
trojan.onlinegames.thx [RESOLVED]


  • This topic is locked

#16 mbha (Topic Starter)
Continued GMER scan.....
-----------------------------
.text win32k.sys!XFORMOBJ_bApplyXform + 4C BF8FCC52 142 Bytes CALL BF8DD23D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!XFORMOBJ_bApplyXform + DB BF8FCCE1 11 Bytes [ 80, 20, 02, 00, 00, 3B, C3, ... ]
.text win32k.sys!XFORMOBJ_bApplyXform + E7 BF8FCCED 13 Bytes CALL BF8DD23C \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FONTOBJ_vGetInfo + 1C BF8FCE7A 31 Bytes [ 00, 00, 6A, 0C, 8D, 45, D8, ... ]
.text win32k.sys!FONTOBJ_vGetInfo + 3C BF8FCE9A 152 Bytes CALL BF8DD8F7 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FONTOBJ_vGetInfo + D5 BF8FCF33 117 Bytes [ 12, 00, 00, 85, C0, 74, 41, ... ]
.text win32k.sys!FONTOBJ_vGetInfo + 14B BF8FCFA9 24 Bytes CALL BF80195A \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FONTOBJ_vGetInfo + 165 BF8FCFC3 65 Bytes [ 00, 8B, 03, 8B, 80, B4, 02, ... ]
.text win32k.sys!FONTOBJ_cGetGlyphs + 34 BF8FD140 39 Bytes [ FF, 55, 8B, EC, 8B, 45, 08, ... ]
.text win32k.sys!FONTOBJ_cGetGlyphs + 5C BF8FD168 67 Bytes [ 89, 48, 08, 74, 20, 8B, 40, ... ]
.text win32k.sys!FONTOBJ_cGetGlyphs + A0 BF8FD1AC 90 Bytes [ 55, 8B, EC, 56, FF, 15, E0, ... ]
.text win32k.sys!STROBJ_bGetAdvanceWidths + 33 BF8FD207 4 Bytes JMP BF8FD2DC \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!STROBJ_bGetAdvanceWidths + 38 BF8FD20C 232 Bytes [ B9, 40, 42, 0F, 00, 3B, F9, ... ]
.text win32k.sys!STROBJ_bGetAdvanceWidths + 121 BF8FD2F5 38 Bytes [ 5A, D7, 32, 00, 7C, 07, B8, ... ]
.text win32k.sys!STROBJ_bGetAdvanceWidths + 148 BF8FD31C 7 Bytes [ FF, FF, 55, 8B, EC, FC, 53 ]
.text win32k.sys!STROBJ_bGetAdvanceWidths + 150 BF8FD324 109 Bytes [ 45, 0C, 99, 8B, DA, 33, C2, ... ]
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 21 BF8FD4B9 19 Bytes [ F4, FF, 75, EC, FF, 75, E8, ... ]
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 35 BF8FD4CD 53 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 6C BF8FD504 8 Bytes [ 57, 8B, 7D, 20, 0F, 85, 6F, ... ]
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 76 BF8FD50E 28 Bytes [ 39, 5D, FC, 0F, 84, F7, 00, ... ]
.text win32k.sys!BRUSHOBJ_hGetColorTransform + 93 BF8FD52B 2 Bytes [ BC, 8B ]
.text win32k.sys!EngAllocUserMem + 34 BF8FDE5A 75 Bytes [ 2B, FB, 8B, 5D, FC, 81, E7, ... ]
.text win32k.sys!EngAllocUserMem + 80 BF8FDEA6 105 Bytes [ 08, 85, C0, 8B, F2, 0F, 84, ... ]
.text win32k.sys!EngAllocUserMem + EB BF8FDF11 51 Bytes [ CA, 8B, F3, F3, A5, 0F, B6, ... ]
.text win32k.sys!EngAllocUserMem + 11F BF8FDF45 11 Bytes [ 75, 1C, 8B, 7D, 14, 8B, 4D, ... ]
.text win32k.sys!EngAllocUserMem + 12B BF8FDF51 146 Bytes [ C3, 20, 3B, 5D, 10, 0F, 83, ... ]
.text win32k.sys!EngMarkBandingSurface + 8 BF8FE3F5 24 Bytes [ 2C, FF, 75, 28, FF, 75, 24, ... ]
.text win32k.sys!EngMarkBandingSurface + 21 BF8FE40E 44 Bytes [ FF, 50, FF, 75, 10, FF, 75, ... ]
.text win32k.sys!EngMarkBandingSurface + 4F BF8FE43C 15 Bytes [ 00, FE, 39, 7D, DC, 74, 08, ... ]
.text win32k.sys!EngMarkBandingSurface + 5F BF8FE44C 154 Bytes CALL BF800C62 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMarkBandingSurface + FA BF8FE4E7 9 Bytes [ 85, C0, 74, 29, 56, 8D, 45, ... ]
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 14 BF8FED03 292 Bytes [ 83, C6, 1C, 8D, 7D, EC, A5, ... ]
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 139 BF8FEE28 20 Bytes JMP BF8FEFD0 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 14E BF8FEE3D 72 Bytes JMP BF8FEF64 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 197 BF8FEE86 13 Bytes [ 5D, D4, 89, 5D, 08, FF, 75, ... ]
.text win32k.sys!BRUSHOBJ_ulGetBrushColor + 1A6 BF8FEE95 6 Bytes [ 89, 45, 0C, FF, 75, 10 ]
.text win32k.sys!EngStrokeAndFillPath + A BF9006ED 13 Bytes [ 89, 5D, FC, A1, E0, B7, 9A, ... ]
.text win32k.sys!EngStrokeAndFillPath + 18 BF9006FB 1 Byte [ 45 ]
.text win32k.sys!EngStrokeAndFillPath + 1A BF9006FD 62 Bytes [ 89, 45, E4, 6A, 06, 59, 8B, ... ]
.text win32k.sys!EngStrokeAndFillPath + 59 BF90073C 6 Bytes [ 0A, 3B, 4D, D8, 7D, 03 ]
.text win32k.sys!EngStrokeAndFillPath + 60 BF900743 2 Bytes [ 4D, D8 ]
.text win32k.sys!STROBJ_bEnum + D BF900BAE 54 Bytes [ 46, 04, 08, 89, 45, 08, 74, ... ]
.text win32k.sys!STROBJ_bEnum + 45 BF900BE6 82 Bytes [ 08, 8B, 09, 89, 4D, F0, 8A, ... ]
.text win32k.sys!STROBJ_bEnum + 98 BF900C39 2 Bytes [ 16, 01 ]
.text win32k.sys!STROBJ_bEnum + 9C BF900C3D 67 Bytes [ 88, 06, 88, 5E, 01, 88, 4E, ... ]
.text win32k.sys!STROBJ_bEnum + E1 BF900C82 60 Bytes [ 88, 46, 15, 88, 5E, 16, 88, ... ]
.text win32k.sys!EngCreateDriverObj + 1D BF908065 17 Bytes CALL 351C3255
.text win32k.sys!EngCreateDriverObj + 2F BF908077 26 Bytes CALL BF828F4E \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateDriverObj + 4A BF908092 52 Bytes [ 43, 04, 89, 45, F8, 56, 8D, ... ]
.text win32k.sys!EngCreateDriverObj + 7F BF9080C7 9 Bytes [ 00, 00, 3B, 75, E0, 0F, 8D, ... ]
.text win32k.sys!EngCreateDriverObj + 89 BF9080D1 82 Bytes [ 00, 8B, 45, FC, 3B, 45, 0C, ... ]
.text win32k.sys!EngLockDriverObj + 21 BF908223 55 Bytes [ 8B, 45, EC, 8B, 00, 8B, 00, ... ]
.text win32k.sys!EngDeleteDriverObj + 34 BF90825B 29 Bytes [ 75, 08, 8B, 06, FF, 30, E8, ... ]
.text win32k.sys!EngDeleteDriverObj + 52 BF908279 56 Bytes [ 00, 75, 18, 89, 55, FC, 56, ... ]
.text win32k.sys!EngDeleteDriverObj + 8C BF9082B3 3 Bytes [ 8B, FF, 55 ]
.text win32k.sys!EngDeleteDriverObj + 90 BF9082B7 10 Bytes [ EC, A1, 18, 4D, 9A, BF, 5D, ... ]
.text win32k.sys!EngDeleteDriverObj + 9C BF9082C3 22 Bytes [ 00, 90, 90, 90, 90, 90, 8B, ... ]
.text win32k.sys!EngGetCurrentProcessId + 5 BF908882 98 Bytes [ 75, 11, 03, 7D, D8, 03, 75, ... ]
.text win32k.sys!EngGetCurrentProcessId + 68 BF9088E5 92 Bytes [ 00, D3, FA, 6A, 08, 59, 2B, ... ]
.text win32k.sys!EngGetCurrentProcessId + C7 BF908944 28 Bytes CALL 48BCD7D4
.text win32k.sys!EngGetCurrentProcessId + E4 BF908961 94 Bytes [ FF, FF, 39, 55, 08, 74, 27, ... ]
.text win32k.sys!EngGetCurrentProcessId + 143 BF9089C0 123 Bytes [ 55, 8B, EC, A1, 18, 4D, 9A, ... ]
.text win32k.sys!PATHOBJ_bEnumClipLines + 6 BF90C61A 5 Bytes [ 89, 85, EC, FC, FF ]
.text win32k.sys!PATHOBJ_bEnumClipLines + C BF90C620 10 Bytes [ 8D, 9D, E4, FC, FF, FF, 89, ... ]
.text win32k.sys!PATHOBJ_bEnumClipLines + 17 BF90C62B 48 Bytes [ FF, 8D, 85, E4, FC, FF, FF, ... ]
.text win32k.sys!PATHOBJ_bEnumClipLines + 48 BF90C65C 17 Bytes [ 45, 08, 89, 43, 1C, 8B, 45, ... ]
.text win32k.sys!PATHOBJ_bEnumClipLines + 5A BF90C66E 15 Bytes [ 85, CC, FD, FF, FF, 8B, 30, ... ]
.text win32k.sys!EngMapFontFile + 4F BF90CFE6 91 Bytes [ 14, FF, 46, 04, FF, 75, 10, ... ]
.text win32k.sys!EngMapFontFile + AB BF90D042 77 Bytes [ 33, C9, 3B, F0, 0F, 94, C1, ... ]
.text win32k.sys!EngMapFontFile + F9 BF90D090 87 Bytes [ 75, 08, 83, C8, FF, E9, 7D, ... ]
.text win32k.sys!EngMapFontFile + 151 BF90D0E8 10 Bytes [ 18, 8B, 5D, 10, 89, 45, FC, ... ]
.text win32k.sys!EngMapFontFile + 15C BF90D0F3 50 Bytes [ 00, 3B, DF, 76, 27, 83, FB, ... ]
.text win32k.sys!EngUnmapFontFile + 8C BF90DE03 167 Bytes [ 4D, 08, 53, 56, 8B, 70, 78, ... ]
.text win32k.sys!EngUnmapFontFile + 134 BF90DEAB 1 Byte [ 0A ]
.text win32k.sys!EngUnmapFontFile + 136 BF90DEAD 51 Bytes [ C8, 8B, 00, 3B, C3, 74, 12, ... ]
.text win32k.sys!EngUnmapFontFile + 16A BF90DEE1 98 Bytes [ 17, 39, 58, 04, 7F, 19, 8B, ... ]
.text win32k.sys!EngUnmapFontFile + 1CD BF90DF44 56 Bytes [ 80, F8, 00, 00, 00, 89, 46, ... ]
.text win32k.sys!PALOBJ_cGetColors + 7 BF90E191 81 Bytes [ 85, E0, FD, FF, FF, 3B, C7, ... ]
.text win32k.sys!PALOBJ_cGetColors + 5A BF90E1E4 16 Bytes [ 8D, 8D, C4, FD, FF, FF, 51, ... ]
.text win32k.sys!PALOBJ_cGetColors + 6B BF90E1F5 11 Bytes [ 50, 8D, 8D, E4, FD, FF, FF, ... ]
.text win32k.sys!PALOBJ_cGetColors + 77 BF90E201 115 Bytes [ 8B, F8, EB, 42, 8B, 48, 58, ... ]
.text win32k.sys!PALOBJ_cGetColors + EB BF90E275 6 Bytes [ FF, 75, 18, FF, 75, 14 ]
.text win32k.sys!EngCreateClip + 1A BF910D00 55 Bytes CALL BF910A89 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateClip + 52 BF910D38 156 Bytes [ 3B, C1, 74, 43, 3D, F7, 00, ... ]
.text win32k.sys!EngCreateClip + EF BF910DD5 130 Bytes CALL BF804613 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateClip + 172 BF910E58 27 Bytes [ FF, 55, 8B, EC, 51, 89, 4D, ... ]
.text win32k.sys!EngCreateClip + 18E BF910E74 63 Bytes [ 00, 00, FF, 15, E4, C3, 98, ... ]
.text win32k.sys!EngSetPointerTag + 5 BF916075 41 Bytes [ 00, 00, EB, 1E, 90, 90, 90, ... ]
.text win32k.sys!EngSetPointerTag + 2F BF91609F 9 Bytes [ C2, 04, 00, 90, 90, 90, 90, ... ]
.text win32k.sys!EngSetPointerTag + 39 BF9160A9 60 Bytes [ 55, 8B, EC, 56, 8B, 75, 08, ... ]
.text win32k.sys!EngSetPointerTag + 76 BF9160E6 10 Bytes [ 55, 8B, EC, FF, 15, E8, C3, ... ]
.text win32k.sys!EngSetPointerTag + 81 BF9160F1 78 Bytes [ 15, 9C, C3, 98, BF, B9, 00, ... ]
.text win32k.sys!XFORMOBJ_iGetFloatObjXform + 23 BF933501 66 Bytes JMP B3536808
.text win32k.sys!FLOATOBJ_SetLong BF933547 166 Bytes [ 90, 8B, FF, 55, 8B, EC, 83, ... ]
.text win32k.sys!FLOATOBJ_Add + 9 BF9335EE 45 Bytes CALL BF804B28 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FLOATOBJ_SubFloat + 1B BF93361C 11 Bytes [ 8B, C6, 5E, 5D, C2, 04, 00, ... ]
.text win32k.sys!FLOATOBJ_SubFloat + 27 BF933628 30 Bytes [ 8B, FF, 55, 8B, EC, 56, E8, ... ]
.text win32k.sys!FLOATOBJ_SubLong + 1B BF933647 2 Bytes [ 4E, 04 ]
.text win32k.sys!FLOATOBJ_SubLong + 1E BF93364A 3 Bytes [ EE, 14, ED ]
.text win32k.sys!FLOATOBJ_SubLong + 22 BF93364E 5 Bytes [ 5E, 5D, C2, 04, 00 ]
.text win32k.sys!FLOATOBJ_Sub BF933657 66 Bytes [ 90, 8B, FF, 56, 33, F6, 39, ... ]
.text win32k.sys!FLOATOBJ_MulFloat + 29 BF93369C 35 Bytes [ A1, D0, 02, DF, FF, C1, E8, ... ]
.text win32k.sys!FLOATOBJ_MulLong + 22 BF9336C0 63 Bytes JMP BF94B018 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FLOATOBJ_DivFloat + 1B BF933700 42 Bytes [ 55, 8B, EC, 6A, 00, FF, 75, ... ]
.text win32k.sys!FLOATOBJ_DivLong + 1B BF93372B 39 Bytes [ FF, 75, 0C, 8D, 45, FC, 50, ... ]
.text win32k.sys!FLOATOBJ_Div + 1A BF933755 38 Bytes [ 8B, FF, 55, 8B, EC, A1, 18, ... ]
.text win32k.sys!FLOATOBJ_EqualLong + F BF93377C 123 Bytes [ FF, 55, 8B, EC, A1, 18, 4D, ... ]
.text win32k.sys!FLOATOBJ_LessThanLong BF9337F9 3 Bytes [ 90, 90, 90 ]
.text win32k.sys!FLOATOBJ_LessThanLong + 4 BF9337FD 32 Bytes [ FF, 55, 8B, EC, A1, 18, 4D, ... ]
.text win32k.sys!FLOATOBJ_LessThanLong + 25 BF93381E 21 Bytes [ A0, 8C, 01, 00, 00, 90, 90, ... ]
.text win32k.sys!FLOATOBJ_Equal + 2 BF933834 64 Bytes [ A0, 44, 01, 00, 00, 90, 90, ... ]
.text win32k.sys!FLOATOBJ_LessThan + 11 BF933875 3 Bytes [ FF, 60, 6C ]
.text win32k.sys!FLOATOBJ_LessThan + 1E BF933882 28 Bytes [ A1, 18, 4D, 9A, BF, 5D, FF, ... ]
.text win32k.sys!FLOATOBJ_LessThan + 3B BF93389F 83 Bytes [ 60, 0C, 90, 90, 90, 90, 90, ... ]
.text win32k.sys!FLOATOBJ_LessThan + 8F BF9338F3 18 Bytes [ FF, 55, 8B, EC, A1, 18, 4D, ... ]
.text win32k.sys!FLOATOBJ_LessThan + A2 BF933906 61 Bytes [ FF, 55, 8B, EC, A1, 18, 4D, ... ]
.text win32k.sys!EngGetCurrentThreadId + 8 BF933B93 39 Bytes [ 8B, FF, 55, 8B, EC, A1, 18, ... ]
.text win32k.sys!EngIsSemaphoreOwned BF933BBD 5 Bytes [ 90, 90, 8B, FF, 55 ]
.text win32k.sys!EngIsSemaphoreOwned + 6 BF933BC3 15 Bytes [ EC, A1, 18, 4D, 9A, BF, 5D, ... ]
.text win32k.sys!EngIsSemaphoreOwned + 18 BF933BD5 17 Bytes [ 8B, FF, 55, 8B, EC, A1, 18, ... ]
.text win32k.sys!EngDebugPrint BF933BE7 79 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text win32k.sys!EngDebugPrint + 53 BF933C3A 6 Bytes [ 8B, FF, 55, 8B, EC, 56 ]
.text win32k.sys!EngDebugPrint + 5B BF933C42 10 Bytes [ 08, 8D, 4D, 08, 33, F6, E8, ... ]
.text win32k.sys!EngDebugPrint + 66 BF933C4D 155 Bytes [ 39, 75, 08, 74, 1A, 8B, 45, ... ]
.text win32k.sys!EngAllocSectionMem + 51 BF933CEA 21 Bytes [ FC, 89, 7D, E4, 8B, 45, E4, ... ]
.text win32k.sys!EngAllocSectionMem + 67 BF933D00 35 Bytes [ 04, 83, C6, 04, 89, 75, DC, ... ]
.text win32k.sys!EngAllocSectionMem + 8B BF933D24 27 Bytes CALL BF8F8AAC \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFreeSectionMem + F BF933D40 61 Bytes [ 75, 08, 8D, 4D, 08, 33, F6, ... ]
.text win32k.sys!EngMapSection + 23 BF933D7E 54 Bytes [ 90, 90, 90, 8B, FF, 55, 8B, ... ]
.text win32k.sys!EngMapSection + 5A BF933DB5 8 Bytes [ 7D, 08, 8B, DF, F7, DB, 1B, ... ]
.text win32k.sys!EngMapSection + 63 BF933DBE 77 Bytes [ 45, C0, 8D, 47, F0, 23, D8, ... ]
.text win32k.sys!EngInitializeSafeSemaphore + D BF933E0C 5 Bytes [ 30, FF, 75, 2C, FF ]
.text win32k.sys!EngInitializeSafeSemaphore + 13 BF933E12 7 Bytes [ 28, FF, 75, 24, FF, 75, 20 ]
.text win32k.sys!EngInitializeSafeSemaphore + 1B BF933E1A 171 Bytes [ 75, 1C, FF, 75, 18, FF, 75, ... ]
.text win32k.sys!EngDeleteSafeSemaphore + 8B BF933EC6 86 Bytes [ 76, 04, 89, 7D, B8, 89, 75, ... ]
.text win32k.sys!EngDeleteSafeSemaphore + E2 BF933F1D 69 Bytes [ DC, 89, 75, F8, 8B, 7D, F4, ... ]
.text win32k.sys!EngDeleteSafeSemaphore + 128 BF933F63 13 Bytes [ 39, 45, C0, 89, 45, B0, C6, ... ]
.text win32k.sys!EngDeleteSafeSemaphore + 137 BF933F72 100 Bytes [ 0F, 84, A9, 00, 00, 00, 66, ... ]
.text win32k.sys!EngDeleteSafeSemaphore + 19C BF933FD7 89 Bytes [ 5F, 6B, 83, BF, 8B, 45, B0, ... ]
.text win32k.sys!EngAllocPrivateUserMem + 15 BF93438F 4 Bytes [ 00, 00, 77, 0E ]
.text win32k.sys!EngFreePrivateUserMem + 4 BF934394 110 Bytes [ CE, 69, C9, 50, 04, 00, 00, ... ]
.text win32k.sys!EngUnlockDirectDrawSurface + 31 BF934403 104 Bytes [ 6A, 02, FF, 75, F0, FF, 75, ... ]
.text win32k.sys!EngUnlockDirectDrawSurface + 9A BF93446C 131 Bytes [ FF, 45, F0, 8B, 45, F0, 81, ... ]
.text win32k.sys!EngUnlockDirectDrawSurface + 11E BF9344F0 40 Bytes CALL BF8969A5 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnlockDirectDrawSurface + 147 BF934519 51 Bytes CALL BF8969A6 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnlockDirectDrawSurface + 17B BF93454D 119 Bytes [ 45, D4, 89, 3C, 88, EB, 0D, ... ]
.text win32k.sys!EngGetType1FontList + 29 BF934F1B 24 Bytes [ EB, 02, 33, C0, 53, 53, FF, ... ]
.text win32k.sys!EngGetType1FontList + 42 BF934F34 63 Bytes [ 53, 57, 8D, 4D, FC, E8, D3, ... ]
.text win32k.sys!EngGetType1FontList + 82 BF934F74 27 Bytes [ F0, 3B, F3, 74, CA, 83, FF, ... ]
.text win32k.sys!EngGetType1FontList + 9E BF934F90 32 Bytes CALL BF837697 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetType1FontList + C0 BF934FB2 186 Bytes [ 85, C0, 74, 05, 83, C0, 10, ... ]
.text win32k.sys!EngQueryLocalTime + 49 BF93506D 65 Bytes [ 75, F4, 89, 75, F8, F6, 00, ... ]
.text win32k.sys!EngQueryLocalTime + 8B BF9350AF 76 Bytes [ 8B, 03, 8B, 49, 10, 3B, 88, ... ]
.text win32k.sys!EngQueryLocalTime + D8 BF9350FC 28 Bytes [ 85, C9, 75, 05, 21, 4D, 08, ... ]
.text win32k.sys!EngQueryLocalTime + F5 BF935119 24 Bytes [ FC, 8D, B0, D8, 03, 00, 00, ... ]
.text win32k.sys!EngQueryLocalTime + 10E BF935132 91 Bytes [ 0B, 8B, 89, DC, 01, 00, 00, ... ]
.text win32k.sys!EngCheckAbort + 61 BF935312 10 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text win32k.sys!EngCheckAbort + 6C BF93531D 129 Bytes [ B8, 00, 00, 00, 53, 8B, 5D, ... ]
.text win32k.sys!EngCheckAbort + EE BF93539F 10 Bytes [ 4E, 1C, 50, 83, EC, 10, 81, ... ]
.text win32k.sys!EngCheckAbort + F9 BF9353AA 90 Bytes [ 00, 8B, FC, A5, A5, A5, 51, ... ]
.text win32k.sys!EngCheckAbort + 154 BF935405 97 Bytes [ 14, 6A, 0E, 33, C0, F6, 06, ... ]
.text win32k.sys!EngUnmapEvent + 12 BF936B95 29 Bytes [ 8B, 75, 24, 85, F6, 74, 13, ... ]
.text win32k.sys!EngSetEvent + 2 BF936BB3 53 Bytes [ 75, 28, 56, FF, 75, 20, FF, ... ]
.text win32k.sys!EngReadStateEvent + 2 BF936BE9 6 Bytes [ 75, 10, E8, 0F, 1D, F9 ]
.text win32k.sys!EngReadStateEvent + 9 BF936BF0 37 Bytes [ 8B, D8, 8B, 75, 0C, 8B, 55, ... ]
.text win32k.sys!EngReadStateEvent + 2F BF936C16 114 Bytes [ C3, 5B, C9, C2, 28, 00, 90, ... ]
.text win32k.sys!EngReadStateEvent + A2 BF936C89 22 Bytes [ 8B, F8, 85, FF, 75, 21, FF, ... ]
.text win32k.sys!EngReadStateEvent + BA BF936CA1 123 Bytes [ 1C, FF, 75, 18, 53, FF, 75, ... ]
.text win32k.sys!EngGetFileChangeTime + 2B BF936D1D 34 Bytes [ 8B, 45, 08, 83, C7, 38, A5, ... ]
.text win32k.sys!EngGetFileChangeTime + 4F BF936D41 27 Bytes [ 8D, B3, 9C, 00, 00, 00, A5, ... ]
.text win32k.sys!EngGetFileChangeTime + 6B BF936D5D 63 Bytes [ 08, 8B, 4D, 0C, 89, 48, 68, ... ]
.text win32k.sys!EngGetFileChangeTime + AB BF936D9D 62 Bytes [ 55, 8B, EC, FF, 75, 10, 8B, ... ]
.text win32k.sys!EngGetFileChangeTime + EA BF936DDC 55 Bytes [ 00, 8B, 75, 18, 89, 0E, 8B, ... ]
.text win32k.sys!EngDeleteFile + 7 BF936F77 105 Bytes [ FF, 5F, 8B, C6, 5E, 5B, C9, ... ]
.text win32k.sys!EngDeleteFile + 71 BF936FE1 12 Bytes [ 08, F7, C1, 00, 00, 00, 02, ... ]
.text win32k.sys!EngDeleteFile + 7E BF936FEE 118 Bytes [ FF, FD, 84, C9, 89, 08, 79, ... ]
.text win32k.sys!EngDeleteFile + F5 BF937065 15 Bytes [ 8B, 55, 0C, 8D, 5E, 04, 8B, ... ]
.text win32k.sys!EngDeleteFile + 105 BF937075 35 Bytes [ 0E, 8B, 55, 10, 8B, CB, E8, ... ]
.text win32k.sys!EngControlSprites + 37 BF93815F 25 Bytes [ 85, C0, 0F, 84, BF, 00, 00, ... ]
.text win32k.sys!EngControlSprites + 51 BF938179 98 Bytes [ FF, EB, 05, 83, E1, FD, 89, ... ]
.text win32k.sys!EngControlSprites + B4 BF9381DC 103 Bytes CALL 4503C86C
.text win32k.sys!EngControlSprites + 11C BF938244 134 Bytes [ 55, 8B, EC, 83, EC, 14, 8B, ... ]
.text win32k.sys!EngControlSprites + 1A3 BF9382CB 48 Bytes [ 48, 28, 3B, 4A, 28, 75, 28, ... ]
.text win32k.sys!EngMovePointer + 6 BF938A8E 88 Bytes [ E0, 0F, 89, 02, 39, 71, 14, ... ]
.text win32k.sys!EngMovePointer + 5F BF938AE7 30 Bytes [ 90, 90, 90, 90, 90, 8B, 49, ... ]
.text win32k.sys!EngMovePointer + 7E BF938B06 18 Bytes [ FF, 55, 8B, EC, 8B, 55, 10, ... ]
.text win32k.sys!EngMovePointer + 91 BF938B19 106 Bytes [ 31, 03, 75, 14, 83, C1, 08, ... ]
.text win32k.sys!EngMovePointer + FC BF938B84 2 Bytes [ 85, C0 ]
.text win32k.sys!EngSetPointerShape + 9F BF938CA9 15 Bytes CALL BF802B14 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngSetPointerShape + AF BF938CB9 76 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text win32k.sys!EngSetPointerShape + FC BF938D06 3 Bytes [ 9B, 3D, FC ]
.text win32k.sys!EngSetPointerShape + 100 BF938D0A 30 Bytes [ 89, 45, F8, 33, D2, 8B, 03, ... ]
.text win32k.sys!EngSetPointerShape + 11F BF938D29 25 Bytes [ 75, 20, 8B, 4D, EC, FF, 75, ... ]
.text win32k.sys!EngQueryPalette + 1 BF9392A4 78 Bytes [ 80, 90, 00, 00, 00, 3B, 45, ... ]
.text win32k.sys!EngQueryPalette + 50 BF9392F3 1 Byte [ 0F ]
.text win32k.sys!EngQueryPalette + 52 BF9392F5 70 Bytes [ 0D, 60, 4D, 9A, BF, 89, 4B, ... ]
.text win32k.sys!EngQueryPalette + 99 BF93933C 22 Bytes CALL BF801943 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngQueryPalette + B0 BF939353 11 Bytes [ 00, 90, 90, 90, 90, 90, 8B, ... ]
.text win32k.sys!EngCreatePath BF9395B5 3 Bytes [ 90, 90, 90 ]
.text win32k.sys!EngCreatePath + 4 BF9395B9 76 Bytes [ FF, 55, 8B, EC, F6, 45, 08, ... ]
.text win32k.sys!EngDeletePath + 2 BF939606 1 Byte [ FF ]
.text win32k.sys!EngDeletePath + 4 BF939608 4 Bytes [ BF, 80, 00, 00 ]
.text win32k.sys!EngDeletePath + 9 BF93960D 54 Bytes JMP 8504768B
.text win32k.sys!EngDeletePath + 40 BF939644 2 Bytes [ 5D, 08 ]
.text win32k.sys!EngDeletePath + 43 BF939647 83 Bytes CALL BF938F29 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!PATHOBJ_bPolyBezierTo + E BF9396F3 27 Bytes CALL BF805B8B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!PATHOBJ_bPolyBezierTo + 2B BF939710 143 Bytes [ 83, C0, 1C, 50, 8D, 4D, 08, ... ]
.text win32k.sys!WNDOBJ_vSetConsumer + 62 BF9397A0 3 Bytes [ 4D, 10, E8 ]
.text win32k.sys!WNDOBJ_vSetConsumer + 66 BF9397A4 73 Bytes [ B3, EC, FF, FF, B3, 94, 00, ... ]
.text win32k.sys!WNDOBJ_vSetConsumer + B0 BF9397EE 9 Bytes CALL BF805AB3 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!WNDOBJ_vSetConsumer + BA BF9397F8 17 Bytes [ FC, FF, 73, 30, 8D, 75, D8, ... ]
.text win32k.sys!WNDOBJ_vSetConsumer + CC BF93980A 61 Bytes [ 8B, 8B, 84, 00, 00, 00, 6A, ... ]
.text win32k.sys!EngCreateWnd + 2 BF93988A 44 Bytes CALL ACE8B777
.text win32k.sys!EngCreateWnd + 2F BF9398B7 57 Bytes [ 45, F8, 8D, 45, F8, 89, 4D, ... ]
.text win32k.sys!EngCreateWnd + 69 BF9398F1 24 Bytes [ FF, 55, 8B, EC, 83, EC, 34, ... ]
.text win32k.sys!EngCreateWnd + 82 BF93990A 23 Bytes [ 35, 60, 4D, 9A, BF, 85, F6, ... ]
.text win32k.sys!EngCreateWnd + 9A BF939922 34 Bytes [ 75, F4, 85, 46, 18, 75, 0C, ... ]
.text win32k.sys!EngDeleteWnd + 1C BF939CCC 223 Bytes [ 85, FF, 74, 0F, 89, 38, 0F, ... ]
.text win32k.sys!EngDeleteWnd + FC BF939DAC 124 Bytes [ 0C, 8D, B0, AF, 99, BF, C7, ... ]
.text win32k.sys!EngDeleteWnd + 179 BF939E29 59 Bytes [ 8B, 19, 88, 14, 18, 8D, 0C, ... ]
.text win32k.sys!EngDeleteWnd + 1B5 BF939E65 20 Bytes [ 45, 0C, 0F, 85, AC, 00, 00, ... ]
.text win32k.sys!EngDeleteWnd + 1CA BF939E7A 89 Bytes [ 40, 0C, 8D, 14, 95, 30, B0, ... ]
.text win32k.sys!EngDitherColor + 1B BF93AA0F 175 Bytes [ 00, 00, 8B, 45, 08, 89, 8F, ... ]
.text win32k.sys!EngDitherColor + CB BF93AABF 1 Byte [ FF ]
.text win32k.sys!EngDitherColor + CD BF93AAC1 2 Bytes [ 4B, 08 ]
.text win32k.sys!EngDitherColor + D0 BF93AAC4 28 Bytes [ 55, 1C, 89, 45, FC, 83, 7D, ... ]
.text win32k.sys!EngDitherColor + ED BF93AAE1 122 Bytes [ 4D, 14, 39, 08, 77, 35, 8B, ... ]
.text win32k.sys!EngEnumForms + 13 BF93B29B 11 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text win32k.sys!EngEnumForms + 20 BF93B2A8 130 Bytes [ 8D, 4D, FC, 33, DB, E8, 4F, ... ]
.text win32k.sys!EngEnumForms + A3 BF93B32B 34 Bytes [ C3, 5B, C9, C2, 08, 00, 90, ... ]
.text win32k.sys!EngEnumForms + C6 BF93B34E 43 Bytes [ 02, 03, 00, 85, C0, 8B, 45, ... ]
.text win32k.sys!EngGetPrinter + 2
#17 mbha (Topic Starter)
Continued GMER scan
-------------------------
.text win32k.sys!EngEnumForms + C6 BF93B34E 43 Bytes [ 02, 03, 00, 85, C0, 8B, 45, ... ]
.text win32k.sys!EngGetPrinter + 2 BF93B37A 112 Bytes [ 75, 1C, FF, 75, 18, FF, 75, ... ]
.text win32k.sys!EngGetPrinter + 73 BF93B3EB 9 Bytes [ EC, 83, 7D, 10, 00, 74, 77, ... ]
.text win32k.sys!EngGetPrinter + 7D BF93B3F5 202 Bytes [ 75, 08, 57, 8B, 7D, 0C, 6A, ... ]
.text win32k.sys!EngGetForm + 30 BF93B4C0 30 Bytes JMP BF93B5B8 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetForm + 4F BF93B4DF 46 Bytes [ 05, 30, 04, 23, 00, 89, 45, ... ]
.text win32k.sys!EngGetForm + 7E BF93B50E 69 Bytes [ 00, 00, C7, 45, DC, 1C, 04, ... ]
.text win32k.sys!EngGetForm + C4 BF93B554 198 Bytes [ DC, 08, 08, 34, 00, EB, 5D, ... ]
.text win32k.sys!EngGetForm + 18B BF93B61B 19 Bytes [ 3B, 9A, AC, 00, 00, 00, 75, ... ]
.text win32k.sys!EngGetPrinterData + 8F BF93B7B5 136 Bytes [ 14, 01, 74, 06, FF, 15, 0C, ... ]
.text win32k.sys!EngSetPrinterData + B BF93B83E 13 Bytes [ 52, 03, CB, 51, 03, C3, 50, ... ]
.text win32k.sys!EngSetPrinterData + 19 BF93B84C 91 Bytes [ 10, D1, EE, D1, E6, 8B, 45, ... ]
.text win32k.sys!EngSetPrinterData + 75 BF93B8A8 53 Bytes [ EB, D7, 90, 90, 90, 90, 90, ... ]
.text win32k.sys!EngSetPrinterData + AB BF93B8DE 103 Bytes [ C6, C1, E0, 02, C1, E8, 02, ... ]
.text win32k.sys!EngWritePrinter + 2D BF93B946 10 Bytes [ 00, 00, F6, 45, 14, 01, 74, ... ]
.text win32k.sys!EngWritePrinter + 38 BF93B951 8 Bytes [ C4, 98, BF, 8B, 4D, 14, 8D, ... ]
.text win32k.sys!EngWritePrinter + 41 BF93B95A 68 Bytes [ 3B, C1, 72, 08, 3B, 05, E0, ... ]
.text win32k.sys!EngWritePrinter + 86 BF93B99F 50 Bytes [ 15, F4, C3, 98, BF, 83, 4D, ... ]
.text win32k.sys!EngWritePrinter + B9 BF93B9D2 20 Bytes [ 4D, AC, 03, C1, D1, E0, 8D, ... ]
.text win32k.sys!EngFileWrite + 21 BF93BB8D 12 Bytes [ E0, 00, 0F, 84, DE, 01, 00, ... ]
.text win32k.sys!EngFileWrite + 2E BF93BB9A 44 Bytes [ 00, 00, 8B, 75, 10, 85, F6, ... ]
.text win32k.sys!EngFileIoControl + 28 BF93BBC7 5 Bytes [ 5D, E0, 8D, 7B, 10 ]
.text win32k.sys!EngFileIoControl + 2E BF93BBCD 33 Bytes [ 3B, 8B, 4D, 10, 8B, 75, 0C, ... ]
.text win32k.sys!EngGetTickCount + 18 BF93BBEF 17 Bytes [ 4D, 14, 8D, 41, 0C, 3B, C1, ... ]
.text win32k.sys!EngGetTickCount + 2A BF93BC01 23 Bytes [ 15, F4, C3, 98, BF, 8D, 7B, ... ]
.text win32k.sys!EngGetTickCount + 43 BF93BC1A 16 Bytes [ 33, C0, 40, C3, 90, 90, 90, ... ]
.text win32k.sys!EngGetTickCount + 54 BF93BC2B 6 Bytes [ 5D, E0, 8D, 45, D4, 50 ]
.text win32k.sys!EngGetTickCount + 5B BF93BC32 39 Bytes [ 00, 6A, 00, FF, 75, C8, 53, ... ]
.text win32k.sys!EngHangNotification + 28 BF93E475 116 Bytes [ 8D, 4F, 08, FF, 15, B0, C5, ... ]
.text win32k.sys!EngHangNotification + 9D BF93E4EA 49 Bytes [ A5, 98, FC, FF, FF, 00, EB, ... ]
.text win32k.sys!EngHangNotification + CF BF93E51C 12 Bytes [ EC, 33, C0, 66, 39, 05, 50, ... ]
.text win32k.sys!EngHangNotification + DC BF93E529 91 Bytes [ 08, 0F, 94, C0, FF, 35, E0, ... ]
.text win32k.sys!EngHangNotification + 139 BF93E586 2 Bytes [ 75, 08 ]
.text win32k.sys!EngFntCacheFault + 18 BF93EEF7 25 Bytes CALL BF802B14 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFntCacheFault + 32 BF93EF11 28 Bytes CALL BF800C28 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFntCacheFault + 4F BF93EF2E 82 Bytes [ C1, 89, 45, CC, 8B, 08, 89, ... ]
.text win32k.sys!EngFntCacheFault + A2 BF93EF81 48 Bytes [ 00, 00, 89, 7D, E4, 33, DB, ... ]
.text win32k.sys!EngFntCacheFault + D3 BF93EFB2 124 Bytes [ 8D, 45, E4, 50, FF, 75, 10, ... ]
.text win32k.sys!EngMapModule + 2 BF93F134 17 Bytes [ 35, 34, 8B, 9A, BF, FF, 15, ... ]
.text win32k.sys!EngMapModule + 14 BF93F146 12 Bytes [ FC, EB, 60, FF, 35, 68, 5F, ... ]
.text win32k.sys!EngUnmapFile + 5 BF93F153 6 Bytes [ FF, FF, 46, 28, 39, 1F ]
.text win32k.sys!EngUnmapFile + C BF93F15A 112 Bytes [ 05, 89, 5D, 14, EB, 14, FF, ... ]
.text win32k.sys!EngUnmapFile + 80 BF93F1CE 153 Bytes [ 90, 8B, FF, 55, 8B, EC, 8B, ... ]
.text win32k.sys!EngUnmapFile + 11B BF93F269 24 Bytes CALL BF80FC46 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnmapFile + 134 BF93F282 8 Bytes [ 8B, 8E, 00, 03, 00, 00, 89, ... ]
.text win32k.sys!EngMapFile + 4 BF93F87B 17 Bytes [ 5D, F0, 89, 59, 14, 8B, 5D, ... ]
.text win32k.sys!EngMapFile + 16 BF93F88D 5 Bytes [ 5D, DC, 89, 59, 20 ]
.text win32k.sys!EngMapFile + 1C BF93F893 42 Bytes [ 5D, E0, 89, 31, 89, 59, 24, ... ]
.text win32k.sys!EngMapFile + 47 BF93F8BE 51 Bytes [ 78, 68, 01, 7D, EC, 8B, 78, ... ]
.text win32k.sys!EngMapFile + 7B BF93F8F2 62 Bytes [ 7A, 14, 11, 7D, F8, 8B, 7A, ... ]
.text win32k.sys!EngGetPrinterDataFileName + 9 BF93F9F7 93 Bytes [ 46, 10, 51, 50, 89, 55, F4, ... ]
.text win32k.sys!EngQueryDeviceAttribute + 33 BF93FA55 81 Bytes [ 75, F4, 8B, 4E, 24, FF, 75, ... ]
.text win32k.sys!EngQueryDeviceAttribute + 86 BF93FAA8 94 Bytes CALL BF800BBB \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngQueryDeviceAttribute + E6 BF93FB08 27 Bytes [ 89, 55, A4, 8B, 56, 0C, 3B, ... ]
.text win32k.sys!EngQueryDeviceAttribute + 102 BF93FB24 16 Bytes [ 00, 3B, FA, 7E, 07, 2B, D7, ... ]
.text win32k.sys!EngQueryDeviceAttribute + 113 BF93FB35 5 Bytes [ 55, FC, FF, 75, FC ]
.text win32k.sys!EngPlgBlt + 3B BF942052 13 Bytes CALL BF802B14 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngPlgBlt + 49 BF942060 11 Bytes [ 0C, C7, 45, C8, 01, 00, 00, ... ]
.text win32k.sys!EngPlgBlt + 55 BF94206C 51 Bytes [ 00, 8B, 45, 28, 8B, 48, 08, ... ]
.text win32k.sys!EngPlgBlt + 89 BF9420A0 65 Bytes [ 8B, 45, F4, 8B, 4D, A0, 8B, ... ]
.text win32k.sys!EngPlgBlt + CB BF9420E2 31 Bytes [ B5, 58, FF, FF, FF, E8, 97, ... ]
.text win32k.sys!STROBJ_fxBreakExtra + 39 BF94483C 9 Bytes [ EC, 53, 8B, 5D, 0C, 56, FF, ... ]
.text win32k.sys!STROBJ_fxBreakExtra + 43 BF944846 21 Bytes [ F6, 53, FF, 75, 08, E8, F3, ... ]
.text win32k.sys!STROBJ_fxBreakExtra + 59 BF94485C 31 Bytes [ 49, 74, 34, 49, 74, 2C, 49, ... ]
.text win32k.sys!STROBJ_fxBreakExtra + 79 BF94487C 78 Bytes [ 01, C1, E2, 08, 0B, D1, 83, ... ]
.text win32k.sys!STROBJ_fxBreakExtra + C8 BF9448CB 2 Bytes [ 5D, 10 ]
.text win32k.sys!FONTOBJ_pfdg + 16 BF945DAE 27 Bytes [ EC, 01, 00, 00, 89, 55, DC, ... ]
.text win32k.sys!FONTOBJ_cGetAllGlyphHandles + 1B BF945DCA 3 Bytes [ 89, 55, CC ]
.text win32k.sys!FONTOBJ_cGetAllGlyphHandles + 1F BF945DCE 12 Bytes [ 90, D8, 01, 00, 00, 89, 55, ... ]
.text win32k.sys!FONTOBJ_cGetAllGlyphHandles + 2C BF945DDB 57 Bytes [ 00, 89, 55, C4, 8B, 90, E0, ... ]
.text win32k.sys!FONTOBJ_pvTrueTypeFontFile + 35 BF945E15 5 Bytes CALL BF82C66B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FONTOBJ_pvTrueTypeFontFile + 3B BF945E1B 32 Bytes [ 4D, 0C, 89, 43, 64, 39, 7D, ... ]
.text win32k.sys!FONTOBJ_pvTrueTypeFontFile + 5C BF945E3C 124 Bytes [ 2B, 68, EE, FF, 99, F7, 7D, ... ]
.text win32k.sys!FONTOBJ_pwszFontFilePaths + 21 BF945EB9 5 Bytes [ 08, 89, 45, E4, B8 ]
.text win32k.sys!FONTOBJ_pwszFontFilePaths + 27 BF945EBF 6 Bytes [ 00, 00, 80, 89, 45, BC ]
.text win32k.sys!FONTOBJ_pwszFontFilePaths + 2E BF945EC6 12 Bytes CALL BEEAB61B
.text win32k.sys!FONTOBJ_pwszFontFilePaths + 3B BF945ED3 45 Bytes [ FF, 7F, 89, 55, B4, 89, 55, ... ]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 22 BF945F01 45 Bytes [ 01, 00, 00, 10, 74, 0D, F6, ... ]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 50 BF945F2F 24 Bytes [ 77, 14, FF, 77, 08, 50, 8D, ... ]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 69 BF945F48 36 Bytes [ 18, 03, 45, F8, 50, FF, 75, ... ]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 8E BF945F6D 57 Bytes [ 3B, 45, B8, 7E, 03, 89, 45, ... ]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + C8 BF945FA7 31 Bytes [ 45, 20, EB, 12, 8B, 47, 0C, ... ]
.text win32k.sys!XLATEOBJ_cGetPalette BF947468 3 Bytes [ 90, 90, 90 ]
.text win32k.sys!XLATEOBJ_cGetPalette + 4 BF94746C 26 Bytes [ FF, 55, 8B, EC, 83, EC, 10, ... ]
.text win32k.sys!XLATEOBJ_cGetPalette + 1F BF947487 31 Bytes CALL BF82126A \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!XLATEOBJ_cGetPalette + 3F BF9474A7 152 Bytes [ 41, 05, 10, 74, 09, FF, 71, ... ]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 55 BF947540 162 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text win32k.sys!XLATEOBJ_hGetColorTransform + F8 BF9475E3 112 Bytes [ FF, 8B, F8, 3B, FE, 75, 0C, ... ]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 169 BF947654 73 Bytes [ 74, 06, F6, 40, 64, 01, 74, ... ]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 1B3 BF94769E 168 Bytes [ 02, 00, 00, 8D, 45, 08, 50, ... ]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 25C BF947747 33 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text win32k.sys!EngDeleteClip + 6F BF976CB0 11 Bytes [ 74, 11, FF, 75, E0, 8B, CB, ... ]
.text win32k.sys!EngDeleteClip + 7B BF976CBC 21 Bytes [ 6A, 05, 59, 8B, F0, F3, A5, ... ]
.text win32k.sys!EngDeleteClip + 91 BF976CD2 11 Bytes CALL BF7BE2D6
.text win32k.sys!EngDeleteClip + 9D BF976CDE 1 Byte [ FF ]
.text win32k.sys!EngDeleteClip + 9F BF976CE0 22 Bytes [ 75, FC, 8D, 4D, F0, E8, 73, ... ]
.text win32k.sys!HT_ComputeRGBGammaTable + 4A BF97E19D 87 Bytes [ B6, 38, 8B, 3C, BA, 2B, FB, ... ]
.text win32k.sys!HT_ComputeRGBGammaTable + A2 BF97E1F5 29 Bytes [ 00, 70, 00, 80, E3, 0F, EB, ... ]
.text win32k.sys!HT_ComputeRGBGammaTable + C0 BF97E213 145 Bytes [ BC, BA, 00, 04, 00, 00, 23, ... ]
.text win32k.sys!HT_ComputeRGBGammaTable + 153 BF97E2A6 18 Bytes [ 2B, FB, 23, 7D, EC, 0F, B7, ... ]
.text win32k.sys!HT_ComputeRGBGammaTable + 166 BF97E2B9 68 Bytes [ 04, 00, 00, 2B, FB, 23, 7D, ... ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Files - GMER 1.0.14 ----

#18
mbha

    Member

  • Topic Starter
  • 19 posts
Continued GMER scan.
-------------------------
---- Files - GMER 1.0.14 ----

File C:\RRbackups\C 0 bytes
File C:\RRbackups\C\0 0 bytes
File C:\RRbackups\C\0\Data0 50003968 bytes
File C:\RRbackups\C\0\Data1 50003968 bytes
File C:\RRbackups\C\0\Data10 50003968 bytes
File C:\RRbackups\C\0\Data100 50003968 bytes
File C:\RRbackups\C\0\Data101 50003968 bytes
File C:\RRbackups\C\0\Data102 50003968 bytes
File C:\RRbackups\C\0\Data103 50003968 bytes
File C:\RRbackups\C\0\Data104 50003968 bytes
File C:\RRbackups\C\0\Data105 50003968 bytes
File C:\RRbackups\C\0\Data106 50003968 bytes
File C:\RRbackups\C\0\Data107 50003968 bytes
File C:\RRbackups\C\0\Data108 50003968 bytes
File C:\RRbackups\C\0\Data109 50003968 bytes
File C:\RRbackups\C\0\Data11 50003968 bytes
File C:\RRbackups\C\0\Data110 50003968 bytes
File C:\RRbackups\C\0\Data111 50003968 bytes
File C:\RRbackups\C\0\Data112 50003968 bytes
File C:\RRbackups\C\0\Data113 50003968 bytes
File C:\RRbackups\C\0\Data114 50003968 bytes
File C:\RRbackups\C\0\Data115 50003968 bytes
File C:\RRbackups\C\0\Data28 50003968 bytes
File C:\RRbackups\C\0\Data29 50003968 bytes
File C:\RRbackups\C\0\Data3 50003968 bytes
File C:\RRbackups\C\0\Data30 50003968 bytes
File C:\RRbackups\C\0\Data31 50003968 bytes
File C:\RRbackups\C\0\Data32 50003968 bytes
File C:\RRbackups\C\0\Data33 50003968 bytes
File C:\RRbackups\C\0\Data34 50003968 bytes
File C:\RRbackups\C\0\Data35 50003968 bytes
File C:\RRbackups\C\0\Data36 50003968 bytes
File C:\RRbackups\C\0\Data37 50003968 bytes
File C:\RRbackups\C\0\Data38 50003968 bytes
File C:\RRbackups\C\0\Data39 50003968 bytes
File C:\RRbackups\C\0\Data4 50003968 bytes
File C:\RRbackups\C\0\Data40 50003968 bytes
File C:\RRbackups\C\0\Data41 50003968 bytes
File C:\RRbackups\C\0\Data42 50003968 bytes
File C:\RRbackups\C\0\Data43 50003968 bytes
File C:\RRbackups\C\0\Data44 50003968 bytes
File C:\RRbackups\C\0\Data45 50003968 bytes
File C:\RRbackups\C\0\Data47 50003968 bytes
File C:\RRbackups\C\0\Data48 50003968 bytes
File C:\RRbackups\C\0\Data49 50003968 bytes
File C:\RRbackups\C\0\Data5 50003968 bytes
File C:\RRbackups\C\0\Data50 50003968 bytes
File C:\RRbackups\C\0\Data51 50003968 bytes
File C:\RRbackups\C\0\Data52 50003968 bytes
File C:\RRbackups\C\0\Data53 50003968 bytes
File C:\RRbackups\C\0\Data54 50003968 bytes
File C:\RRbackups\C\0\Data55 50003968 bytes
File C:\RRbackups\C\0\Data56 50003968 bytes
File C:\RRbackups\C\0\Data57 50003968 bytes
File C:\RRbackups\C\0\Data58 50003968 bytes
File C:\RRbackups\C\0\Data59 50003968 bytes
File C:\RRbackups\C\0\Data6 50003968 bytes
File C:\RRbackups\C\0\Data60 50003968 bytes
File C:\RRbackups\C\0\Data61 50003968 bytes
File C:\RRbackups\C\0\Data62 50003968 bytes
File C:\RRbackups\C\0\Data63 50003968 bytes
File C:\RRbackups\C\0\Data64 50003968 bytes
File C:\RRbackups\C\0\Data66 50003968 bytes
File C:\RRbackups\C\0\Data67 50003968 bytes
File C:\RRbackups\C\0\Data68 50003968 bytes
File C:\RRbackups\C\0\Data69 50003968 bytes
File C:\RRbackups\C\0\Data7 50003968 bytes
File C:\RRbackups\C\0\Data70 50003968 bytes
File C:\RRbackups\C\0\Data71 50003968 bytes
File C:\RRbackups\C\0\Data72 50003968 bytes
File C:\RRbackups\C\0\Data73 50003968 bytes
File C:\RRbackups\C\0\Data74 50003968 bytes
File C:\RRbackups\C\0\Data75 50003968 bytes
File C:\RRbackups\C\0\Data76 50003968 bytes
File C:\RRbackups\C\0\Data77 50003968 bytes
File C:\RRbackups\C\0\Data78 50003968 bytes
File C:\RRbackups\C\0\Data79 50003968 bytes
File C:\RRbackups\C\0\Data8 50003968 bytes
File C:\RRbackups\C\0\Data80 50003968 bytes
File C:\RRbackups\C\0\Data81 50003968 bytes
File C:\RRbackups\C\0\Data82 50003968 bytes
File C:\RRbackups\C\0\Data83 50003968 bytes
File C:\RRbackups\C\0\Data117 50003968 bytes
File C:\RRbackups\C\0\Data118 50003968 bytes
File C:\RRbackups\C\0\Data119 50003968 bytes
File C:\RRbackups\C\0\Data12 50003968 bytes
File C:\RRbackups\C\0\Data120 50003968 bytes
File C:\RRbackups\C\0\Data121 50003968 bytes
File C:\RRbackups\C\0\Data122 50003968 bytes
File C:\RRbackups\C\0\Data123 50003968 bytes
File C:\RRbackups\C\0\Data124 50003968 bytes
File C:\RRbackups\C\0\Data125 50003968 bytes
File C:\RRbackups\C\0\Data126 50003968 bytes
File C:\RRbackups\C\0\Data127 50003968 bytes
File C:\RRbackups\C\0\Data128 50003968 bytes
File C:\RRbackups\C\0\Data129 50003968 bytes
File C:\RRbackups\C\0\Data13 50003968 bytes
File C:\RRbackups\C\0\Data130 50003968 bytes
File C:\RRbackups\C\0\Data131 50003968 bytes
File C:\RRbackups\C\0\Data132 50003968 bytes
File C:\RRbackups\C\0\Data133 50003968 bytes
File C:\RRbackups\C\0\Data134 50003968 bytes
File C:\RRbackups\C\0\Data136 50003968 bytes
File C:\RRbackups\C\0\Data137 50003968 bytes
File C:\RRbackups\C\0\Data138 50003968 bytes
File C:\RRbackups\C\0\Data139 50003968 bytes
File C:\RRbackups\C\0\Data14 50003968 bytes
File C:\RRbackups\C\0\Data140 50003968 bytes
File C:\RRbackups\C\0\Data141 50003968 bytes
File C:\RRbackups\C\0\Data142 50003968 bytes
File C:\RRbackups\C\0\Data143 50003968 bytes
File C:\RRbackups\C\0\Data144 50003968 bytes
File C:\RRbackups\C\0\Data145 50003968 bytes
File C:\RRbackups\C\0\Data146 50003968 bytes
File C:\RRbackups\C\0\Data147 50003968 bytes
File C:\RRbackups\C\0\Data148 50003968 bytes
File C:\RRbackups\C\0\Data149 50003968 bytes
File C:\RRbackups\C\0\Data15 50003968 bytes
File C:\RRbackups\C\0\Data150 50003968 bytes
File C:\RRbackups\C\0\Data151 50003968 bytes
File C:\RRbackups\C\0\Data152 50003968 bytes
File C:\RRbackups\C\0\Data153 50003968 bytes
File C:\RRbackups\C\0\Data155 50003968 bytes
File C:\RRbackups\C\0\Data156 50003968 bytes
File C:\RRbackups\C\0\Data157 50003968 bytes
File C:\RRbackups\C\0\Data158 50003968 bytes
File C:\RRbackups\C\0\Data159 50003968 bytes
File C:\RRbackups\C\0\Data16 50003968 bytes
File C:\RRbackups\C\0\Data160 50003968 bytes
File C:\RRbackups\C\0\Data161 50003968 bytes
File C:\RRbackups\C\0\Data162 50003968 bytes
File C:\RRbackups\C\0\Data163 50003968 bytes
File C:\RRbackups\C\0\Data164 50003968 bytes
File C:\RRbackups\C\0\Data165 50003968 bytes
File C:\RRbackups\C\0\Data166 50003968 bytes
File C:\RRbackups\C\0\Data167 50003968 bytes
File C:\RRbackups\C\0\Data168 50003968 bytes
File C:\RRbackups\C\0\Data169 50003968 bytes
File C:\RRbackups\C\0\Data17 50003968 bytes
File C:\RRbackups\C\0\Data170 50003968 bytes
File C:\RRbackups\C\0\Data171 50003968 bytes
File C:\RRbackups\C\0\Data172 50003968 bytes
File C:\RRbackups\C\0\Data116 50003968 bytes
File C:\RRbackups\C\0\Data135 50003968 bytes
File C:\RRbackups\C\0\Data154 50003968 bytes
File C:\RRbackups\C\0\Data173 50003968 bytes
File C:\RRbackups\C\0\Data27 50003968 bytes
File C:\RRbackups\C\0\Data46 50003968 bytes
File C:\RRbackups\C\0\Data65 50003968 bytes
File C:\RRbackups\C\0\Data84 50003968 bytes
File C:\RRbackups\C\0\Data174 50003968 bytes
File C:\RRbackups\C\0\Data175 50003968 bytes
File C:\RRbackups\C\0\Data176 50003968 bytes
File C:\RRbackups\C\0\Data177 50003968 bytes
File C:\RRbackups\C\0\Data178 50003968 bytes
File C:\RRbackups\C\0\Data179 50003968 bytes
File C:\RRbackups\C\0\Data18 50003968 bytes
File C:\RRbackups\C\0\Data180 50003968 bytes
File C:\RRbackups\C\0\Data181 50003968 bytes
File C:\RRbackups\C\0\Data182 50003968 bytes
File C:\RRbackups\C\0\Data183 50003968 bytes
File C:\RRbackups\C\0\Data184 50003968 bytes
File C:\RRbackups\C\0\Data185 50003968 bytes
File C:\RRbackups\C\0\Data186 50003968 bytes
File C:\RRbackups\C\0\Data187 50003968 bytes
File C:\RRbackups\C\0\Data188 50003968 bytes
File C:\RRbackups\C\0\Data189 50003968 bytes
File C:\RRbackups\C\0\Data19 50003968 bytes
File C:\RRbackups\C\0\Data190 50003968 bytes
File C:\RRbackups\C\0\Data191 46222271 bytes
File C:\RRbackups\C\0\Data2 50003968 bytes
File C:\RRbackups\C\0\Data20 50003968 bytes
File C:\RRbackups\C\0\Data21 50003968 bytes
File C:\RRbackups\C\0\Data22 50003968 bytes
File C:\RRbackups\C\0\Data23 50003968 bytes
File C:\RRbackups\C\0\Data24 50003968 bytes
File C:\RRbackups\C\0\Data25 50003968 bytes
File C:\RRbackups\C\0\Data26 50003968 bytes
File C:\RRbackups\C\0\Data85 50003968 bytes
File C:\RRbackups\C\0\Data86 50003968 bytes
File C:\RRbackups\C\0\Data87 50003968 bytes
File C:\RRbackups\C\0\Data88 50003968 bytes
File C:\RRbackups\C\0\Data89 50003968 bytes
File C:\RRbackups\C\0\Data9 50003968 bytes
File C:\RRbackups\C\0\Data90 50003968 bytes
File C:\RRbackups\C\0\Data91 50003968 bytes
File C:\RRbackups\C\0\Data92 50003968 bytes
File C:\RRbackups\C\0\Data93 50003968 bytes
File C:\RRbackups\C\0\Data94 50003968 bytes
File C:\RRbackups\C\0\Data95 50003968 bytes
File C:\RRbackups\C\0\Data96 50003968 bytes
File C:\RRbackups\C\0\Data97 50003968 bytes
File C:\RRbackups\C\0\Data98 50003968 bytes
File C:\RRbackups\C\0\Data99 50003968 bytes
File C:\RRbackups\C\0\dats 0 bytes
File C:\RRbackups\C\0\dats\encobject.dat 1608 bytes
File C:\RRbackups\C\0\dats\swkeys.dat 6372 bytes
File C:\RRbackups\C\0\dats\symkeys.dat 656 bytes
File C:\RRbackups\C\0\EFSFile 0 bytes
File C:\RRbackups\C\0\HashFile 391734 bytes
File C:\RRbackups\C\0\Info 756 bytes
File C:\RRbackups\C\0\TOCFile 39826290 bytes
File C:\RRbackups\C\1 0 bytes
File C:\RRbackups\C\1\Data27 50003968 bytes
File C:\RRbackups\C\1\Data46 50003968 bytes
File C:\RRbackups\C\1\Data0 50003968 bytes
File C:\RRbackups\C\1\Data1 50003968 bytes
File C:\RRbackups\C\1\Data10 50003968 bytes
File C:\RRbackups\C\1\Data11 50003968 bytes
File C:\RRbackups\C\1\Data12 50003968 bytes
File C:\RRbackups\C\1\Data13 50003968 bytes
File C:\RRbackups\C\1\Data14 50003968 bytes
File C:\RRbackups\C\1\Data15 50003968 bytes
File C:\RRbackups\C\1\Data16 50003968 bytes
File C:\RRbackups\C\1\Data17 50003968 bytes
File C:\RRbackups\C\1\Data18 50003968 bytes
File C:\RRbackups\C\1\Data19 50003968 bytes
File C:\RRbackups\C\1\Data2 50003968 bytes
File C:\RRbackups\C\1\Data20 50003968 bytes
File C:\RRbackups\C\1\Data21 50003968 bytes
File C:\RRbackups\C\1\Data22 50003968 bytes
File C:\RRbackups\C\1\Data23 50003968 bytes
File C:\RRbackups\C\1\Data24 50003968 bytes
File C:\RRbackups\C\1\Data25 50003968 bytes
File C:\RRbackups\C\1\Data26 50003968 bytes
File C:\RRbackups\C\1\Data28 50003968 bytes
File C:\RRbackups\C\1\Data29 50003968 bytes
File C:\RRbackups\C\1\Data3 50003968 bytes
File C:\RRbackups\C\1\Data30 50003968 bytes
File C:\RRbackups\C\1\Data31 50003968 bytes
File C:\RRbackups\C\1\Data32 50003968 bytes
File C:\RRbackups\C\1\Data33 50003968 bytes
File C:\RRbackups\C\1\Data34 50003968 bytes
File C:\RRbackups\C\1\Data35 50003968 bytes
File C:\RRbackups\C\1\Data36 50003968 bytes
File C:\RRbackups\C\1\Data37 50003968 bytes
File C:\RRbackups\C\1\Data38 50003968 bytes
File C:\RRbackups\C\1\Data39 50003968 bytes
File C:\RRbackups\C\1\Data4 50003968 bytes
File C:\RRbackups\C\1\Data40 50003968 bytes
File C:\RRbackups\C\1\Data41 50003968 bytes
File C:\RRbackups\C\1\Data42 50003968 bytes
File C:\RRbackups\C\1\Data43 50003968 bytes
File C:\RRbackups\C\1\Data44 50003968 bytes
File C:\RRbackups\C\1\Data45 50003968 bytes
File C:\RRbackups\C\1\Data47 50003968 bytes
File C:\RRbackups\C\1\Data48 50003968 bytes
File C:\RRbackups\C\1\Data49 50003968 bytes
File C:\RRbackups\C\1\Data5 50003968 bytes
File C:\RRbackups\C\1\Data50 50003968 bytes
File C:\RRbackups\C\1\Data51 50003968 bytes
File C:\RRbackups\C\1\Data52 50003968 bytes
File C:\RRbackups\C\1\Data53 50003968 bytes
File C:\RRbackups\C\1\Data54 50003968 bytes
File C:\RRbackups\C\1\Data55
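A small triage script for the two kinds of GMER lines in these posts: the `.text` entries for win32k.sys earlier in the thread, and the `File ... N bytes` entries in the listing above. This is an added example in Python, not part of the original posts and not GMER's own code; the regular expressions are mine, written against the line format shown here. It ranks CALL/JMP modifications whose target GMER did not attribute to the hooked module ahead of the ones it resolved into win32k.sys itself, totals the listed files per directory, and flags paths that hold credential material: the SAM hive copy, DPAPI master keys and CREDHIST under Microsoft\Protect, CAPI key containers under Microsoft\Crypto\RSA, and, as an assumption on my part from the file names, the Lenovo Client Security Solution key and Password Manager files. The sample lines are copied from the log in this thread. C:\RRbackups is the backup store of Lenovo ThinkVantage Rescue and Recovery, so finding SAM and DPAPI material in it is expected for a backup of the system, but it does mean that directory is as sensitive as the live hives.

```python
import re
from collections import defaultdict

# Lines copied from the log posted in this thread. C:\RRbackups is the backup store
# of Lenovo ThinkVantage Rescue and Recovery; GMER's "Files" section lists files
# that are hidden from normal directory enumeration.
SAMPLE = r"""
.text win32k.sys!FONTOBJ_pwszFontFilePaths + 2E BF945EC6 12 Bytes CALL BEEAB61B
.text win32k.sys!XLATEOBJ_cGetPalette BF947468 3 Bytes [ 90, 90, 90 ]
.text win32k.sys!XLATEOBJ_cGetPalette + 1F BF947487 31 Bytes CALL BF82126A \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteClip + 9D BF976CDE 1 Byte [ FF ]
File C:\RRbackups\C\0\Data0 50003968 bytes
File C:\RRbackups\common\SAM 262144 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1008\c47d6821-a929-4d57-a834-4f08ce72141c 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\Mahim.pwm 3936 bytes
"""

# ".text module!symbol [+ off] addr N Byte(s)" then either a control transfer
# ("CALL/JMP target [\path\module (description)]") or the raw bytes ("[ .. ]").
HOOK_RE = re.compile(
    r"^\.text\s+(?P<module>\S+?)!(?P<symbol>\S+)(?:\s+\+\s+(?P<offset>[0-9A-F]+))?"
    r"\s+(?P<addr>[0-9A-F]{8})\s+(?P<length>\d+)\s+Bytes?\s+"
    r"(?:(?P<kind>CALL|JMP)\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<target_mod>\\\S+))?|\[.*\])"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes$")

# Paths holding credential material. The Windows entries are the documented
# locations; the Lenovo CSS entry is my assumption from the file names.
SENSITIVE = [(re.compile(p, re.I), label) for p, label in [
    (r"\\SAM$", "SAM hive copy (local account password hashes)"),
    (r"\\Microsoft\\Protect\\CREDHIST$", "DPAPI credential history"),
    (r"\\Microsoft\\Protect\\S-1-5-21-[\d-]+\\[0-9a-f-]{36}$", "DPAPI user master key"),
    (r"\\Microsoft\\Crypto\\RSA\\MachineKeys\\", "machine CAPI key container"),
    (r"\\Microsoft\\Crypto\\RSA\\S-1-5-[\d-]+\\", "user CAPI key container"),
    (r"\\Client Security Solution\\(swkeys\.dat|symkeys\.dat|encobject\.dat|pwdrecovery\.dat|[^\\]+\.pwm)$",
     "Lenovo CSS key/password store (assumed from the file name)"),
]]

def parse_hooks(text):
    """One dict per .text entry; kind is CALL, JMP or BYTES."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "module": d["module"].lower(), "symbol": d["symbol"],
            "offset": int(d["offset"], 16) if d["offset"] else 0,
            "addr": int(d["addr"], 16), "length": int(d["length"]),
            "kind": d["kind"] or "BYTES",
            "target": int(d["target"], 16) if d["target"] else None,
            # module GMER resolved the target to, if it printed one
            "target_module": d["target_mod"].rsplit("\\", 1)[-1].lower() if d["target_mod"] else None,
        })
    return hooks

def suspicious_hooks(hooks):
    """CALL/JMP entries whose target GMER did not attribute to the hooked module.
    A transfer into unnamed memory is what an inline hook into injected code looks
    like; a target resolved to the same module ranks lower. Triage order, not a verdict."""
    return [h for h in hooks
            if h["kind"] in ("CALL", "JMP") and h["target_module"] != h["module"]]

def parse_files(text):
    """(path, size) for each 'File <path> <n> bytes' line; truncated lines are skipped."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            out.append((m.group("path"), int(m.group("size"))))
    return out

def summarize_by_dir(files, depth=2):
    """(count, total bytes) per path prefix of `depth` components."""
    totals = defaultdict(lambda: [0, 0])
    for path, size in files:
        key = "\\".join(path.split("\\")[:depth])
        totals[key][0] += 1
        totals[key][1] += size
    return {k: (n, b) for k, (n, b) in totals.items()}

def sensitive_files(files):
    """(path, size, label) for every file matching a SENSITIVE pattern."""
    hits = []
    for path, size in files:
        for pat, label in SENSITIVE:
            if pat.search(path):
                hits.append((path, size, label))
                break
    return hits

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE)
    for h in suspicious_hooks(hooks):
        print(f"hook  {h['module']}!{h['symbol']}+{h['offset']:X} {h['kind']} -> {h['target']:08X} (target unresolved)")
    files = parse_files(SAMPLE)
    for d, (n, b) in summarize_by_dir(files).items():
        print(f"dir   {d}: {n} files, {b} bytes")
    for path, size, label in sensitive_files(files):
        print(f"cred  {label}: {path} ({size} bytes)")
```

Run it against a saved GMER log by replacing SAMPLE with the file contents. On the sample it reports one unresolved-target hook (FONTOBJ_pwszFontFilePaths, CALL BEEAB61B), one directory total, and three credential-material files; the CALL into win32k.sys itself is deliberately not reported, since the point of the ranking is to look at unattributed targets first, not to declare either kind clean.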

#19
mbha

    Member

  • Topic Starter
  • 19 posts
Continued GMER scan
-------------------------
File C:\RRbackups\C\1\Data55 50003968 bytes
File C:\RRbackups\C\1\Data56 50003968 bytes
File C:\RRbackups\C\1\Data57 50003968 bytes
File C:\RRbackups\C\1\Data58 50003968 bytes
File C:\RRbackups\C\1\Data59 50003968 bytes
File C:\RRbackups\C\1\Data6 50003968 bytes
File C:\RRbackups\C\1\Data60 50003968 bytes
File C:\RRbackups\C\1\Data61 50003968 bytes
File C:\RRbackups\C\1\Data62 50003968 bytes
File C:\RRbackups\C\1\Data63 50003968 bytes
File C:\RRbackups\C\1\Data64 50003968 bytes
File C:\RRbackups\C\1\Data65 50003968 bytes
File C:\RRbackups\C\1\Data66 50003968 bytes
File C:\RRbackups\C\1\Data67 50003968 bytes
File C:\RRbackups\C\1\Data68 50003968 bytes
File C:\RRbackups\C\1\Data69 50003968 bytes
File C:\RRbackups\C\1\Data7 50003968 bytes
File C:\RRbackups\C\1\Data70 50003968 bytes
File C:\RRbackups\C\1\Data71 50003968 bytes
File C:\RRbackups\C\1\Data72 50003968 bytes
File C:\RRbackups\C\1\Data73 50003968 bytes
File C:\RRbackups\C\1\Data74 28539787 bytes
File C:\RRbackups\C\1\Data8 50003968 bytes
File C:\RRbackups\C\1\Data9 50003968 bytes
File C:\RRbackups\C\1\dats 0 bytes
File C:\RRbackups\C\1\dats\encobject.dat 1608 bytes
File C:\RRbackups\C\1\dats\swkeys.dat 6372 bytes
File C:\RRbackups\C\1\dats\symkeys.dat 656 bytes
File C:\RRbackups\C\1\EFSFile 0 bytes
File C:\RRbackups\C\1\HashFile 401868 bytes
File C:\RRbackups\C\1\Info 756 bytes
File C:\RRbackups\C\1\TOCFile 40856580 bytes
File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\backups.dat 8192 bytes
File C:\RRbackups\common\bt0.dat 32256 bytes
File C:\RRbackups\common\bt1.dat 32256 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\rr.log 23235 bytes
File C:\RRbackups\common\SAM 262144 bytes
File C:\RRbackups\common\seccache.dat 8192 bytes
File C:\RRbackups\common\secpolicy.dat 45056 bytes
File C:\RRbackups\common\settings.dat 28672 bytes
File C:\RRbackups\common\system.dat 12288 bytes
File C:\RRbackups\common\usersids.dat 14560 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\All Users 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\encobject.dat 1608 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\swkeys.dat 6372 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\symkeys.dat 656 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a077ead69703e3bf1fd373a3c9376faa_615a34f6-147c-4e77-9d9a-9351074a7a99 901 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\42e7e898003fbdeb9585806ee1664b51_615a34f6-147c-4e77-9d9a-9351074a7a99 57 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\83aa4cc77f591dfc2374580bbd95f6ba_615a34f6-147c-4e77-9d9a-9351074a7a99 45 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_615a34f6-147c-4e77-9d9a-9351074a7a99 54 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_615a34f6-147c-4e77-9d9a-9351074a7a99 893 bytes
File C:\RRbackups\Documents and Settings\Aseem 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo\Client Security Solution\config.ini 61 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo\Client Security Solution\cssversion.dat 1908 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo\Client Security Solution\encobject.dat 14472 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo\Client Security Solution\pwdrecovery.dat 1104 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo\Client Security Solution\swkeys.dat 8496 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Lenovo\Client Security Solution\symkeys.dat 1968 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1008 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1008\1ad0c6892271bdc5d210cec5626340a8_615a34f6-147c-4e77-9d9a-9351074a7a99 46 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1008\533145ef011ddf5ca3983e2545a902b4_615a34f6-147c-4e77-9d9a-9351074a7a99 2075 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\4ec3ba26-7ae6-4c81-8f10-1c302f0aebed 388 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1008 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1008\c47d6821-a929-4d57-a834-4f08ce72141c 388 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1008\f257ae58-068d-44a1-952f-bf3f1cd266ef 388 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1008\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\0a124641-6439-4857-b61e-dae2de42ad2e 388 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\c2a36130-4a0d-4591-b16d-f36111ecf531 388 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Aseem\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\4ec3ba26-7ae6-4c81-8f10-1c302f0aebed 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\0a124641-6439-4857-b61e-dae2de42ad2e 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\c2a36130-4a0d-4591-b16d-f36111ecf531 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Geetika 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo\Client Security Solution\config.ini 61 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo\Client Security Solution\cssversion.dat 1908 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo\Client Security Solution\encobject.dat 14472 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo\Client Security Solution\pwdrecovery.dat 1104 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo\Client Security Solution\swkeys.dat 8496 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Lenovo\Client Security Solution\symkeys.dat 1968 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1009 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1009\533145ef011ddf5ca3983e2545a902b4_615a34f6-147c-4e77-9d9a-9351074a7a99 2075 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1009\cf4df228595f6d5fece5a59d0090b99a_615a34f6-147c-4e77-9d9a-9351074a7a99 48 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\4ec3ba26-7ae6-4c81-8f10-1c302f0aebed 388 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1009 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1009\99ca871c-c2ba-47f9-a99c-620601ab120f 388 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1009\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\0a124641-6439-4857-b61e-dae2de42ad2e 388 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\c2a36130-4a0d-4591-b16d-f36111ecf531 388 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Geetika\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Mahim 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\config.ini 61 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\cssversion.dat 1908 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\encobject.dat 14472 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\Mahim.pwm 3936 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\pwdrecovery.dat 1104 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\pwmaction.dat 672 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\swkeys.dat 8496 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Lenovo\Client Security Solution\symkeys.dat 1968 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1006 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1006\533145ef011ddf5ca3983e2545a902b4_615a34f6-147c-4e77-9d9a-9351074a7a99 2075 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1006\6b29ae44e85efac3c72ff4d1865d73f1_615a34f6-147c-4e77-9d9a-9351074a7a99 53 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1006\83aa4cc77f591dfc2374580bbd95f6ba_615a34f6-147c-4e77-9d9a-9351074a7a99 45 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1006\8f71098770f72c7a67cd8f1151619865_615a34f6-147c-4e77-9d9a-9351074a7a99 54 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1006\932a2db58c237abd381d22df4c63a04a_615a34f6-147c-4e77-9d9a-9351074a7a99 87 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\CREDHIST 160 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\4ec3ba26-7ae6-4c81-8f10-1c302f0aebed 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1006 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1006\2661a16b-12a9-4c8d-99c6-305af2554e4d 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1006\29bdee7b-231a-4249-ab16-e54c5c76cecb 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1006\5b7437e8-4b46-4de2-bf90-8b08b72963c4 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1006\a67be6e4-5d53-4b93-82e6-ddf02f7d57a1 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1006\ab34c5c6-21f9-444e-b614-932253292f01 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1006\ec48b60b-2778-41d9-b055-5466d73f0859 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1006\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\0a124641-6439-4857-b61e-dae2de42ad2e 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\c2a36130-4a0d-4591-b16d-f36111ecf531 388 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Mahim\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo\Client Security Solution\config.ini 61 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo\Client Security Solution\cssversion.dat 1908 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo\Client Security Solution\encobject.dat 14472 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo\Client Security Solution\pwdrecovery.dat 1104 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo\Client Security Solution\swkeys.dat 8496 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Lenovo\Client Security Solution\symkeys.dat 1968 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1007 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1007\4fab426e0008105d5e2bc15563080fa3_615a34f6-147c-4e77-9d9a-9351074a7a99 46 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1007\533145ef011ddf5ca3983e2545a902b4_615a34f6-147c-4e77-9d9a-9351074a7a99 2075 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Crypto\RSA\S-1-5-21-260802699-1924936845-1543838306-1007\6b29ae44e85efac3c72ff4d1865d73f1_615a34f6-147c-4e77-9d9a-9351074a7a99 53 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\4ec3ba26-7ae6-4c81-8f10-1c302f0aebed 388 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-2422942346-2288984452-214141379-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1007 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1007\3195a880-7834-4e88-a21a-71b830b304cd 388 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\

#20
mbha
Member, Topic Starter, 19 posts
Last bit of GMER log
-------------------
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1007\9acc7f00-d573-4b4d-a7d3-81cde0591d0c 388 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1007\ff76bf25-cba9-43ee-a315-a14c23d750b7 388 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-260802699-1924936845-1543838306-1007\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\0a124641-6439-4857-b61e-dae2de42ad2e 388 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-3359925272-645178165-3065092502-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\c2a36130-4a0d-4591-b16d-f36111ecf531 388 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\Protect\S-1-5-21-3430851255-2093298770-200444301-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Nidhi\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Owner 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\SIS 0 bytes
File C:\RRbackups\SIS\C 0 bytes
File C:\RRbackups\SIS\C\0 0 bytes

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdResumeDeferredWatch] 00000000
IAT \SystemRoot\System32\win32k.sys[HAL.dll!HalRequestSoftwareInterrupt] 0025002D
IAT \SystemRoot\System32\win32k.sys[HAL.dll!ExAcquireFastMutex] 002D0065
IAT \SystemRoot\System32\win32k.sys[Dxapi.sys!_DxApiGetVersion@0] 00760072
IAT \SystemRoot\System32\win32k.sys[HAL.dll!KeQueryPerformanceCounter] 00780025
IAT \SystemRoot\System32\win32k.sys[HAL.dll!ExReleaseFastMutex] 00780030
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdFreeDeferredWatchdog] [BF8435C5] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdExitMonitoredSection] [BF8435D7] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStartDeferredWatch] [BF8435DE] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdAllocateDeferredWatchdog] [BF8435EF] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdDdiWatchdogDpcCallback] [BF8695F5] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\drivers\dxgthk.sys[WIN32K.SYS!EngDebugPrint] [BF9333D4] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdEnterMonitoredSection] FFFFFFFF
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStopDeferredWatch] FFFFFFFF
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdSuspendDeferredWatch] FFFFFFFF

---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7BB78AC]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7BB7812]

---- EOF - GMER 1.0.14 ----

Thanks a lot for everything.
Regards,
MBHA

#21
Tal
Trusted Helper, Retired Staff, 2,138 posts
Hi mbha,

Sorry for the delay.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename ComboFix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
    • If there is no internet connection after running ComboFix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

#22
mbha
Member, Topic Starter, 19 posts
Hi Tal,

I also could not access the internet over the weekend, hence the delay in replying.

The ComboFix log is here:
=================
ComboFix 08-04-13.3 - Mahim 2008-04-14 22:21:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.560 [GMT 5.5:30]
Running from: C:\Documents and Settings\Mahim\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\recover.reg
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-10 01:41 . 2008-04-10 02:02 250 --a------ C:\WINDOWS\gmer.ini
2008-04-05 23:57 . 2008-04-05 23:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-05 23:57 . 2008-04-05 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-03 22:45 . 2008-04-03 22:45 <DIR> d-------- C:\_OTMoveIt
2008-03-31 23:18 . 2008-03-31 23:18 <DIR> d-------- C:\Deckard
2008-03-23 02:08 . 2008-03-23 02:10 <DIR> d-------- C:\smitRem
2008-03-23 01:48 . 2008-03-23 01:48 <DIR> d-------- C:\Documents and Settings\Mahim\Application Data\Grisoft
2008-03-23 01:48 . 2008-03-23 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 01:48 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-23 01:09 . 2008-03-23 01:11 <DIR> d-------- C:\Documents and Settings\Mahim\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 17:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-28 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-20 20:05 --------- d-----w C:\Documents and Settings\Mahim\Application Data\OpenOffice.org2
2008-03-01 13:51 --------- d-----w C:\Documents and Settings\Mahim\Application Data\webex
2008-02-26 19:15 --------- d-----w C:\Documents and Settings\Mahim\Application Data\WordWeb
2008-02-26 19:02 --------- d-----w C:\Program Files\WordWeb
2008-02-26 18:40 --------- d-----w C:\Program Files\NetMeter
2008-02-26 18:16 --------- d-----w C:\Program Files\Logtime
2008-02-26 18:07 --------- d-----w C:\Documents and Settings\Mahim\Application Data\GetRightToGo
2008-02-15 16:33 --------- d-----w C:\Program Files\Western Digital Technologies
2008-02-03 06:50 5,107,041 ----a-w C:\jvm.zip
2007-02-04 17:36 88 --sh--r C:\WINDOWS\system32\14E6186D5D.sys
2007-02-04 17:36 4,182 --sh--w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"C:\Program Files\NetMeter\NetMeter.exe"="C:\Program Files\NetMeter\NetMeter.exe" [2004-03-04 14:47 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 11:21 774233]
"TPWAUDAP"="C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe" [2006-04-20 03:59 24576]
"PMHandler"="C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe" [2006-08-22 13:24 33128]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 13:10 89542 C:\WINDOWS\AGRSMMSG.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 09:47 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 09:43 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 09:47 118784]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-07-11 10:03 675840]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2006-10-17 04:06 2502656]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 19:33 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-11 00:14 81920]
"LPManager"="C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-02-02 02:01 120368]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-11-06 15:27 487424]
"AMSG"="C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe" [2005-11-23 10:06 507904]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-03-23 12:11 2341632]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 21:30 49152]
"Client Access Service"="C:\Program Files\IBM\Client Access\CwbSvStr.Exe" [1999-10-12 04:50 6928]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [1999-10-12 04:50 15632]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [1999-10-12 04:50 47888]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 05:54 196696]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2007-10-03 22:05 36972]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]

C:\Documents and Settings\Nidhi\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

C:\Documents and Settings\Mahim\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2008-02-27 00:32:46 44384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2006-10-17 04:00 49152 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--------- 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--------- 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--------- 2006-06-15 23:06 229376 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-r------- 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 22:57]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 14:03]
R1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys [2006-05-25 01:18]
R2 FNF5SVC;Fn+F5 Service;C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe [2007-04-09 10:24]
R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2006-07-15 05:25]
R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-07-11 10:03]
S2 xmppd-jse;Collaboration Runtime Service;C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe [2005-05-15 23:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\q.com
\Shell\explore\Command - C:\q.com
\Shell\open\Command - C:\q.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fd66220-afba-11dc-a473-0016cfe89923}]
\Shell\auto\command - E:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - E:\Knight.exe open
\Shell\find\command - E:\Knight.exe open
\Shell\install\command - E:\Knight.exe open
\Shell\open\command - E:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f3ee748-48fa-11dc-a3c3-000fb0ce0aa8}]
\Shell\auto\command - E:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - E:\Knight.exe open
\Shell\find\command - E:\Knight.exe open
\Shell\install\command - E:\Knight.exe open
\Shell\open\command - E:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc4bc846-ccf7-11dc-a4a0-0016cfe89923}]
\Shell\auto\command - E:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - E:\Knight.exe open
\Shell\find\command - E:\Knight.exe open
\Shell\install\command - E:\Knight.exe open
\Shell\open\command - E:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf968a4a-c73a-11db-a33b-0016cfe89923}]
\Shell\auto\command - E:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - E:\Knight.exe open
\Shell\find\command - E:\Knight.exe open
\Shell\install\command - E:\Knight.exe open
\Shell\open\command - E:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c358d4a0-b671-11db-a327-0016cfe89923}]
\Shell\AutoRun\command - F:\rthrw.com
\Shell\explore\Command - F:\rthrw.com
\Shell\open\Command - F:\rthrw.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c56e01fe-b9d0-11db-a32c-0016cfe89923}]
\Shell\auto\command - E:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - E:\Knight.exe open
\Shell\find\command - E:\Knight.exe open
\Shell\install\command - E:\Knight.exe open
\Shell\open\command - E:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caeb8a10-f823-11dc-98ac-806d6172696f}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caeb8a11-f823-11dc-98ac-0016cfe89923}]
\Shell\AutoRun\command - E:\yo2mq6.exe
\Shell\explore\Command - E:\yo2mq6.exe
\Shell\open\Command - E:\yo2mq6.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 10:56:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 22:25:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\NetMeter\\NetMeter.exe"="C:\\Program Files\\NetMeter\\NetMeter.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Softex\OmniPass\OmniServ.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-04-14 22:28:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 16:58:43

Pre-Run: 30,718,959,616 bytes free
Post-Run: 30,634,614,784 bytes free
.
2008-04-09 20:26:49 --- E O F ---
==========================================================

The latest HijackThis log is here:
===================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:23 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mahim\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4927D037-277F-4586-B3B2-3C53BF4A79F2}: NameServer = 202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

--
End of file - 10434 bytes


Please note that after running ComboFix, I am able to see the hidden folders and to access the C: drive using Windows Explorer.

Thanks & Regards,
Mbha
  • 0

#23
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hey mbha,

I am sorry for the delay in getting back to you. I had some school work to do :)


Before we start the registry fix, we need to backup the registry in case anything goes wrong. This is a very simple and quick process :)


  • Please go to Start > Run
  • Paste in the following line: regedit /e c:\registrybackup.reg
  • Click OK. It won't appear to be doing anything, that's normal.
  • Your mouse pointer may turn to an hour glass for a minute. Please continue when it no longer has the hour glass.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\q.com
E:\Knight.exe
F:\rthrw.com
E:\ntde1ect.com
E:\yo2mq6.exe

Registry::


[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fd66220-afba-11dc-a473-0016cfe89923}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f3ee748-48fa-11dc-a3c3-000fb0ce0aa8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc4bc846-ccf7-11dc-a4a0-0016cfe89923}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf968a4a-c73a-11db-a33b-0016cfe89923}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c358d4a0-b671-11db-a327-0016cfe89923}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c56e01fe-b9d0-11db-a32c-0016cfe89923}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caeb8a10-f823-11dc-98ac-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caeb8a11-f823-11dc-98ac-0016cfe89923}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#24
mbha

mbha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi Tal,

ComboFix log for your review: :)

ComboFix 08-04-13.3 - Mahim 2008-04-17 23:41:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.530 [GMT 5.5:30]
Running from: C:\Documents and Settings\Mahim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mahim\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\q.com
E:\Knight.exe
E:\ntde1ect.com
E:\yo2mq6.exe
F:\rthrw.com
.

((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 23:38 . 2008-04-17 23:38 78,727,540 --a------ C:\registrybackup.reg
2008-04-10 01:41 . 2008-04-10 02:02 250 --a------ C:\WINDOWS\gmer.ini
2008-04-05 23:57 . 2008-04-05 23:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-05 23:57 . 2008-04-05 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-03 22:45 . 2008-04-03 22:45 <DIR> d-------- C:\_OTMoveIt
2008-03-31 23:18 . 2008-03-31 23:18 <DIR> d-------- C:\Deckard
2008-03-23 02:08 . 2008-03-23 02:10 <DIR> d-------- C:\smitRem
2008-03-23 01:48 . 2008-03-23 01:48 <DIR> d-------- C:\Documents and Settings\Mahim\Application Data\Grisoft
2008-03-23 01:48 . 2008-03-23 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 01:48 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-23 01:09 . 2008-03-23 01:11 <DIR> d-------- C:\Documents and Settings\Mahim\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 17:11 --------- d-----w C:\Documents and Settings\Mahim\Application Data\OpenOffice.org2
2008-04-14 16:45 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
2008-03-28 17:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-28 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-19 09:40 1,845,888 ------w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 13:51 --------- d-----w C:\Documents and Settings\Mahim\Application Data\webex
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-26 19:15 --------- d-----w C:\Documents and Settings\Mahim\Application Data\WordWeb
2008-02-26 19:02 --------- d-----w C:\Program Files\WordWeb
2008-02-26 18:40 --------- d-----w C:\Program Files\NetMeter
2008-02-26 18:16 --------- d-----w C:\Program Files\Logtime
2008-02-26 18:07 --------- d-----w C:\Documents and Settings\Mahim\Application Data\GetRightToGo
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:52 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-03 06:51 155,995 ----a-w C:\WINDOWS\java\Packages\GS0JXRH7.ZIP
2008-02-03 06:50 5,107,041 ----a-w C:\jvm.zip
2007-02-04 17:36 88 --sh--r C:\WINDOWS\system32\14E6186D5D.sys
2007-02-04 17:36 4,182 --sh--w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-14_22.28.30.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 16:55:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-17 17:41:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 16:55:15 16,384 ------w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-17 17:41:40 16,384 ------w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-14 16:55:15 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-17 17:41:40 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-14 16:55:15 49,152 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-17 17:41:40 49,152 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-17 17:41:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"C:\Program Files\NetMeter\NetMeter.exe"="C:\Program Files\NetMeter\NetMeter.exe" [2004-03-04 14:47 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 11:21 774233]
"TPWAUDAP"="C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe" [2006-04-20 03:59 24576]
"PMHandler"="C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe" [2006-08-22 13:24 33128]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 13:10 89542 C:\WINDOWS\AGRSMMSG.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 09:47 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 09:43 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 09:47 118784]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-07-11 10:03 675840]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2006-10-17 04:06 2502656]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 19:33 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-11 00:14 81920]
"LPManager"="C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-02-02 02:01 120368]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-11-06 15:27 487424]
"AMSG"="C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe" [2005-11-23 10:06 507904]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-03-23 12:11 2341632]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 21:30 49152]
"Client Access Service"="C:\Program Files\IBM\Client Access\CwbSvStr.Exe" [1999-10-12 04:50 6928]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [1999-10-12 04:50 15632]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [1999-10-12 04:50 47888]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 05:54 196696]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2007-10-03 22:05 36972]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]

C:\Documents and Settings\Nidhi\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

C:\Documents and Settings\Mahim\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2008-02-27 00:32:46 44384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2006-10-17 04:00 49152 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--------- 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--------- 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--------- 2006-06-15 23:06 229376 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-r------- 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 22:57]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 14:03]
R1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys [2006-05-25 01:18]
R2 FNF5SVC;Fn+F5 Service;C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe [2007-04-09 10:24]
R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2006-07-15 05:25]
R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-07-11 10:03]
S2 xmppd-jse;Collaboration Runtime Service;C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe [2005-05-15 23:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 10:56:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 23:44:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\NetMeter\\NetMeter.exe"="C:\\Program Files\\NetMeter\\NetMeter.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
-> C:\WINDOWS\system32\cwbrw.dll
.
Completion time: 2008-04-17 23:44:33
ComboFix-quarantined-files.txt 2008-04-17 18:14:23

Pre-Run: 30,883,102,720 bytes free
Post-Run: 30,868,168,704 bytes free
.
2008-04-09 20:26:49 --- E O F ---
  • 0

#25
mbha

mbha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here is the Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:29 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mahim\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4927D037-277F-4586-B3B2-3C53BF4A79F2}: NameServer = 202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

--
End of file - 10599 bytes

Hope you are not skipping your classes and homework to finish off this task... as that is more important.

Thanks & Regards,
Mbha
  • 0
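Tal's review of the HijackThis log above comes down to scanning a few entry types for specific signals: O17 NameServer lines (a changed resolver), O20 Winlogon Notify entries marked "(file missing)", O23 services listed as "Unknown owner", and O4 autorun entries that give no full path. The script below is an added example and is not part of the thread, of Geeks to Go or of HijackThis itself; it automates that first pass. The sample lines are copied from the log posted above; the `trusted_dns` list, the `Finding` type and the flagging rules are assumptions made for the example, and a flag means "look at this entry", not "this is malware".

```python
"""First-pass triage of HijackThis-style log lines.

Added example: this is not code from the thread, from Geeks to Go or from
HijackThis. It parses the "O4", "O17", "O20" and "O23" line formats seen in
the logs above and flags the entries a helper usually inspects first. A flag
means "look at this", not "this is malware".
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4927D037-277F-4586-B3B2-3C53BF4A79F2}: NameServer = 202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# "O23 - Service: ..." -> kind "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A Windows absolute path, optionally quoted: C:\... or "C:\...
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass(frozen=True)
class Finding:  # assumed type for the example
    kind: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (kind, body, stripped_line) for every HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def triage(log_text, trusted_dns=()):
    """Return the list of findings for a log.

    trusted_dns: resolver addresses the user recognises (ISP or corporate
    DNS). Any O17 NameServer not on that list is flagged, because a silently
    changed resolver is a common way to redirect a victim's browsing.
    """
    findings = []
    for kind, body, line in parse_entries(log_text):
        # Orphaned entries: the registry still points at a file that is gone.
        if "(file missing)" in body:
            findings.append(Finding(kind, "points at a file that no longer exists", line))
        if kind == "O4":
            # Autorun command without a full path is resolved via the search path.
            m = RUN_RE.search(body)
            if m and not ABS_PATH_RE.match(m.group("cmd")):
                findings.append(Finding(kind, "autorun command without a full path", line))
        elif kind == "O17":
            m = NAMESERVER_RE.search(body)
            servers = [s.strip() for s in m.group("servers").split(",")] if m else []
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                findings.append(Finding(kind, "DNS server(s) not on trusted list: " + ", ".join(unknown), line))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(Finding(kind, "service binary carries no publisher information", line))
    return findings


def count_by_kind(findings):
    """Number of findings per HijackThis entry type, e.g. {"O23": 3}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    # The two NameServer addresses from the log are treated as the user's ISP resolvers.
    for f in triage(SAMPLE_LOG, trusted_dns=("202.56.215.6", "202.56.230.6")):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run against the sample with the two NameServer addresses marked trusted, the script reports five entries: the path-less AGRSMMSG.exe autorun, the missing ACNotify.dll notify package, and the three O23 lines with no publisher (PsaSrv counts twice, being both unowned and missing). Whether each is a leftover from legitimate software, as here, or something to remove is still a judgement call for the person reading the log.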

#26
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hey mbha,

Hope you are not skipping your classes and homework to finish off this task... as that is more important.

Don't worry, I always skip classes :) Just kidding, I am not that busy at all.

Your computer looks clean from what I see. Do you have any issues with the PC?

#27 mbha (Member, Topic Starter, 19 posts)
Hi Tal,

If you think my PC is clean, then it must be... I am relieved. Thanks a lot for your persistent support.

Regards,
Mbha

#28 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hi,

If you can, please include a new DSS log and we'll check. Also, you are the only one that can give me a hint on whether the PC is clean or not.

#29 mbha (Member, Topic Starter, 19 posts)
Hi Tal,

Here is the DSS log:
Deckard's System Scanner v20071014.68
Run by Mahim on 2008-04-23 22:41:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mahim.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:46 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mahim\Desktop\dss.exe
C:\DOCUME~1\Mahim\Desktop\Mahim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4927D037-277F-4586-B3B2-3C53BF4A79F2}: NameServer = 202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

--
End of file - 10489 bytes

-- Files created between 2008-03-23 and 2008-04-23 -----------------------------

2008-04-17 23:38:47 78727540 --a------ C:\registrybackup.reg <REGIST~1.REG>
2008-04-14 22:20:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-14 22:20:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-14 22:20:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-14 22:20:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-14 22:20:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-14 22:20:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-14 22:20:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-14 22:20:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-05 23:57:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-05 23:57:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-23 02:08:30 0 d-------- C:\smitRem
2008-03-23 01:48:54 0 d-------- C:\Documents and Settings\Mahim\Application Data\Grisoft
2008-03-23 01:48:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 01:09:49 0 d-------- C:\Documents and Settings\Mahim\.housecall6.6


-- Find3M Report ---------------------------------------------------------------

2008-04-22 22:45:14 0 d-------- C:\Documents and Settings\Mahim\Application Data\Adobe
2008-04-21 21:30:56 5427 --a------ C:\WINDOWS\system32\EGATHDRV.SYS <Not Verified; IBM Corporation; IBM eGatherer>
2008-04-14 22:41:34 0 d-------- C:\Documents and Settings\Mahim\Application Data\OpenOffice.org2
2008-03-28 22:53:48 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 22:52:08 0 d-------- C:\Program Files\Common Files
2008-03-19 22:55:11 4964 --a------ C:\Documents and Settings\Mahim\Application Data\NMM-MetaData.db
2008-03-01 19:21:49 0 d-------- C:\Documents and Settings\Mahim\Application Data\webex
2008-02-27 00:45:50 0 d-------- C:\Documents and Settings\Mahim\Application Data\WordWeb
2008-02-27 00:32:46 0 d-------- C:\Program Files\WordWeb
2008-02-27 00:10:31 0 d-------- C:\Program Files\NetMeter
2008-02-26 23:46:20 0 d-------- C:\Program Files\Logtime
2008-02-26 23:37:02 0 d-------- C:\Documents and Settings\Mahim\Application Data\GetRightToGo


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-04-23 22:42:13 ------------

I was wondering how to get rid of the occurrence of this virus, as it has got embedded in the System Restore file (remember we discussed this earlier)...

Otherwise, I don't feel anything awkward with the system.

Thanks & Regards,
Mahim.
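The HijackThis section of the DSS log above is the part a helper reads first: O4 Run entries, O20 Winlogon Notify DLLs and O23 services are the usual persistence points. As an added example (not code from this thread, from HijackThis or from Deckard's System Scanner), the Python triage helper below parses those line types and flags the entries a reviewer would look at by hand: targets marked "(file missing)" (stale registrations left behind by removed software or cleaned malware), services whose binary carries no vendor information ("Unknown owner"), Run entries that name a bare file with no path (the copy that runs depends on the search path), and startup shortcuts HijackThis could not resolve ("= ?"). The sample log is a constructed excerpt shaped on lines from the log above; the regexes and the `triage` function are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the HijackThis v2.0.2 log format, shaped on the
# O4/O20/O23 lines of the log posted above (a short excerpt, not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - Global Startup: Bluetooth.lnk = ?
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
"""

# Line shapes as HijackThis 2.0.2 prints them (regexes written for this example).
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
MISSING = "(file missing)"


@dataclass
class Finding:
    line: str    # the log line as HijackThis printed it
    name: str    # entry or service name
    target: str  # path or command line recorded for it
    reason: str  # why a reviewer should look at it


def _executable(cmd: str) -> str:
    """Pull the program path out of an O4 command line, quoted or not, with or without arguments."""
    m = re.match(r'^"?(?P<exe>.+?\.(?:exe|dll|cmd|bat|com))"?', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.strip()


def _is_bare_name(path: str) -> bool:
    # No drive letter and no directory separator: Windows resolves the name through
    # the search path, so which copy actually runs is not fixed by the registry value.
    return "\\" not in path and "/" not in path and ":" not in path


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O20/O23 entries of a HijackThis log that deserve a manual look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if cmd == "?":
                findings.append(Finding(line, m.group("name"), cmd,
                                        "shortcut target could not be resolved; open the .lnk properties by hand"))
            elif _is_bare_name(_executable(cmd)):
                findings.append(Finding(line, m.group("name"), cmd,
                                        "bare file name with no path; confirm which copy on the search path loads"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, owner, path = m.group("name"), m.group("owner"), m.group("path")
            if path.endswith(MISSING):
                findings.append(Finding(line, name, path,
                                        "service binary no longer exists; stale registration"))
            if owner == "Unknown owner":
                findings.append(Finding(line, name, path,
                                        "no vendor in the file's version info; verify the file's origin"))
            continue
        m = NOTIFY_RE.match(line)
        if m and m.group("path").endswith(MISSING):
            findings.append(Finding(line, m.group("name"), m.group("path"),
                                    "Winlogon Notify DLL is gone but still registered; stale registration"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line.split(' - ', 1)[0]:<4} {f.name:<42} {f.reason}")
```

On the constructed sample this reports six findings: AGRSMMSG (bare name), Bluetooth.lnk (unresolved target), ACNotify (missing DLL), PsaSrv twice (missing binary and unknown owner) and the ThinkVantage Registry Monitor Service (unknown owner); the Synaptics, cssauth and Diskeeper entries pass. A flagged entry is a prompt to check the file, not a verdict: the PsaSrv and ACNotify lines above are leftovers of uninstalled Lenovo/IBM components, and the Lenovo service with no vendor string is a legitimate file that simply lacks version information.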

#30 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hello mbha,

Your computer appears to be clean :) The following steps will guide you on deleting restore points and making sure your computer is secured for the future.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Next, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-Check Turn off System Restore.
   Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:
and a good antivirus (these are also free for personal use):
It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To keep your operating system up to date visit
monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

Tal