira GmbH)
SRV - (AntiVirScheduler) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe (Avira GmbH)
SRV - (AVEService) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe (Avira GmbH)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (IDT, Inc.)
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


========== Driver Services (SafeList) ==========

DRV - (nmwcd) -- C:\Windows\System32\drivers\ccdcmb.sys (Nokia)
DRV - (NETw5v32) Intel® -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (pccsmcfd) -- C:\Windows\System32\drivers\pccsmcfd.sys (Nokia)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgntflt.sys (Avira GmbH)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (NETw4v32) Intel® -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (RTSTOR) -- C:\Windows\System32\drivers\RTSTOR.sys (Realtek Semiconductor Corp.)
DRV - (Si3531) -- C:\Windows\system32\DRIVERS\Si3531.sys (Silicon Image, Inc)
DRV - (SiFilter) -- C:\Windows\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc.)
DRV - (SiRemFil) -- C:\Windows\system32\DRIVERS\SiRemFil.sys (Silicon Image, Inc.)
DRV - (UVCFTR) -- C:\Windows\System32\drivers\UVCFTR_S.SYS (Chicony Electronics Co., Ltd.)
DRV - (btwaudio) -- C:\Windows\System32\drivers\btwaudio.sys (Broadcom Corporation.)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgio.sys (Avira GmbH)
DRV - (btwavdt) -- C:\Windows\System32\drivers\btwavdt.sys (Broadcom Corporation.)
DRV - (btwrchid) -- C:\Windows\System32\drivers\btwrchid.sys (Broadcom Corporation.)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (ac97intc) Intel® 82801 Audio Driver Install Service (WDM) -- C:\Windows\System32\drivers\ac97intc.sys (Intel Corporation)
DRV - (NETw2v32) Intel® -- C:\Windows\System32\drivers\NETw2v32.sys (Intel® Corporation)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (StarOpen) -- C:\Windows\System32\drivers\StarOpen.sys ()
DRV - (sscdmdm) -- C:\Windows\System32\drivers\sscdmdm.sys (MCCI)
DRV - (sscdmdfl) -- C:\Windows\System32\drivers\sscdmdfl.sys (MCCI)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\Windows\System32\drivers\sscdbus.sys (MCCI)
DRV - (giveio) -- C:\Windows\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...&M=P-6831FX

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.3

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/09/21 12:59:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/31 02:39:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/31 02:39:07 | 000,000,000 | ---D | M]

[2009/06/28 04:09:21 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\Mozilla\Extensions
[2010/05/05 03:00:34 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\Mozilla\Firefox\Profiles\81txr0cc.default\extensions
[2009/09/02 16:00:49 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\darren\AppData\Roaming\Mozilla\Firefox\Profiles\81txr0cc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/05 03:00:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/04 18:51:05 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Gateway\traybar.exe (Chicony)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [LiveUpdate] C:\Program Files\Samsung\Samsung PC Studio 3\Update\Copyer.exe (TODO: <회사 이름>)
O4 - HKLM..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
O4 - HKLM..\Run: [NokiaMusic FastStart] C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe (Nokia)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla\4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.4; Mozilla\4.0 ( File not found
O4 - Startup: C:\Users\darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 50pfo = C:\Users\darren\AppData\Local\Temp\uxq9by.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll (Installation Support)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zon...wn.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.co.../sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://messenger.zon...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zon...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} http://driveragent.c...driveragent.cab (Driver Agent ActiveX Control)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zon...er.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\darren\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Users\darren\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/03/18 14:20:15 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 90 Days ==========

[2010/05/05 03:01:28 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Users\darren\Desktop\OTL.exe
[2010/05/04 18:53:35 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Local\vtktkglpl
[2010/04/19 17:06:03 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Suite
[2010/04/19 17:02:10 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Local\IsolatedStorage
[2010/04/19 17:02:09 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Roaming\PC Suite
[2010/04/19 17:01:27 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Roaming\Nokia
[2010/04/19 17:00:25 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Local\Nokia
[2010/04/19 17:00:10 | 000,000,000 | ---D | C] -- C:\ProgramData\NokiaMusic
[2010/04/19 16:59:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
[2010/04/19 16:59:15 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2010/04/19 16:59:14 | 000,018,816 | ---- | C] (Nokia) -- C:\Windows\System32\drivers\pccsmcfd.sys
[2010/04/19 16:59:11 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2010/04/19 16:58:24 | 000,091,136 | ---- | C] (Nokia) -- C:\Windows\System32\nmwcdcls.dll
[2010/04/19 16:58:24 | 000,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010/04/19 16:39:30 | 001,102,624 | ---- | C] (Nokia) -- C:\Users\darren\Desktop\SetupOviPlayer.exe
[2010/04/13 21:24:15 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Local\extuxobki
[2010/03/25 16:19:02 | 000,000,000 | ---D | C] -- C:\Program Files\WebCompass

========== Files - Modified Within 90 Days ==========

[2010/05/05 03:07:44 | 003,932,160 | -HS- | M] () -- C:\Users\darren\NTUSER.DAT
[2010/05/05 03:06:39 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\pdlxm.sys
[2010/05/05 03:01:20 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\darren\Desktop\OTL.exe
[2010/05/05 02:55:19 | 000,703,078 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/05 02:55:19 | 000,604,010 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/05 02:55:19 | 000,104,740 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/05 02:48:24 | 000,179,894 | ---- | M] () -- C:\Users\darren\AppData\Roaming\nvModes.001
[2010/05/05 02:47:20 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/05 02:47:17 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/05 02:47:14 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/05 02:47:07 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/05 02:46:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/05 02:46:15 | 3219,578,880 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/05 02:44:53 | 000,524,288 | -HS- | M] () -- C:\Users\darren\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/05/05 02:44:53 | 000,065,536 | -HS- | M] () -- C:\Users\darren\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/05/05 02:26:14 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/05/05 02:14:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/30 03:15:55 | 000,002,443 | ---- | M] () -- C:\Users\Public\Desktop\Nokia Ovi Player.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/28 17:24:01 | 000,313,760 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/23 03:53:15 | 005,534,283 | ---- | M] () -- C:\Users\darren\Documents\Big_Bang_-_Lies.mp3
[2010/04/19 17:05:30 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
[2010/04/19 17:02:13 | 000,075,336 | ---- | M] () -- C:\Users\darren\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/19 16:39:30 | 001,102,624 | ---- | M] (Nokia) -- C:\Users\darren\Desktop\SetupOviPlayer.exe
[2010/04/17 23:23:12 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

========== Files Created - No Company Name ==========

[2010/05/05 02:46:15 | 3219,578,880 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/04 18:50:20 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\pdlxm.sys
[2010/04/19 17:05:30 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
[2010/04/19 17:00:15 | 000,002,443 | ---- | C] () -- C:\Users\Public\Desktop\Nokia Ovi Player.lnk
[2010/04/17 23:23:12 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
[2009/05/29 22:56:19 | 000,000,124 | ---- | C] () -- C:\Windows\Peter's Go.ini
[2009/05/15 01:59:40 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2008/11/30 15:35:23 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2008/06/25 14:26:09 | 000,000,022 | ---- | C] () -- C:\Windows\msnmsgr.exe.ini
[2008/03/18 14:01:16 | 000,088,064 | ---- | C] () -- C:\Windows\System32\wiascanprofiles.dll
[2008/03/18 14:01:06 | 000,053,248 | ---- | C] () -- C:\Windows\System32\msident.dll
[2008/03/18 14:01:05 | 000,022,016 | ---- | C] () -- C:\Windows\System32\mtxdm.dll
[2008/03/18 14:01:02 | 000,008,704 | ---- | C] () -- C:\Windows\System32\rdpcfgex.dll
[2008/01/30 15:54:55 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2008/01/28 16:37:48 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini
[2008/01/16 16:32:54 | 000,000,031 | ---- | C] () -- C:\Windows\GunzLauncher.INI
[2007/12/14 21:58:02 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/05/17 14:38:25 | 000,003,584 | ---- | C] () -- C:\Windows\System32\wceprv.dll
[2007/03/29 15:42:38 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 07:34:33 | 000,062,976 | ---- | C] () -- C:\Windows\System32\dmcompos.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/11/14 16:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

========== LOP Check ==========

[2008/03/26 20:54:39 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\Auslogics
[2009/03/20 01:50:51 | 000,000,000 | -H-D | M] -- C:\Users\darren\AppData\Roaming\ijjigame
[2010/04/19 17:01:27 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\Nokia
[2009/05/28 02:18:41 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\OpenOffice.org
[2010/04/19 17:02:09 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\PC Suite
[2008/01/15 18:55:05 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\SampleView
[2009/05/15 02:07:31 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\Samsung
[2008/07/24 18:10:31 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\Soldat
[2009/06/20 23:24:15 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\Spare Backup
[2008/03/26 21:22:06 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\wsInspector
[2010/05/05 02:26:14 | 000,032,642 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2008/01/19 02:45:45 | 000,333,203 | RHS- | M] () -- C:\bootmgr
[2006/06/11 19:36:06 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2009/03/20 00:53:27 | 000,001,419 | ---- | M] () -- C:\cmdline.txt
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010/05/05 02:46:15 | 3219,578,880 | -HS- | M] () -- C:\hiberfil.sys
[2008/04/29 18:05:27 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/12/14 21:46:15 | 000,000,165 | ---- | M] () -- C:\labelPrint.log
[2008/05/02 18:24:52 | 000,064,500 | ---- | M] () -- C:\log.txt
[2008/07/24 18:12:43 | 000,000,000 | R--- | M] () -- C:\logwmemory.bin
[2010/05/04 21:06:39 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2008/04/29 18:05:27 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/05/05 02:46:11 | 3533,373,440 | -HS- | M] () -- C:\pagefile.sys
[2007/12/14 21:49:42 | 000,000,163 | ---- | M] () -- C:\power2go.log
[2009/07/19 20:28:49 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/09/20 02:22:00 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/10/21 08:41:38 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/10/22 08:39:35 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/10/23 08:48:24 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/10/23 20:17:49 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/10/26 18:38:11 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/10/27 08:39:37 | 000,000,280 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/10/28 03:05:51 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/10/29 08:36:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/10/30 08:41:29 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/11/02 09:41:05 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/11/03 09:37:15 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/11/04 09:38:13 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/11/05 09:43:00 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/11/06 09:42:09 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/11/10 09:36:30 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/11/11 09:38:28 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/11/26 22:50:59 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/11/27 01:31:55 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/07/19 20:28:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/09/20 02:22:00 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/10/21 08:41:38 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/10/22 08:39:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/10/23 08:48:24 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/10/23 20:17:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/10/26 18:38:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/10/27 08:39:37 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/10/28 03:05:51 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/10/29 08:36:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/10/30 08:41:29 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/11/02 09:41:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/11/03 09:37:15 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/11/04 09:38:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/11/05 09:43:00 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/11/06 09:42:09 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/11/10 09:36:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/11/11 09:38:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/11/26 22:50:59 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/11/27 01:31:55 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/19 02:38:03 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/19 02:36:10 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2010/02/20 16:18:40 | 000,411,136 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\http.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/23 06:32:31 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb.sys
[2010/02/23 06:32:36 | 000,212,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys
[2010/02/23 06:32:33 | 000,078,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys
[2010/05/05 03:11:58 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\pdlxm.sys
[2010/02/18 09:49:38 | 000,898,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpip.sys
[2010/02/18 06:52:00 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tunnel.sys

========== Files - Unicode (All) ==========
[2010/04/30 03:19:38 | 004,764,011 | ---- | M] ()(C:\Users\darren\Documents\??_-_???.mp3) -- C:\Users\darren\Documents\丁噹_-_我愛他.mp3
[2010/04/30 03:11:40 | 004,764,011 | ---- | C] ()(C:\Users\darren\Documents\??_-_???.mp3) -- C:\Users\darren\Documents\丁噹_-_我愛他.mp3
< End of report >


Gmer

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-05 09:01:46
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\darren\AppData\Local\Temp\uxryrpob.sys


---- System - GMER 1.0.15 ----

SSDT A0132A3C ZwCreateThread
SSDT A0132A28 ZwOpenProcess
SSDT A0132A2D ZwOpenThread
SSDT A0132A37 ZwTerminateProcess
SSDT A0132A32 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 454 81CEBB18 4 Bytes [3C, 2A, 13, A0]
.text ntkrnlpa.exe!KeSetTimerEx + 624 81CEBCE8 4 Bytes [28, 2A, 13, A0]
.text ntkrnlpa.exe!KeSetTimerEx + 640 81CEBD04 4 Bytes [2D, 2A, 13, A0]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81CEBF18 4 Bytes [37, 2A, 13, A0]
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 81CEBF78 4 Bytes [32, 2A, 13, A0]
? System32\Drivers\pdlxm.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E207340, 0x39BD97, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0023000A
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 0011000A
.text C:\Windows\system32\svchost.exe[1120] ole32.dll!CoCreateInstance 76BCE188 5 Bytes JMP 0161000A
.text C:\Windows\Explorer.EXE[1972] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0174000A
.text C:\Windows\Explorer.EXE[1972] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0175000A
.text C:\Windows\Explorer.EXE[1972] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 016F000A
.text C:\Windows\system32\wuauclt.exe[2428] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0015000A
.text C:\Windows\system32\wuauclt.exe[2428] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0016000A
.text C:\Windows\system32\wuauclt.exe[2428] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 000C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0031000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0032000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 0030000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxIndirectParamW 75E3BD25 5 Bytes JMP 70C8076D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxParamW 75E51FD5 5 Bytes JMP 70C806F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxParamA 75E780B2 5 Bytes JMP 70C80732 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxIndirectParamA 75E783DD 5 Bytes JMP 70C807A8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxIndirectA 75E8D471 5 Bytes JMP 70C806B3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxIndirectW 75E8D56B 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxIndirectW 75E8D56B 5 Bytes JMP 70C8066F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxExA 75E8D5D1 5 Bytes JMP 70C80635 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxExW 75E8D5F5 5 Bytes JMP 70C805FB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ole32.dll!OleLoadFromStream 76B99726 5 Bytes JMP 70C8096A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!NtProtectVirtualMemory 76FF8968 5 Bytes JMP 0031000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!NtWriteVirtualMemory 76FF92A8 5 Bytes JMP 0032000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!KiUserExceptionDispatcher 76FF99E8 5 Bytes JMP 0030000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamW 75E3BD25 5 Bytes JMP 70C8076D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamW 75E51FD5 5 Bytes JMP 70C806F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamA 75E780B2 5 Bytes JMP 70C80732 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamA 75E783DD 5 Bytes JMP 70C807A8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectA 75E8D471 5 Bytes JMP 70C806B3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectW 75E8D56B 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectW 75E8D56B 5 Bytes JMP 70C8066F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExA 75E8D5D1 5 Bytes JMP 70C80635 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExW 75E8D5F5 5 Bytes JMP 70C805FB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] ole32.dll!OleLoadFromStream 76B99726 5 Bytes JMP 70C8096A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8718A650

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000070 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000006e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device -> \Driver\iaStor \Device\Harddisk0\DR0 89125EE4

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pdlxm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00197efbbb73
Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00197efbd557
Reg HKLM\SYSTEM\CurrentControlSet\Services\pdlxm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\pdlxm@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pdlxm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pdlxm@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\00197efbbb73 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\00197efbd557 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\pdlxm@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\pdlxm@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\pdlxm@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\pdlxm@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thanks.

#4
jwang01

    Trusted Helper

  • Malware Removal
  • 2,567 posts
Hello,


Download Combofix from any of the links below but rename it to cf123.com before saving it to your desktop.

Link 1
Link 2
Link 3


==================================


Double click on cf123.com (the renamed ComboFix.exe) and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#5
spiritboy3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
I received a BSOD during the ComboFix scan; I'll probably scan it again. Thanks, hope for a response soon :)

#6
jwang01

    Trusted Helper

  • Malware Removal
  • 2,567 posts
Hello,


If ComboFix is not running correctly in normal mode, go ahead and try it in safe mode. Here's how to get into Safe Mode:

  • Restart your computer.
  • Right when your computer starts booting tap the F8 key until a boot menu appears. If you reach the normal Windows loading screen, you will have to restart and try again.
  • Select the option that says Safe Mode.
  • Then try to run ComboFix again and post the log back here. :)


#7
spiritboy3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
After a long time I managed to get this through. ComboFix asked me if I wanted to update and I agreed. During the scan Avira stated it detected viruses and I ignored them since I think it's from ComboFix; hope it's still useful, thanks.

ComboFix 10-05-05.06 - darren 05/06/2010 3:10.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1976 [GMT -5:00]
Running from: c:\users\darren\Desktop\cfc123.com
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\darren\AppData\Local\extuxobki
c:\users\darren\AppData\Local\extuxobki\wyjgttatssd.exe
c:\windows\system32\drivers\pdlxm.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_pdlxm
-------\Service_pdlxm


((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-06 08:23 . 2010-05-06 08:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-06 08:23 . 2010-05-06 08:27 -------- d-----w- c:\users\darren\AppData\Local\temp
2010-05-04 23:53 . 2010-05-05 02:23 -------- d-----w- c:\users\darren\AppData\Local\vtktkglpl
2010-04-19 22:06 . 2010-04-19 22:06 -------- d-----w- c:\programdata\PC Suite
2010-04-19 22:02 . 2010-04-19 22:02 -------- d-----w- c:\users\darren\AppData\Local\IsolatedStorage
2010-04-19 22:02 . 2010-04-19 22:02 -------- d-----w- c:\users\darren\AppData\Roaming\PC Suite
2010-04-19 22:01 . 2010-04-19 22:01 -------- d-----w- c:\users\darren\AppData\Roaming\Nokia
2010-04-19 22:00 . 2010-04-19 22:00 -------- d-----w- c:\users\darren\AppData\Local\Nokia
2010-04-19 22:00 . 2010-04-19 22:00 -------- d-----w- c:\programdata\NokiaMusic
2010-04-19 21:59 . 2010-04-19 22:00 -------- d-----w- c:\program files\Common Files\Nokia
2010-04-19 21:59 . 2010-04-19 21:59 -------- d-----w- c:\program files\DIFX
2010-04-19 21:59 . 2008-08-26 14:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-04-19 21:59 . 2010-04-19 21:59 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-19 21:58 . 2010-04-19 22:00 -------- d-----w- c:\program files\Nokia
2010-04-19 21:58 . 2009-12-30 16:30 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-04-14 23:20 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 23:20 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 23:17 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 23:17 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 23:17 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 23:17 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 23:07 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 23:07 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 23:07 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 05:52 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 05:27 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 08:24 . 2007-12-15 03:19 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-05 02:50 . 2010-03-10 00:32 439816 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-05-05 02:06 . 2009-06-06 07:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 02:05 . 2009-06-24 09:58 6153352 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-02 03:25 . 2010-05-02 03:25 13407072 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-04-29 20:39 . 2009-06-06 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-06-06 07:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 12:21 . 2010-03-25 21:19 -------- d-----w- c:\program files\WebCompass
2010-04-24 16:31 . 2010-04-24 16:31 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-19 22:05 . 2010-04-19 22:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-04-19 22:02 . 2008-01-15 21:17 75336 ----a-w- c:\users\darren\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-18 04:23 . 2010-04-18 04:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-04-15 12:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-15 08:02 . 2007-12-15 02:47 -------- d-----w- c:\programdata\Microsoft Help
2010-03-25 07:52 . 2010-03-25 07:51 20846064 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-10 08:34 . 2010-03-10 08:33 8405312 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-10 08:33 . 2010-03-10 08:33 149000 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-10 08:33 . 2010-03-10 08:33 283280 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-10 08:33 . 2010-03-10 08:33 181768 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-10 08:33 . 2010-03-10 08:33 79368 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\vista.exe
2010-03-10 08:32 . 2010-03-10 08:32 64000 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-10 08:32 . 2010-03-10 08:32 52288 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-10 08:32 . 2010-03-10 08:32 50688 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-10 08:32 . 2010-03-10 08:32 49152 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-10 08:32 . 2010-03-10 08:32 118784 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-09 16:28 . 2010-03-31 04:19 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-31 04:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-31 04:19 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-01 00:25 . 2009-12-17 00:19 439816 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-02-24 15:16 . 2009-10-02 20:52 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:39 . 2010-03-11 09:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 09:00 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 09:00 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-03 06:35 . 2009-12-03 06:35 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-02-25 07:57 . 2009-02-22 00:05 69984288 --sha-w- c:\windows\System32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-15 857648]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-03 30192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-11-09 409600]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-15 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-15 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-15 81920]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-07-18 266497]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-21 185896]
"LiveUpdate"="c:\program files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" [2009-06-06 270336]
"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

c:\users\darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3710337376-2023892170-4260369935-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000002

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 135664]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-03 30192]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-11-12 3403420]
S2 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-07-18 164097]
S2 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-07-18 258305]
S2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-07-18 41217]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WebCompass REG_MULTI_SZ wcsv
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 00:59]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 00:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-6831FX
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: avsda.dll
FF - ProfilePath - c:\users\darren\AppData\Roaming\Mozilla\Firefox\Profiles\81txr0cc.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-kkksgtno - c:\users\darren\AppData\Local\extuxobki\wyjgttatssd.exe
MSConfigStartUp-Windows live Messenger - msn.com



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 03:26
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x88F3DEE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a7ad322
\Driver\ACPI -> acpi.sys @ 0x82296d4c
\Driver\atapi -> ataport.SYS @ 0x829d89a8
\Driver\iaStor -> iaStor.sys @ 0x82324c1a
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3416)
c:\windows\system32\avsda.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Premium\sched.exe
c:\windows\system32\agrsmsvc.exe
c:\windows\system32\conime.exe
c:\program files\Avira\AntiVir PersonalEdition Premium\avguard.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\STacSV.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2010-05-06 03:39:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-06 08:39

Pre-Run: 180,340,060,160 bytes free
Post-Run: 180,165,750,784 bytes free

- - End Of File - - 02E4DDB037DE227F9D2B80F01FBEF531
  • 0

#8
jwang01

jwang01

    Trusted Helper

  • Malware Removal
  • 2,567 posts
Hello,



1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::
c:\users\darren\AppData\Local\vtktkglpl

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Next



Please run another scan with GMER and post the log in your next reply.
  • 0

#9
spiritboy3

spiritboy3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
I already posted a ComboFix log, or is this the next step for it? Thanks.
  • 0

#10
jwang01

jwang01

    Trusted Helper

  • Malware Removal
  • 2,567 posts
Hello,


You need to run the CF Script I posted in my last post. That will produce another ComboFix log. Then run GMER again and post that fresh log back here as well. :)
  • 0


#11
spiritboy3

spiritboy3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
I had to do the ComboFix scan in safe mode due to the continuous BSOD. And I keep getting a BSOD during the GMER scan with some iastor.sys thing, so should I do the GMER scan in safe mode as well? Thanks.


ComboFix 10-05-05.0D - darren 05/06/2010 16:36:22.9.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2642 [GMT -5:00]
Running from: c:\users\darren\Desktop\cfc123.com
Command switches used :: c:\users\darren\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\darren\AppData\Local\vtktkglpl

.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-06 21:44 . 2010-05-06 21:44 -------- d-----w- c:\users\darren\AppData\Local\temp
2010-05-06 21:44 . 2010-05-06 21:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-06 21:44 . 2010-05-06 21:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-06 21:44 . 2010-05-06 21:44 -------- d-----w- c:\users\AppData\AppData\Local\temp
2010-05-02 03:25 . 2010-05-02 03:25 13407072 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-04-24 16:31 . 2010-04-24 16:31 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-19 22:06 . 2010-04-19 22:06 -------- d-----w- c:\programdata\PC Suite
2010-04-19 22:02 . 2010-04-19 22:02 -------- d-----w- c:\users\darren\AppData\Local\IsolatedStorage
2010-04-19 22:02 . 2010-04-19 22:02 -------- d-----w- c:\users\darren\AppData\Roaming\PC Suite
2010-04-19 22:01 . 2010-04-19 22:01 -------- d-----w- c:\users\darren\AppData\Roaming\Nokia
2010-04-19 22:00 . 2010-04-19 22:00 -------- d-----w- c:\users\darren\AppData\Local\Nokia
2010-04-19 22:00 . 2010-04-19 22:00 -------- d-----w- c:\programdata\NokiaMusic
2010-04-19 21:59 . 2010-04-19 22:00 -------- d-----w- c:\program files\Common Files\Nokia
2010-04-19 21:59 . 2010-04-19 21:59 -------- d-----w- c:\program files\DIFX
2010-04-19 21:59 . 2008-08-26 14:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-04-19 21:59 . 2010-04-19 21:59 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-19 21:58 . 2010-04-19 22:00 -------- d-----w- c:\program files\Nokia
2010-04-19 21:58 . 2009-12-30 16:30 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-04-14 23:20 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 23:20 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 23:17 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 23:17 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 23:17 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 23:17 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 23:07 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 23:07 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 23:07 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 05:52 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 05:27 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 21:32 . 2007-12-15 03:19 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-05 02:50 . 2010-03-10 00:32 439816 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-05-05 02:06 . 2009-06-06 07:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 02:05 . 2009-06-24 09:58 6153352 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-29 20:39 . 2009-06-06 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-06-06 07:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 12:21 . 2010-03-25 21:19 -------- d-----w- c:\program files\WebCompass
2010-04-19 22:05 . 2010-04-19 22:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-04-19 22:02 . 2008-01-15 21:17 75336 ----a-w- c:\users\darren\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-18 04:23 . 2010-04-18 04:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-04-15 12:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-15 08:02 . 2007-12-15 02:47 -------- d-----w- c:\programdata\Microsoft Help
2010-03-25 07:52 . 2010-03-25 07:51 20846064 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-10 08:34 . 2010-03-10 08:33 8405312 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-10 08:33 . 2010-03-10 08:33 149000 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-10 08:33 . 2010-03-10 08:33 283280 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-10 08:33 . 2010-03-10 08:33 181768 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-10 08:33 . 2010-03-10 08:33 79368 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\vista.exe
2010-03-10 08:32 . 2010-03-10 08:32 64000 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-10 08:32 . 2010-03-10 08:32 52288 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-10 08:32 . 2010-03-10 08:32 50688 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-10 08:32 . 2010-03-10 08:32 49152 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-10 08:32 . 2010-03-10 08:32 118784 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-09 16:28 . 2010-03-31 04:19 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-31 04:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-31 04:19 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-01 00:25 . 2009-12-17 00:19 439816 ----a-w- c:\users\darren\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-02-24 15:16 . 2009-10-02 20:52 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:39 . 2010-03-11 09:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 09:00 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 09:00 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-03 06:35 . 2009-12-03 06:35 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-02-25 07:57 . 2009-02-22 00:05 69984288 --sha-w- c:\windows\System32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-15 857648]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-03 30192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-11-09 409600]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-15 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-15 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-15 81920]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-07-18 266497]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-21 185896]
"LiveUpdate"="c:\program files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" [2009-06-06 270336]
"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

c:\users\darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3710337376-2023892170-4260369935-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000002

R2 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-07-18 164097]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-07-18 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-07-18 41217]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 135664]
R2 wcsv;WebCompass Updater Service;c:\windows\system32\svchost.exe [2008-01-19 21504]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-03 30192]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-11-12 3403420]
S0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\DRIVERS\Si3531.sys [2007-06-01 210736]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WebCompass REG_MULTI_SZ wcsv
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 00:59]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 00:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-6831FX
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: avsda.dll
FF - ProfilePath - c:\users\darren\AppData\Roaming\Mozilla\Firefox\Profiles\81txr0cc.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 16:44
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-06 16:49:12
ComboFix-quarantined-files.txt 2010-05-06 21:49
ComboFix2.txt 2010-05-06 08:39

Pre-Run: 183,417,376,768 bytes free
Post-Run: 183,354,822,656 bytes free

- - End Of File - - 5D093E0D83679C78E9BAA11632E82428
  • 0

#12
jwang01

jwang01

    Trusted Helper

  • Malware Removal
  • 2,567 posts
Hello,


Yes, go ahead and try it in safe mode. :)
  • 0

#13
spiritboy3

spiritboy3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
Should I do a TFC clean next time to decrease the scanning time? Thanks.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 18:05:13
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\darren\AppData\Local\Temp\uxryrpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00197efbbb73
Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00197efbd557
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\00197efbbb73 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\00197efbd557 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----
  • 0

#14
jwang01

jwang01

    Trusted Helper

  • Malware Removal
  • 2,567 posts
Hello,


No need for TFC yet. I will empty your temp files with OTL after I see the next two logs. Are your search results still being redirected?


  • Please download mbr.exe from mbr.exe, and save it to your Desktop. Do not run it yet.
  • Now go to Start, then run and enter in "%userprofile%\desktop\mbr.exe" -f
  • Then press enter. When it is done scanning, it will produce a log for you. Please post that back here in your next reply.



next



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    /md5start
    iaStor.sys
    /md5stop


  • Now hit the Run Scan button. Post the log that it produces in your next reply.

Edited by jwang01, 06 May 2010 - 06:11 PM.

  • 0

#15
spiritboy3

spiritboy3

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 136 posts
Well, I tried Google searching and clicking several sites. For my first one it redirected, the tray bar turned white like it used to, and a pop-up site came up. But after that try, every site I clicked, including the one that had redirected me to another site, worked without redirecting... pretty weird...

OTL

OTL logfile created on: 5/6/2010 7:22:41 PM - Run 4
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\darren\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.93 Gb Total Space | 167.83 Gb Free Space | 75.62% Space Free | Partition Type: NTFS
Drive D: | 10.95 Gb Total Space | 4.42 Gb Free Space | 40.33% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DARREN-PC
Current User Name: darren
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\darren\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe (Avira GmbH)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
PRC - C:\Windows\System32\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Windows\System32\agrsmsvc.exe (Agere Systems)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\darren\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (wcsv) -- C:\Program Files\WebCompass\wcsv.dll ()
SRV - (ServiceLayer) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (GoogleDesktopManager-110309-193829) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe (Avira GmbH)
SRV - (antivirwebservice) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE (Avira GmbH)
SRV - (AntiVirMailService) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe (Avira GmbH)
SRV - (AntiVirScheduler) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe (Avira GmbH)
SRV - (AVEService) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe (Avira GmbH)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (IDT, Inc.)
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


========== Driver Services (SafeList) ==========

DRV - (nmwcd) -- C:\Windows\System32\drivers\ccdcmb.sys (Nokia)
DRV - (NETw5v32) Intel® -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (pccsmcfd) -- C:\Windows\System32\drivers\pccsmcfd.sys (Nokia)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgntflt.sys (Avira GmbH)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (NETw4v32) Intel® -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (RTSTOR) -- C:\Windows\System32\drivers\RTSTOR.sys (Realtek Semiconductor Corp.)
DRV - (Si3531) -- C:\Windows\system32\DRIVERS\Si3531.sys (Silicon Image, Inc)
DRV - (SiFilter) -- C:\Windows\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc.)
DRV - (SiRemFil) -- C:\Windows\system32\DRIVERS\SiRemFil.sys (Silicon Image, Inc.)
DRV - (UVCFTR) -- C:\Windows\System32\drivers\UVCFTR_S.SYS (Chicony Electronics Co., Ltd.)
DRV - (btwaudio) -- C:\Windows\System32\drivers\btwaudio.sys (Broadcom Corporation.)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgio.sys (Avira GmbH)
DRV - (btwavdt) -- C:\Windows\System32\drivers\btwavdt.sys (Broadcom Corporation.)
DRV - (btwrchid) -- C:\Windows\System32\drivers\btwrchid.sys (Broadcom Corporation.)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (ac97intc) Intel® 82801 Audio Driver Install Service (WDM) -- C:\Windows\System32\drivers\ac97intc.sys (Intel Corporation)
DRV - (NETw2v32) Intel® -- C:\Windows\System32\drivers\NETw2v32.sys (Intel® Corporation)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (StarOpen) -- C:\Windows\System32\drivers\StarOpen.sys ()
DRV - (sscdmdm) -- C:\Windows\System32\drivers\sscdmdm.sys (MCCI)
DRV - (sscdmdfl) -- C:\Windows\System32\drivers\sscdmdfl.sys (MCCI)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\Windows\System32\drivers\sscdbus.sys (MCCI)
DRV - (giveio) -- C:\Windows\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...&M=P-6831FX

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.3

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/09/21 12:59:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/31 02:39:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/31 02:39:07 | 000,000,000 | ---D | M]

[2009/06/28 04:09:21 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\Mozilla\Extensions
[2010/05/05 03:00:34 | 000,000,000 | ---D | M] -- C:\Users\darren\AppData\Roaming\Mozilla\Firefox\Profiles\81txr0cc.default\extensions
[2009/09/02 16:00:49 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\darren\AppData\Roaming\Mozilla\Firefox\Profiles\81txr0cc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/05 03:00:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/06 03:26:18 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Gateway\traybar.exe (Chicony)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [LiveUpdate] C:\Program Files\Samsung\Samsung PC Studio 3\Update\Copyer.exe (TODO: <Company Name>)
O4 - HKLM..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
O4 - HKLM..\Run: [NokiaMusic FastStart] C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe (Nokia)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla\4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.4; Mozilla\4.0 ( File not found
O4 - Startup: C:\Users\darren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll (Installation Support)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zon...wn.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.co.../sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://messenger.zon...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zon...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} http://driveragent.c...driveragent.cab (Driver Agent ActiveX Control)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zon...er.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\darren\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Users\darren\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/06 16:49:15 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/05/06 16:49:15 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Local\temp
[2010/05/06 16:47:50 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/05/06 16:34:49 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/05/06 02:33:02 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/05/06 02:33:01 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/05/06 02:33:01 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/05/06 02:31:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/05 03:01:28 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Users\darren\Desktop\OTL.exe
[2010/04/19 17:06:03 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Suite
[2010/04/19 17:02:10 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Local\IsolatedStorage
[2010/04/19 17:02:09 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Roaming\PC Suite
[2010/04/19 17:01:27 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Roaming\Nokia
[2010/04/19 17:00:25 | 000,000,000 | ---D | C] -- C:\Users\darren\AppData\Local\Nokia
[2010/04/19 17:00:10 | 000,000,000 | ---D | C] -- C:\ProgramData\NokiaMusic
[2010/04/19 16:59:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nokia
[2010/04/19 16:59:15 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2010/04/19 16:59:14 | 000,018,816 | ---- | C] (Nokia) -- C:\Windows\System32\drivers\pccsmcfd.sys
[2010/04/19 16:59:11 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2010/04/19 16:58:24 | 000,091,136 | ---- | C] (Nokia) -- C:\Windows\System32\nmwcdcls.dll
[2010/04/19 16:58:24 | 000,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010/04/19 16:39:30 | 001,102,624 | ---- | C] (Nokia) -- C:\Users\darren\Desktop\SetupOviPlayer.exe
[2010/04/14 18:20:15 | 003,598,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/04/14 18:20:14 | 003,545,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/04/14 18:17:48 | 000,430,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/04/14 18:08:02 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm

========== Files - Modified Within 30 Days ==========

[2010/05/06 19:26:34 | 003,932,160 | -HS- | M] () -- C:\Users\darren\NTUSER.DAT
[2010/05/06 19:18:53 | 000,077,312 | ---- | M] () -- C:\Users\darren\Desktop\mbr.exe
[2010/05/06 19:14:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/06 18:22:24 | 000,703,078 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/06 18:22:24 | 000,604,010 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/06 18:22:24 | 000,104,740 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/06 18:11:24 | 000,179,894 | ---- | M] () -- C:\Users\darren\AppData\Roaming\nvModes.001
[2010/05/06 18:10:40 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/06 18:10:39 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/06 18:10:39 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/06 18:10:36 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/06 18:10:20 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/06 18:10:00 | 3219,578,880 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/06 18:05:36 | 000,524,288 | -HS- | M] () -- C:\Users\darren\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/05/06 18:05:36 | 000,065,536 | -HS- | M] () -- C:\Users\darren\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/05/06 17:20:26 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/05/06 17:01:47 | 228,817,557 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/05/06 16:44:51 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/05/06 15:47:36 | 003,683,491 | R--- | M] () -- C:\Users\darren\Desktop\cfc123.com
[2010/05/05 03:15:42 | 000,284,915 | ---- | M] () -- C:\Users\darren\Desktop\gmer.zip
[2010/05/05 03:01:20 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\darren\Desktop\OTL.exe
[2010/04/30 03:15:55 | 000,002,443 | ---- | M] () -- C:\Users\Public\Desktop\Nokia Ovi Player.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/28 17:24:01 | 000,313,760 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/04/23 03:53:15 | 005,534,283 | ---- | M] () -- C:\Users\darren\Documents\Big_Bang_-_Lies.mp3
[2010/04/19 17:05:30 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
[2010/04/19 17:02:13 | 000,075,336 | ---- | M] () -- C:\Users\darren\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/19 16:39:30 | 001,102,624 | ---- | M] (Nokia) -- C:\Users\darren\Desktop\SetupOviPlayer.exe
[2010/04/17 23:23:12 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

========== Files Created - No Company Name ==========

[2010/05/06 19:18:52 | 000,077,312 | ---- | C] () -- C:\Users\darren\Desktop\mbr.exe
[2010/05/06 18:10:00 | 3219,578,880 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/06 02:33:02 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/05/06 02:33:01 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/05/06 02:33:01 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/05/06 02:33:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/05/06 02:29:23 | 003,683,491 | R--- | C] () -- C:\Users\darren\Desktop\cfc123.com
[2010/05/05 03:19:35 | 228,817,557 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/05/05 03:15:41 | 000,284,915 | ---- | C] () -- C:\Users\darren\Desktop\gmer.zip
[2010/04/19 17:05:30 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
[2010/04/19 17:00:15 | 000,002,443 | ---- | C] () -- C:\Users\Public\Desktop\Nokia Ovi Player.lnk
[2010/04/17 23:23:12 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
[2009/05/29 22:56:19 | 000,000,124 | ---- | C] () -- C:\Windows\Peter's Go.ini
[2009/05/15 01:59:40 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2008/11/30 15:35:23 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2008/06/25 14:26:09 | 000,000,022 | ---- | C] () -- C:\Windows\msnmsgr.exe.ini
[2008/03/18 14:01:16 | 000,088,064 | ---- | C] () -- C:\Windows\System32\wiascanprofiles.dll
[2008/03/18 14:01:06 | 000,053,248 | ---- | C] () -- C:\Windows\System32\msident.dll
[2008/03/18 14:01:05 | 000,022,016 | ---- | C] () -- C:\Windows\System32\mtxdm.dll
[2008/03/18 14:01:02 | 000,008,704 | ---- | C] () -- C:\Windows\System32\rdpcfgex.dll
[2008/01/30 15:54:55 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2008/01/28 16:37:48 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini
[2008/01/16 16:32:54 | 000,000,031 | ---- | C] () -- C:\Windows\GunzLauncher.INI
[2007/12/14 21:58:02 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/05/17 14:38:25 | 000,003,584 | ---- | C] () -- C:\Windows\System32\wceprv.dll
[2007/03/29 15:42:38 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 07:34:33 | 000,062,976 | ---- | C] () -- C:\Windows\System32\dmcompos.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/11/14 16:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

========== Custom Scans ==========



< MD5 for: IASTOR.SYS >
[2007/02/12 16:37:22 | 000,537,368 | ---- | M] (Intel Corporation) MD5=2EE127D5407DA3957EE54711C9AED6EC -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2007/02/12 16:36:54 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
[2007/02/12 16:36:54 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\Windows\System32\drivers\iaStor.sys
[2007/02/12 16:36:54 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys

========== Files - Unicode (All) ==========
[2010/04/30 03:19:38 | 004,764,011 | ---- | M] ()(C:\Users\darren\Documents\??_-_???.mp3) -- C:\Users\darren\Documents\丁噹_-_我愛他.mp3
[2010/04/30 03:11:40 | 004,764,011 | ---- | C] ()(C:\Users\darren\Documents\??_-_???.mp3) -- C:\Users\darren\Documents\丁噹_-_我愛他.mp3
< End of report >

mbr

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !

thanks
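An added example for readers working through a log like the one above, not part of spiritboy3's post, of OTL, or of the helper's instructions: a small triage script that reads OTL lines and flags the entries a practitioner would look at first. The rules are editorial heuristics, not OTL's own logic and not a verdict of infection: a ProxyServer pointing at 127.0.0.1 on a non-standard port (here ProxyEnable = 0, so it is a leftover setting rather than an active proxy), EnableLUA = 0 (UAC switched off), O10 Winsock catalog entries whose file is missing, O28 ShellExecuteHooks entries with a registry error, and services or drivers whose publisher field is empty (unsigned or unknown vendor, which includes legitimate tools such as giveio.sys). The sample lines are copied from the log above; the rule names are my own.

```python
"""OTL log triage (added example, not OTL code).

Each rule is a heuristic over the line shapes OTL emits; a hit means
"look at this", not "this is malware".
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    rule: str    # heuristic that fired (names are this example's own)
    detail: str  # what in the line triggered it
    line: str    # the OTL line as given


# Line shapes taken from the OTL output above.
_PROXY_ENABLE = re.compile(r'"ProxyEnable"\s*=\s*(\d)')
_PROXY_SERVER = re.compile(r'"ProxyServer"\s*=\s*(\S+)')
_LOOPBACK_PROXY = re.compile(r'(?:^|=)127\.0\.0\.1:(\d+)')
_UAC_OFF = re.compile(r'policies\\System:\s*EnableLUA\s*=\s*0\b')
_O10_MISSING = re.compile(r'^O10 - .*File not found$')
# SRV/DRV lines end with the publisher in parentheses; "()" means none.
_NO_PUBLISHER = re.compile(
    r'^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\).* -- (?P<path>\S.*?) \(\)$')
_O28_BROKEN = re.compile(r'^O28 - .*(?:Key error|File not found)')


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious OTL line, in input order."""
    findings: List[Finding] = []
    proxy_enabled: Optional[bool] = None  # OTL prints ProxyEnable before ProxyServer
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _PROXY_ENABLE.search(line)
        if m:
            proxy_enabled = m.group(1) == "1"
            continue
        m = _PROXY_SERVER.search(line)
        if m:
            lb = _LOOPBACK_PROXY.search(m.group(1))
            if lb:
                if proxy_enabled is None:
                    state = "ProxyEnable not seen"
                elif proxy_enabled:
                    state = "enabled"
                else:
                    state = "disabled (leftover setting)"
                findings.append(Finding("loopback_proxy",
                                        f"port {lb.group(1)}, {state}", line))
            continue
        if _UAC_OFF.search(line):
            findings.append(Finding("uac_disabled", "EnableLUA = 0", line))
            continue
        if _O10_MISSING.match(line):
            findings.append(Finding("winsock_lsp_missing",
                                    "catalog entry points to a missing file", line))
            continue
        m = _NO_PUBLISHER.match(line)
        if m:
            findings.append(Finding("no_publisher",
                                    f"{m['kind']} {m['name']}: {m['path']}", line))
            continue
        if _O28_BROKEN.match(line):
            findings.append(Finding("shell_hook_broken",
                                    "ShellExecuteHooks CLSID without a file", line))
    return findings


def rule_counts(findings: Iterable[Finding]) -> Dict[str, int]:
    """How many times each rule fired; handy for a one-line summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Sample input: lines copied from the OTL log in the post above
# (two benign Avira lines included to show they do not fire).
SAMPLE_LINES = [
    r'DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)',
    r'SRV - (wcsv) -- C:\Program Files\WebCompass\wcsv.dll ()',
    r'DRV - (StarOpen) -- C:\Windows\System32\drivers\StarOpen.sys ()',
    r'DRV - (giveio) -- C:\Windows\system32\giveio.sys ()',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555',
    r'O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe (Avira GmbH)',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0',
    r'O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found',
    r'O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found',
    r'O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found',
    r'O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found',
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for f in hits:
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
    print(rule_counts(hits))
```

To run it over a real log, replace SAMPLE_LINES with `open("OTL.Txt", encoding="utf-8", errors="replace")`; the publisher rule deliberately stays noisy, since the right follow-up for an unsigned driver is to check the file's hash and origin, not to delete it on sight.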