Malware/Keylogger stealing WOW account


#1 09sden (New Member, 5 posts)
Last Thursday, I found out someone had hacked my World of Warcraft account and deleted my stuff. No big deal; AVG, Ad-Aware, AntiLogger, Kaspersky, etc. later, and I still have him bothering me. I get an error when I start up my computer that says "Error loading C:\Windows\system32\systemhper.dll". I saw some stuff on the WoW forums and assumed this could be the problem, though it's been around a while. Any help on whether this is it, or on how to find it another way if it is not? I also have Ad-Aware scanning almost every minute because it keeps picking up a registry startup entry and c:\windows\system32\diracsplitter.ax.

Edited by 09sden, 17 February 2009 - 10:02 PM.



#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello 09sden

Welcome to G2Go. :)
=====================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
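What the helper does with the two logs once they come back is a triage pass: read the DDS autostart entries and new-file list, read the GMER hook list, and pull out the lines worth a second look. The script below is an added example of that pass, not part of this thread and not code from the DDS or GMER tools. Its rules are assumptions of the example (rundll32 autostarts that load a DLL out of system32, autostart names that are long digit strings, BHO/toolbar/shell-hook entries whose file is missing or that live in system32, hidden+system files recently written to system32, SSDT hooks grouped by owning driver, and registered drivers whose file GMER cannot open). The sample lines are constructed in the layout the two tools use; their file names mirror entries from the log posted later in this thread, but the text is not that log.

```python
"""Triage pass over DDS and GMER logs (added example, not part of this
thread or of either tool). Every hit is a lead for a human to check, not a
verdict: legitimate codec packs and security drivers trip these rules too."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout DDS and GMER use. File names mirror
# entries from the log posted later in this thread; this is not that log.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MSUSER Class: {8d4d2f69-df30-4471-988c-cc58545e86c8} - c:\windows\system32\SystemHper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
uRun: [70244780469928609425893105232650] c:\program files\antivirus 2009\av2009.exe
mRun: [SystemHelp] RUNDLL32.EXE c:\windows\system32\SystemHper.dll,Install
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
SEH: {ab0a0b68-6e3c-31d2-8901-3a8ae135d25a} - c:\windows\system32\KcrndDrv.dll
2009-02-17 19:42 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-01 00:58 179,200 ---shr-- c:\windows\system32\DiracSplitter.ax
2009-02-01 00:58 <DIR> -cd-h--- c:\programdata\{2BAE6915-8510-4B9F-B498-02DA86258AA0}
"""
SAMPLE_GMER = r"""
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwCreateFile [0x8FD01532]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenProcess [0x8FD00E90]
? System32\Drivers\spja.sys The system cannot find the file specified. !
"""

AUTOSTART = re.compile(r"^(?P<kind>[um]Run(?:Once)?|BHO|TB|SEH):\s*(?P<rest>.+)$")
RUN_ENTRY = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# DDS file rows: date time size attrs path; attrs[3] is 's'ystem, attrs[4] is 'h'idden
FILE_ROW = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+|<DIR>) (?P<attrs>\S{8}) (?P<path>.+)$")
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+\.dll)", re.I)
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.I)
SSDT_HOOK = re.compile(r"^SSDT (?P<module>.+?) (?P<func>Zw\w+) \[")
MISSING_DRV = re.compile(r"^\? (?P<path>\S+) The system cannot find the file specified")


@dataclass(frozen=True)
class Finding:
    source: str   # "dds" or "gmer"
    reason: str
    line: str


def triage_dds(text: str) -> list[Finding]:
    """Flag autostart entries and newly created files that deserve a second look."""
    hits: list[Finding] = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = AUTOSTART.match(line)
        if m:
            kind, rest = m["kind"], m["rest"]
            if "Run" in kind:
                r = RUN_ENTRY.match(rest)
                if r and r["name"].isdigit() and len(r["name"]) >= 16:
                    hits.append(Finding("dds", "autostart named with a long digit string", line))
                d = RUNDLL.search(rest)
                if d and SYSTEM32.search(d["dll"]):
                    hits.append(Finding("dds", "rundll32 loads a DLL from system32 at logon", line))
            elif rest.endswith("- No File"):
                hits.append(Finding("dds", f"orphaned {kind} entry, file missing", line))
            elif SYSTEM32.search(rest):
                hits.append(Finding("dds", f"{kind} handler lives in system32", line))
            continue
        f = FILE_ROW.match(line)
        if f and f["size"] != "<DIR>":
            attrs = f["attrs"]
            if attrs[3] == "s" and attrs[4] == "h" and SYSTEM32.search(f["path"]):
                hits.append(Finding("dds", "hidden+system file recently written to system32", line))
    return hits


def triage_gmer(text: str) -> tuple[Counter[str], list[Finding]]:
    """Count SSDT hooks per owning driver and flag drivers GMER cannot open.
    Every hook owned by one known security driver is the normal picture; a hook
    from an unknown module, or a registered driver with no file, is what to chase."""
    owners: Counter[str] = Counter()
    hits: list[Finding] = []
    for line in (raw.strip() for raw in text.splitlines()):
        h = SSDT_HOOK.match(line)
        if h:
            owners[h["module"].rsplit("\\", 1)[-1]] += 1
        elif MISSING_DRV.match(line):
            hits.append(Finding("gmer", "registered driver whose file cannot be found", line))
    return owners, hits


if __name__ == "__main__":
    for hit in triage_dds(SAMPLE_DDS):
        print(f"[dds] {hit.reason}: {hit.line}")
    owners, gmer_hits = triage_gmer(SAMPLE_GMER)
    for module, n in owners.items():
        print(f"[gmer] {n} SSDT hook(s) owned by {module}")
    for hit in gmer_hits:
        print(f"[gmer] {hit.reason}: {hit.line}")
```

Run it as-is to see the sample triaged, or feed it a real DDS.txt and GMER.txt with `triage_dds(open("DDS.txt").read())`. The point of grouping SSDT hooks by owner is the false-positive caveat from the GMER instructions above: eighteen hooks all owned by an anti-keylogger's driver is that product doing its job, whereas a single hook owned by a module nobody installed, or a driver the kernel has registered but whose file cannot be opened, is what a rootkit scan is actually for.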

#3 09sden (Topic Starter, New Member, 5 posts)
Here is DDS.txt Attach.txt and GMER.txt

DDS (Ver_09-02-01.01) - NTFSx86
Run by Family at 15:23:25.03 on Wed 02/18/2009
Internet Explorer: 8.0.6001.18241
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1692 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Game Updater\gameupdater.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AntiLogger\AntiLogger.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BigFix\bigfix.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Family\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = Preserve
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5662
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: MSUSER Class: {8d4d2f69-df30-4471-988c-cc58545e86c8} - c:\windows\system32\SystemHper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [70244780469928609425893105232650] c:\program files\antivirus 2009\av2009.exe
uRun: [DAEMON Tools Lite] "c:\daemon tools lite\daemon.exe" -autorun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AAK] c:\program files\advanced anti keylogger\aak.exe /silent
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; FunWebProducts; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30618; .NET CLR 3.5.21022; .NET CLR 3.5.30729; Zune 3.0)
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [ModPS2] ModPS2Key.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [SystemHelp] RUNDLL32.EXE c:\windows\system32\SystemHper.dll,Install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AntiLogger] "c:\program files\antilogger\AntiLogger.exe" /minimized
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1226021132131
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226020498306
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.gamehouse.com/realarcade-webgames/burgershop/GoBitGamesPlayer.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://mailsrv2.tps.org/dwa7W.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll, c:\progra~1\google\google~1\goec62~1.dll
SEH: {ab0a0b68-6e3c-31d2-8901-3a8ae135d25a} - c:\windows\system32\KcrndDrv.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\family\appdata\roaming\mozilla\firefox\profiles\swekd3ym.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=101760&l=dis
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R1 AntiLog32;AntiLog32;c:\program files\antilogger\AntiLog32.sys [2009-2-2 108912]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-24 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-31 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-24 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-24 298264]
R2 gameupdater;Game Updater;c:\program files\common files\game updater\gameupdater.exe [2008-10-23 641024]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-19 950096]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\microsoft sql server\100\shared\sqladhlp.exe" --> c:\program files\microsoft sql server\100\shared\SQLADHLP.EXE [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\sqlagent.exe" -i sqlexpress --> c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [?]

=============== Created Last 30 ================

2009-02-17 19:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-17 19:42 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-17 19:39 <DIR> -cd-h--- c:\programdata\{2BAE6915-8510-4B9F-B498-02DA86258AA0}
2009-02-17 19:39 <DIR> -cd-h--- c:\progra~2\{2BAE6915-8510-4B9F-B498-02DA86258AA0}
2009-02-17 19:39 <DIR> --d----- c:\program files\Lavasoft
2009-02-17 19:00 27,612 a------- c:\windows\syscall.dat
2009-02-17 19:00 <DIR> -cd-h--- c:\programdata\{2EF4F8EB-1FF3-45C7-93BC-054FBE99D9E2}
2009-02-17 19:00 <DIR> -cd-h--- c:\progra~2\{2EF4F8EB-1FF3-45C7-93BC-054FBE99D9E2}
2009-02-17 19:00 <DIR> --d----- c:\program files\AntiLogger
2009-02-17 06:47 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-17 06:47 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-17 06:47 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-17 06:47 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-17 06:47 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-15 00:26 2,664 a------- c:\windows\wininit.ini
2009-02-11 03:00 1,659,392 a------- c:\windows\system32\mshtml.tlb
2009-02-08 12:01 <DIR> --d----- c:\programdata\NOS
2009-02-05 20:38 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2009-02-04 19:27 <DIR> --d----- c:\programdata\ATI
2009-02-04 18:21 0 a------- c:\windows\ativpsrm.bin
2009-02-04 18:19 <DIR> --d----- C:\ATI
2009-02-02 00:23 <DIR> --d----- c:\programdata\Adobe
2009-02-01 04:24 <DIR> --d----- C:\payloads
2009-02-01 04:24 <DIR> --d----- C:\Italiano
2009-02-01 04:24 <DIR> --d----- C:\Français
2009-02-01 04:24 <DIR> --d----- C:\Español
2009-02-01 04:24 <DIR> --d----- C:\English
2009-02-01 04:24 <DIR> --d----- C:\Deutsch
2009-02-01 04:24 <DIR> --d----- C:\deployment
2009-02-01 01:35 14,604 a------- c:\windows\system32\drivers\pfc.sys
2009-02-01 00:58 719,872 a------- c:\windows\system32\devil.dll
2009-02-01 00:58 318,976 a------- c:\windows\system32\avisynth.dll
2009-02-01 00:58 70,656 a------- c:\windows\system32\yv12vfw.dll
2009-02-01 00:58 70,656 a------- c:\windows\system32\i420vfw.dll
2009-02-01 00:58 27,648 a------- c:\windows\system32\AVSredirect.dll
2009-02-01 00:58 <DIR> --d----- c:\program files\AviSynth 2.5
2009-02-01 00:58 186,880 ---shr-- c:\windows\system32\RLOgg.ax
2009-02-01 00:58 179,200 ---shr-- c:\windows\system32\DiracSplitter.ax
2009-02-01 00:58 175,104 ---shr-- c:\windows\system32\CoreAAC.ax
2009-02-01 00:58 92,672 ---shr-- c:\windows\system32\RLVorbisDec.ax
2009-02-01 00:58 67,584 ---shr-- c:\windows\system32\RLTheoraDec.ax
2009-02-01 00:58 51,712 ---shr-- c:\windows\system32\RLSpeexDec.ax
2009-02-01 00:58 81,920 ---shr-- c:\windows\system32\aac_parser.ax
2009-02-01 00:47 258,352 a------- c:\windows\system32\Unicows.dll
2009-01-31 13:42 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-31 12:29 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2009-01-31 12:29 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-01-30 11:45 <DIR> --d----- c:\program files\AskBarDis
2009-01-30 10:41 <DIR> --d----- C:\Fraps

==================== Find3M ====================

2009-02-16 00:37 86,016 a------- c:\windows\inf\infstrng.dat
2009-02-16 00:37 86,016 a------- c:\windows\inf\infstor.dat
2009-02-16 00:37 51,200 a------- c:\windows\inf\infpub.dat
2009-01-31 13:42 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-31 13:42 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-14 02:15 4,235,776 a------- c:\windows\system32\drivers\atikmdag.sys
2009-01-14 00:03 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2009-01-14 00:02 159,744 a------- c:\windows\system32\atitmmxx.dll
2009-01-14 00:01 348,160 a------- c:\windows\system32\atipdlxx.dll
2009-01-14 00:01 274,432 a------- c:\windows\system32\Oemdspif.dll
2009-01-14 00:01 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-01-14 00:01 286,720 a------- c:\windows\system32\Ati2evxx.dll
2009-01-13 23:59 729,088 a------- c:\windows\system32\Ati2evxx.exe
2009-01-13 23:50 2,345,472 a------- c:\windows\system32\atidxx32.dll
2009-01-13 23:44 3,963,392 a------- c:\windows\system32\atiumdag.dll
2009-01-13 23:22 4,765,696 a------- c:\windows\system32\atiumdva.dll
2009-01-13 23:08 50,688 a------- c:\windows\system32\amdpcom32.dll
2009-01-13 23:07 122,880 a------- c:\windows\system32\atiadlxx.dll
2009-01-13 22:59 11,247,616 a------- c:\windows\system32\atioglxx.dll
2009-01-13 22:50 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-01-13 21:54 57,344 a------- c:\windows\system32\amdcalrt.dll
2009-01-13 21:53 53,248 a------- c:\windows\system32\amdcalcl.dll
2009-01-13 21:51 3,239,936 a------- c:\windows\system32\amdcaldd.dll
2009-01-03 03:07 81,920 a------- c:\windows\system32\frapsvid.dll
2008-12-30 15:51 1,028,096 a------- c:\windows\system32\libeay32.dll
2008-12-24 00:35 1,234,120 a------- c:\users\family\wrar380.exe
2008-12-23 20:10 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-23 13:20 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2008-12-01 23:26 1,020,703 a------- c:\users\family\svrec16.exe
2008-11-29 22:39 7,508,624 a------- c:\users\family\Firefox Setup 3.0.4.exe
2008-11-27 17:43 3,064,736 a------- c:\users\family\ventrilo-3.0.4-Windows-i386.exe
2008-11-26 13:21 3,292,936 a------- c:\users\family\UnityWebPlayer.exe
2008-11-24 19:59 50,689,960 a------- c:\users\family\avg_free_stf_en_8_173a1373.exe
2008-10-10 09:36 174 a--sh--- c:\program files\desktop.ini
2008-10-10 09:31 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-15 10:43 132 a------- c:\users\family\appdata\roaming\wklnhst.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-09-29 15:05 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-29 15:05 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-29 15:05 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 15:24:22.71 ===============


Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 11/23/2007 6:55:52 PM
System Uptime: 2/18/2009 1:45:56 PM (2 hours ago)

Motherboard: ECS | | MCP61PM-GM
Processor: AMD Phenom™ 9500 Quad-Core Processor | Socket AM2 | 2200/235mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 455 GiB total, 329.884 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 4.489 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: ACQ865LX IDE Controller
Device ID: ACPI\PNPA000\4&5D18F2DF&0
Manufacturer: (Standard mass storage controllers)
Name: ACQ865LX IDE Controller
PNP Device ID: ACPI\PNPA000\4&5D18F2DF&0
Service: a84j9r9h

==== System Restore Points ===================


==== Installed Programs ======================


2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 9
Adobe Shockwave Player
AGEIA PhysX v7.11.13
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AntiLogger
Apple Software Update
Ask Toolbar
ATI Catalyst Install Manager
ATI Catalyst Registration
AVG Free 8.0
Big Fish Games Client
BigFix
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
Gateway Connect
Gateway Games
Gateway Recovery Center Installer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Java™ SE Runtime Environment 6 Update 1
Jewel Labyrinth
LabelPrint
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office 2000 Premium
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 RsFx Driver
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
Mozilla Firefox (3.0.6)
MSXML 4.0 SP2 (KB936181)
NVIDIA Drivers
Pocket Tanks v1.2
Power2Go 5.0
PS2 Multimedia Keyboard Driver
QuickTime
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Skins
Soft Data Fax Modem with SmartCP
Spare Backup
Spelling Dictionaries Support For Adobe Reader 8
Sql Server Customer Experience Improvement Program
Super Collapse! 3
Super TextTwist
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wohiper
TurboTax 2008 wrapper
TurboTax Deluxe 2007
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Ventrilo Client
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
World of Warcraft
World of Warcraft FREE Trial
Yahoo! Toolbar
Zuma (remove only)
Zuma Deluxe 1.0

==== End Of File ===========================


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-18 15:51:32
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwCreateFile [0x8FD01532]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwCreateThread [0x8FD00D6E]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwDeleteKey [0x8FD01354]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwDeleteValueKey [0x8FD01228]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwLoadDriver [0x8FD00BA4]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwMapViewOfSection [0x8FD00946]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenFile [0x8FD01782]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenKey [0x8FD01520]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenProcess [0x8FD00E90]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenSection [0x8FD00FF6]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwOpenThread [0x8FD00F40]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwQueueApcThread [0x8FD00E1E]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwSecureConnectPort [0x8FD018B0]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwSetContextThread [0x8FD008D8]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwSetSystemInformation [0x8FD00D00]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwSetValueKey [0x8FD01420]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwTerminateProcess [0x8FD0110E]
SSDT \??\C:\Program Files\AntiLogger\AntiLog32.sys ZwWriteVirtualMemory [0x8FD007E0]

INT 0x51 ? 859FDBF8
INT 0x52 ? 87971BF8
INT 0x62 ? 87971BF8
INT 0x82 ? 859FCBF8
INT 0x92 ? 859FDBF8

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeSetTimerEx + 40C 822BA9D0 4 Bytes [ 32, 15, D0, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 454 822BAA18 4 Bytes [ 6E, 0D, D0, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 508 822BAACC 4 Bytes [ 54, 13, D0, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 514 822BAAD8 4 Bytes [ 28, 12, D0, 8F ]
.text ntkrnlpa.exe!KeSetTimerEx + 5B0 822BAB74 4 Bytes [ A4, 0B, D0, 8F ]
.text ...
? System32\Drivers\spja.sys The system cannot find the file specified. !
PAGE ataport.SYS!DllUnload 82E8CB2E 5 Bytes JMP 859FD1D8
.text USBPORT.SYS!DllUnload 8A98146F 5 Bytes JMP 879711D8

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\AntiLogger\AntiLogger.exe[2300] kernel32.dll!CreateThread + 1A 779746E2 4 Bytes [ BE, 2C, BC, 88 ]
.text C:\Program Files\Internet Explorer\iexplore.exe[66392] USER32.dll!DialogBoxIndirectParamW 7600BD25 5 Bytes JMP 0215157B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66392] USER32.dll!CreateWindowExW 76013D67 5 Bytes JMP 01FBECEE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66392] USER32.dll!DialogBoxParamW 76021FD5 5 Bytes JMP 01F2E0B3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66392] USER32.dll!DialogBoxParamA 760480B2 5 Bytes JMP 02151518 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66392] USER32.dll!DialogBoxIndirectParamA 760483DD 5 Bytes JMP 021515DE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66392] USER32.dll!MessageBoxIndirectA 7605D471 5 Bytes JMP 021514AD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66392] USER32.dll!MessageBoxIndirectW 7605D56B 5 Bytes JMP 02151442 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66392] USER32.dll!MessageBoxExA 7605D5D1 5 Bytes JMP 021513E0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66392] USER32.dll!MessageBoxExW 7605D5F5 5 Bytes JMP 0215137E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!SetWindowsHookExW 76007B69 5 Bytes JMP 02151712 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!CallNextHookEx 76008C33 5 Bytes JMP 02151776 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!GetAsyncKeyState 76008DF4 5 Bytes JMP 0206FE7C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!DialogBoxIndirectParamW 7600BD25 5 Bytes JMP 0215157B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!SendInput 7600BEE7 5 Bytes JMP 02151B78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!EnableWindow 7600DC79 5 Bytes JMP 01F3E229 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!CreateWindowExW 76013D67 5 Bytes JMP 01FBECEE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!GetKeyState 760187C7 5 Bytes JMP 01F41B21 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!IsDialogMessageW 760199AE 5 Bytes JMP 02151974 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!CreateDialogParamA 760216FD 5 Bytes JMP 02151DE8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!IsDialogMessage 7602179A 5 Bytes JMP 02151934 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!DialogBoxParamW 76021FD5 5 Bytes JMP 01F2E0B3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!CreateDialogIndirectParamA 760227CD 5 Bytes JMP 02151E1F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!CreateDialogIndirectParamW 76029AFA 5 Bytes JMP 02151E1F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!UnhookWindowsHookEx 760308BE 5 Bytes JMP 0215175D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!CreateDialogParamW 76031C58 5 Bytes JMP 02038421 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!DialogBoxParamA 760480B2 5 Bytes JMP 02151518 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!DialogBoxIndirectParamA 760483DD 5 Bytes JMP 021515DE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!MessageBoxIndirectA 7605D471 5 Bytes JMP 021514AD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!MessageBoxIndirectW 7605D56B 5 Bytes JMP 02151442 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!MessageBoxExA 7605D5D1 5 Bytes JMP 021513E0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!MessageBoxExW 7605D5F5 5 Bytes JMP 0215137E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!keybd_event 7605D93C 5 Bytes JMP 02151B56 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] SHELL32.dll!SHRestricted + DFD 76A58390 4 Bytes [ 99, 0B, 52, 6B ]
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] SHELL32.dll!SHRestricted + E05 76A58398 8 Bytes [ A7, 0A, 52, 6B, A4, 32, 51, ... ]
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] ole32.dll!CoCreateInstance 7635E188 5 Bytes JMP 01F41420 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82C096D2] \SystemRoot\System32\Drivers\spja.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82C09040] \SystemRoot\System32\Drivers\spja.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82C097FC] \SystemRoot\System32\Drivers\spja.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [82C090BE] \SystemRoot\System32\Drivers\spja.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82C0913C] \SystemRoot\System32\Drivers\spja.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [82C19048] \SystemRoot\System32\Drivers\spja.sys

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\AntiLogger\AntiLogger.exe[2300] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [005374FC] C:\Program Files\AntiLogger\AntiLogger.exe (Zemana AntiLogger User Interface/Zemana Ltd.)
IAT C:\Program Files\AntiLogger\AntiLogger.exe[2300] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!QueueUserWorkItem] [005374FC] C:\Program Files\AntiLogger\AntiLogger.exe (Zemana AntiLogger User Interface/Zemana Ltd.)
IAT C:\Program Files\AntiLogger\AntiLogger.exe[2300] @ C:\Windows\system32\wininet.dll [KERNEL32.dll!QueueUserWorkItem] [005374FC] C:\Program Files\AntiLogger\AntiLogger.exe (Zemana AntiLogger User Interface/Zemana Ltd.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SearchPathW] [6B50F233] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6B50D537] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CopyFileW] [6B50B6A1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!MoveFileW] [6B50DE50] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!DeleteFileW] [6B50C301] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetCurrentDirectoryW] [6B50F49D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindClose] [6B510D4C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindNextFileW] [6B50FC09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindFirstFileW] [6B5102A5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6B50D09C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateFileW] [6B50BD1B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!WritePrivateProfileStringW] [6B50B114] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6B50D221] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetPrivateProfileStringW] [6B50A970] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegQueryInfoKeyW] [6B51DB0F] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegEnumValueW] [6B51E479] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegOpenKeyExW] [6B51CB9D] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegQueryValueExW] [6B51D773] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegDeleteKeyW] [6B51CEA5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCreateKeyExW] [6B51C625] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCloseKey] [6B51CD09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6B50D537] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6B50D09C] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!CopyFileW] [6B50B6A1] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6B50D221] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!CreateFileW] [6B50BD1B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SearchPathW] [6B50F233] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!DeleteFileW] [6B50C301] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6B50D221] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!ReplaceFileW] [6B50E151] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!WritePrivateProfileStringW] [6B50B114] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetPrivateProfileStringW] [6B50A970] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetPrivateProfileStringA] [6B50A819] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!DeleteFileW] [6B50C301] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6B50D537] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetFileAttributesW] [6B508D54] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileW] [6B50BD1B] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindFirstFileW] [6B5102A5] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindNextFileW] [6B50FC09] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SearchPathW] [6B50F233] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetFileAttributesW] [6B508AFB] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer
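
A practitioner reading the GMER output above wants to sort the hooks by who owns them before going line by line: the USER32 detours inside iexplore.exe land in IEFRAME.dll and the IAT redirections land in AcRedir.DLL, both of which GMER labels as Microsoft components, while the kernel IAT entries in atapi.sys and i8042prt.sys point at spja.sys, a driver GMER prints with no vendor description and that the thread never identifies. The script below is an added example written for this page (not code from the thread, from GMER or from Geeks to Go): it parses GMER's ".text" and "IAT" hook lines, groups them by the module that owns the jump target, and flags hooks on keyboard-input APIs, on raw port I/O, and on modules printed without a description. The embedded sample is a subset of the lines posted above; the two regular expressions are assumptions about GMER 1.0.14's line format derived from those lines, not a documented grammar, and a flag means "look at this", not "malicious".

```python
"""Triage helper for GMER hook listings (added example, not GMER's own code).

Two hook shapes from the log are handled:

  .text <process>[<pid>] <dll>!<api> <addr> N Bytes JMP <target> <module> (<vendor>)
  IAT   <image>[<import>!<api>] [<target>] <module> (<vendor>)

i8042prt.sys is the PS/2 keyboard port driver, so a hook on its READ_PORT_UCHAR
import sees scancodes before any user-mode code does; that is why raw port I/O
is flagged alongside the usual user-mode keyboard APIs.
"""
import re
from collections import defaultdict

# APIs a user-mode or kernel-mode keylogger typically sits on.
KEYBOARD_APIS = {
    "GetAsyncKeyState", "GetKeyState", "SetWindowsHookExA", "SetWindowsHookExW",
    "CallNextHookEx", "keybd_event", "SendInput", "READ_PORT_UCHAR",
}

# Assumed line grammar, reverse-engineered from the lines in this thread.
INLINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?\[\d+\])\s+(?P<dll>[^\s!]+)!(?P<api>\S+)"
    r"(?:\s+\+\s+[0-9A-F]+)?\s+[0-9A-F]+\s+\d+\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]+)\s+(?P<module>.+?)(?:\s+\((?P<desc>[^)]*)\))?"
    r"|(?P<patch>\[.*\]))\s*$"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>.+?)\[(?P<dll>[^\]!]+)!(?P<api>[^\]]+)\]\s+\[(?P<target>[0-9A-F]+)\]"
    r"\s+(?P<module>.+?)(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)

# A representative subset of the lines posted above; the section headers are
# kept to show that non-hook lines are ignored.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!GetAsyncKeyState 76008DF4 5 Bytes JMP 0206FE7C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] USER32.dll!CreateWindowExW 76013D67 5 Bytes JMP 01FBECEE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[66428] SHELL32.dll!SHRestricted + DFD 76A58390 4 Bytes [ 99, 0B, 52, 6B ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82C096D2] \SystemRoot\System32\Drivers\spja.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [82C19048] \SystemRoot\System32\Drivers\spja.sys

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\AntiLogger\AntiLogger.exe[2300] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [005374FC] C:\Program Files\AntiLogger\AntiLogger.exe (Zemana AntiLogger User Interface/Zemana Ltd.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[66428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6B50D537] C:\Windows\AppPatch\AcRedir.DLL (Windows Compatibility DLL/Microsoft Corporation)
"""


def parse_gmer(text):
    """Parse '.text' (inline) and 'IAT' hook lines; every other line is ignored."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_RE.match(line)
        if m:
            hooks.append({"kind": "inline", "image": m["image"], "api": m["api"],
                          "module": m["module"] or "(byte patch, no jump target)",
                          "desc": m["desc"]})
            continue
        m = IAT_RE.match(line)
        if m:
            hooks.append({"kind": "iat", "image": m["image"].strip(), "api": m["api"],
                          "module": m["module"], "desc": m["desc"]})
    return hooks


def hooks_by_module(hooks):
    """Map each hooking module to the sorted list of APIs it has redirected."""
    groups = defaultdict(set)
    for h in hooks:
        groups[h["module"]].add(h["api"])
    return {mod: sorted(apis) for mod, apis in groups.items()}


def suspicious(hooks):
    """Return (image, api, module, reasons) for hooks that deserve a manual look."""
    flagged = []
    for h in hooks:
        reasons = []
        if h["api"] in KEYBOARD_APIS:
            reasons.append("keyboard-input API")
        if h["api"].startswith("AtaPort") or "PORT_" in h["api"]:
            reasons.append("raw port I/O")
        if not h["desc"]:
            reasons.append("unattributed module")
        if reasons:
            flagged.append((h["image"], h["api"], h["module"], reasons))
    return flagged


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for mod, apis in hooks_by_module(parsed).items():
        print(f"{mod}: {', '.join(apis)}")
    print()
    for image, api, mod, reasons in suspicious(parsed):
        print(f"[!] {api} in {image} -> {mod}: {'; '.join(reasons)}")
```

Run it against a full GMER.txt by replacing SAMPLE_LOG with the file's contents; on the sample, IEFRAME.dll and AcRedir.DLL come out as attributed Microsoft modules with one keyboard-API hit (GetAsyncKeyState) to read in context, while both spja.sys entries are flagged on every count and the SHRestricted byte patch is flagged only because GMER attributes it to nothing.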

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#5 09sden (New Member, Topic Starter, 5 posts)
Here it is

Malwarebytes' Anti-Malware 1.34
Database version: 1779
Windows 6.0.6001 Service Pack 1

2/19/2009 5:40:03 PM
mbam-log-2009-02-19 (17-40-03).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 223923
Time elapsed: 1 hour(s), 21 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mshelp.msuser (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mshelp.msuser.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8d4d2f69-df30-4471-988c-cc58545e86c8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8d4d2f69-df30-4471-988c-cc58545e86c8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8d4d2f69-df30-4471-988c-cc58545e86c8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Family\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Family\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Family\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Family\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
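
The last four entries in that log are Internet Shortcut (.url) files named after the folders they sat in or beside; MBAM labels them Trojan.Zlob, but the thread never shows what they pointed at. The following is an added example (not code from the thread or from Malwarebytes) of the check a responder would run over a profile to find that pattern. A .url file is a small INI-style text file whose URL= key under [InternetShortcut] is what Explorer opens when the icon is double-clicked, so the scan parses each one and reports those whose name mirrors the enclosing folder or a sibling folder and whose target is not a local path. The sample files and the lure.example hostname are constructed for the demo; they are not the contents of the files that were removed.

```python
"""Find .url shortcuts that impersonate user folders (added example, not MBAM code)."""
import configparser
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample files. The thread does not show what the removed files
# contained; the hostnames below are placeholders, not real indicators.
SAMPLE_FILES = {
    os.path.join("My Documents", "My Music", "My Music.url"):
        "[InternetShortcut]\nURL=http://lure.example/music\n",
    os.path.join("My Documents", "My Documents.url"):
        "[InternetShortcut]\nURL=http://lure.example/docs\n",
    # Legitimate local shortcut: file: scheme, so out of scope.
    os.path.join("My Documents", "readme.url"):
        "[InternetShortcut]\nURL=file:///C:/Users/Family/notes.txt\n",
    # Ordinary favourite: web target, but the name matches no folder.
    os.path.join("Favorites", "Geeks to Go.url"):
        "[InternetShortcut]\nURL=http://www.geekstogo.com/\n",
}


def parse_url_file(path):
    """Return the URL= target of a .url file, or None if it is not a usable shortcut."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            cp.read_string(fh.read())
    except (OSError, configparser.Error):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def impersonates_folder(path):
    """True when the shortcut's base name equals its parent folder or a sibling folder."""
    stem = os.path.splitext(os.path.basename(path))[0].casefold()
    parent = os.path.dirname(path)
    names = {os.path.basename(parent).casefold()}
    names |= {d.casefold() for d in os.listdir(parent)
              if os.path.isdir(os.path.join(parent, d))}
    return stem in names


def scan_profile(root):
    """Return sorted (relative path, url) pairs for folder-impersonating .url files
    whose target is not a local path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".url"):
                continue
            full = os.path.join(dirpath, name)
            url = parse_url_file(full)
            if url is None:
                continue
            if urlparse(url).scheme.lower() in ("", "file"):
                continue  # local target; this check is about off-disk lures
            if impersonates_folder(full):
                findings.append((os.path.relpath(full, root), url))
    return sorted(findings)


def demo():
    """Write the constructed samples into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_profile(root)


if __name__ == "__main__":
    for rel, url in demo():
        print(f"{rel} -> {url}")
```

On a real machine, call scan_profile() on the user's profile directory (C:\Users\Family in this thread) rather than demo(); the two constructed lures are reported and the local shortcut and the ordinary favourite are not.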

#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7 09sden (New Member, Topic Starter, 5 posts)
The Kaspersky online scan yielded nothing.

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Great, how are things running?

#9 09sden (New Member, Topic Starter, 5 posts)
Uh, good. I hope the Trojan.BHO was my keylogger; everything else seems pretty normal. I was doing all this prior to starting my account back up so I wouldn't have to deal with the hassle again.

Edited by 09sden, 20 February 2009 - 06:46 PM.


#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Your logs are clean now.
If you want, I will keep this thread open for a few days; let me know if anything changes.
So just use it a while and post back here in a few days and we will close this thread.