Ok, here are the DDS, Attach, and GMER things. Sorry it took me so long; it was a long work day... It has too many characters, so I am putting it in 2, maybe 3, posts. Thank you so much!
------------------------------------------------------
==========================================
------------------------------------------------------
DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 8:30:17.32 on Thu 05/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2287.1728 [GMT -5:00]
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
svchost.exe "C:\WINDOWS\system32\1031u.exe"
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\WTClient.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - g:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: {269c5932-7c9a-4c31-85c3-741c961128cc} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - g:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [nwiz] nwiz.exe /install
mRun: [WTClient] WTClient.exe
mRun: [Acrobat Assistant 8.0] "g:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\rt2500 wireless lan card\installer\winxp\RaConfig2500.exe
IE: Append to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146416732703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli c:\windows\system32\bewihafe.dll
============= SERVICES / DRIVERS ===============
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [2006-4-13 38784]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-15 201320]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-9-19 72672]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-19 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-15 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-15 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-15 35240]
R3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2008-7-12 360448]
R3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-7-12 18944]
R3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-7-12 33792]
S1 chdlzdnk;chdlzdnk;\??\c:\windows\system32\drivers\chdlzdnk.sys --> c:\windows\system32\drivers\chdlzdnk.sys [?]
S2 ThemesCryptSvc;Themes ThemesCryptSvc;c:\windows\system32\1031u.exe srv --> c:\windows\system32\1031u.exe srv [?]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [2006-4-13 116224]
S3 L6PODLV;PODxt Live Service;c:\windows\system32\drivers\L6PODLV.sys [2008-3-16 514432]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-15 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-15 40488]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-15 695624]
=============== Created Last 30 ================
2009-05-20 00:17 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-20 00:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-19 23:44 <DIR> --d----- c:\program files\Trend Micro
2009-05-19 22:51 <DIR> --d----- c:\docume~1\owner\applic~1\Safer Networking
2009-05-19 22:51 <DIR> --d----- c:\program files\Safer Networking
2009-05-18 20:13 0 a------- c:\windows\st_1242714091.exe
2009-05-18 20:13 0 a------- c:\windows\st_1242695661.exe
2009-05-18 20:05 2 ----h--- c:\windows\sto453190.dat
2009-05-18 20:04 32 a--s---- c:\windows\system32\2757321258.dat
2009-05-18 20:04 53,248 ---shr-- c:\windows\system32\1031u.exe
2009-05-18 20:04 20,480 a------- c:\windows\system32\digiwet.dll
2009-05-02 00:45 215,465 a------- c:\windows\system32\nvapps.nvb
2009-04-23 19:25 <DIR> --d----- c:\docume~1\owner\applic~1\GetRightToGo
==================== Find3M ====================
2009-05-20 19:36 7,304 a------- c:\windows\TMP0001.TMP
2009-05-19 23:32 6,832 a------- c:\windows\system32\d3d9caps.dat
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2007-10-26 19:20 1,355 a------- c:\docume~1\owner\applic~1\SAS7_000.DAT
2006-04-30 22:40 65 a------- c:\program files\common files\appop.log
2006-05-01 07:46 56 ---shr-- c:\windows\system32\5E0AFDD4F0.sys
2008-08-19 00:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat
2009-02-18 20:09 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-02-18 20:09 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-02-18 20:09 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 8:30:49.03 ===============
---------------------------------------------------------
============================================
---------------------------------------------------------
The Attach thing is attached. I wasn't sure how you wanted this one, so I just followed the instructions it gave and zipped and attached it. If you would rather I just copy and paste it, let me know.
----------------------------------------------------------
=============================================
----------------------------------------------------------
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-21 20:55:57
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT spxl.sys ZwCreateKey [0xB9EAA0E0]
SSDT spxl.sys ZwEnumerateKey [0xB9EC7CA2]
SSDT spxl.sys ZwEnumerateValueKey [0xB9EC8030]
SSDT spxl.sys ZwOpenKey [0xB9EAA0C0]
SSDT spxl.sys ZwQueryKey [0xB9EC8108]
SSDT spxl.sys ZwQueryValueKey [0xB9EC7F88]
SSDT spxl.sys ZwSetValueKey [0xB9EC819A]
INT 0x63 ? 8AB04BF8
INT 0x73 ? 8AB04BF8
INT 0x82 ? 8AB70BF8
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA7FCB9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA7FCB958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA7FCB96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA7FCB9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA7FCB930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA7FCB944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA7FCB9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA7FCB996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA7FCB982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA7FCBA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA7FCBA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA7FCB9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP A7FCB9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP A7FCB9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP A7FCB9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP A7FCBA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP A7FCB9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP A7FCB934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP A7FCB948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP A7FCB986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP A7FCB970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP A7FCB95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP A7FCB99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP A7FCBA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spxl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B81218AC 5 Bytes JMP 8A9054E0
.text aav637q0.SYS B601C384 1 Byte [20]
.text aav637q0.SYS B601C384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text aav637q0.SYS B601C3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text aav637q0.SYS B601C3C4 3 Bytes [00, 00, 00]
.text aav637q0.SYS B601C3C9 1 Byte [00]
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0082
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00AE
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0093
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00DA
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00C9
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00EB
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0051
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A001B
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F72
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0040
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F4B
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290040
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0029007D
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0029001B
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FE5
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290062
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FC0
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [49, 88]
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290051
.text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F95
.text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0016
.text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FA6
.text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002C0FDB
.text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002C0FCA
.text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 002C0FB9
.text C:\WINDOWS\Explorer.EXE[384] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025A0000
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC005B
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0040
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0F66
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC002F
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0014
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F41
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0089
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00A4
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F0B
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FC0EF0
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FC0F8D
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FC0FD4
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FC006C
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FC0FB2
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FC0FC3
.text C:\WINDOWS\system32\services.exe[620] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FC0F26
.text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0099006C
.text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00990FD4
.text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00990FAF
.text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00990051
.text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00990036
.text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00980FA1
.text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!system 77C293C7 5 Bytes JMP 00980FBC
.text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00980FD7
.text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0098002C
.text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00980011
.text C:\WINDOWS\system32\services.exe[620] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90078
.text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90067
.text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E9004A
.text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90F8D
.text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FB9
When it booted up and ComboFix finished its thing, I tried out HJT without changing the name and it started up like a champ! So it looks like the ones that were causing the main issues have been caught! Here is the ComboFix log. Let me know if there is anything else and what to do. Thank you again.
ComboFix 09-05-22.05 - Owner 05/22/2009 19:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2287.1619 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\st_1242695661.exe
c:\windows\st_1242714091.exe
c:\windows\system32\1031u.exe
c:\windows\system32\getwn32.dll
c:\windows\system32\wertyu.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Legacy_THEMESCRYPTSVC
-------\Service_ThemesCryptSvc
((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.
2009-05-21 00:21 . 2009-05-21 00:21 -------- d-----w c:\program files\ERUNT
2009-05-20 05:17 . 2009-05-20 05:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-20 05:17 . 2009-05-20 05:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-20 04:44 . 2009-05-20 04:44 -------- d-----w c:\program files\Trend Micro
2009-05-20 04:39 . 2009-05-20 04:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Safer Networking
2009-05-20 04:37 . 2009-05-20 04:37 47688 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-20 04:37 . 2009-05-20 04:37 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-05-20 03:51 . 2009-05-20 03:51 -------- d-----w c:\documents and settings\Owner\Application Data\Safer Networking
2009-05-20 03:51 . 2009-05-20 03:51 -------- d-----w c:\program files\Safer Networking
2009-05-19 01:05 . 2009-05-19 01:05 2 ---h--w c:\windows\sto453190.dat
2009-05-19 01:04 . 2009-05-19 01:04 32 --s-a-w c:\windows\system32\2757321258.dat
2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-04-24 00:25 . 2009-04-24 02:10 -------- d-----w c:\documents and settings\Owner\Application Data\GetRightToGo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 05:39 . 2007-05-20 02:28 7304 ----a-w c:\windows\TMP0001.TMP
2009-05-22 23:32 . 2007-12-23 03:08 -------- d-----w c:\program files\uTorrent
2009-05-22 23:31 . 2006-04-26 05:46 -------- d-----w c:\program files\WinMX
2009-05-20 04:32 . 2006-05-01 13:10 6832 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-19 05:40 . 2006-05-19 01:47 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-12 02:12 . 2008-02-16 01:52 -------- d-----w c:\program files\Ableton
2009-05-12 02:09 . 2007-11-24 04:25 -------- d-----w c:\documents and settings\Owner\Application Data\Ableton
2009-05-07 06:45 . 2009-01-13 03:26 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-02 05:48 . 2008-03-16 02:32 -------- d-----w c:\program files\McAfee
2009-05-02 02:40 . 2009-01-08 03:39 -------- d-----w c:\program files\SystemRequirementsLab
2009-05-02 02:38 . 2009-01-08 03:39 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-03-27 13:14 . 2006-05-01 13:24 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2006-05-01 03:40 . 2006-04-14 02:09 65 ----a-w c:\program files\Common Files\appop.log
2006-05-01 12:46 . 2006-05-01 07:29 56 --sh--r c:\windows\system32\5E0AFDD4F0.sys
.
------- Sigcheck -------
[7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-11-30 07:12 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\system32\winlogon.exe
[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-30 07:12 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-08-17 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe [2006-4-10 561152]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi1"= ma_cmidn.dll
"midi4"= ma_cmidn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
backup=c:\windows\pss\Dragon NaturallySpeaking.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPM2fbcc373
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vinawiguma
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Sony\\EverQuest II\\EverQuest2.exe"=
"c:\\Program Files\\RALINK\\RT2500 Wireless LAN Card\\Installer\\WINXP\\RaConfig2500.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [4/13/2006 9:09 PM 38784]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [9/19/2007 9:11 AM 72672]
S1 chdlzdnk;chdlzdnk;\??\c:\windows\system32\drivers\chdlzdnk.sys --> c:\windows\system32\drivers\chdlzdnk.sys [?]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [4/13/2006 9:09 PM 116224]
S3 L6PODLV;PODxt Live Service;c:\windows\system32\drivers\L6PODLV.sys [3/16/2008 6:00 PM 514432]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [7/12/2008 6:33 PM 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [7/12/2008 6:33 PM 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [7/12/2008 6:33 PM 33792]
--- Other Services/Drivers In Memory ---
*Deregistered* - udffsrec
.
Contents of the 'Scheduled Tasks' folder
2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 18:32]
.
- - - - ORPHANS REMOVED - - - -
BHO-{269c5932-7c9a-4c31-85c3-741c961128cc} - (no file)
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-23 00:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1275210071-2147168017-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:4c,dd,3e,96,8f,f2,71,75,33,7f,f8,38,c5,92,3f,70,f4,f7,92,dd,ab,
17,04,f0,7b,ef,3c,67,27,f6,03,1b,5d,0a,76,c8,7f,2c,1a,e5,11,de,33,8d,74,b7,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(184)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\drivers\WTSrv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\CTXFISPI.EXE
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-05-23 0:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-23 05:48
Pre-Run: 14,224,998,400 bytes free
Post-Run: 13,968,957,440 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=1,2,3,4
223 --- E O F --- 2009-02-14 03:30
Thank you for this, it means a lot to me...
Ok here are the requested scanned item logs:
c:\windows\system32\winlogon.exe
File has already been analysed:
MD5: 3969440ba384d35317dbbdeeaae641ce
First received: 2008.11.27 18:17:00 UTC
Date: 2009.02.11 17:45:35 UTC [>100D]
Results: 1/39
Permalink: analisis/80ec02f1c71f5249c0976b4ea96d9622899fca5591d47d87d4edc1897387c8f7-1234374335
This is info on the page where the Permalink brings me:
File winlogon.exe.vir received on 2009.02.11 17:45:35 (UTC)
Current status: finished
Result: 1/39 (2.56%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.11 -
AhnLab-V3 5.0.0.2 2009.02.11 -
AntiVir 7.9.0.76 2009.02.11 -
Authentium 5.1.0.4 2009.02.11 -
Avast 4.8.1335.0 2009.02.11 -
AVG 8.0.0.229 2009.02.11 -
BitDefender 7.2 2009.02.11 -
CAT-QuickHeal 10.00 2009.02.11 -
ClamAV 0.94.1 2009.02.11 -
Comodo 974 2009.02.11 -
DrWeb 4.44.0.09170 2009.02.11 -
eSafe 7.0.17.0 2009.02.11 Win32.Banker
eTrust-Vet 31.6.6350 2009.02.11 -
F-Prot 4.4.4.56 2009.02.11 -
F-Secure 8.0.14470.0 2009.02.11 -
Fortinet 3.117.0.0 2009.02.11 -
GData 19 2009.02.11 -
Ikarus T3.1.1.45.0 2009.02.11 -
K7AntiVirus 7.10.627 2009.02.11 -
Kaspersky 7.0.0.125 2009.02.11 -
McAfee 5523 2009.02.11 -
McAfee+Artemis 5522 2009.02.10 -
Microsoft 1.4306 2009.02.11 -
NOD32 3846 2009.02.11 -
Norman 6.00.02 2009.02.11 -
nProtect 2009.1.8.0 2009.02.11 -
Panda 10.0.0.10 2009.02.11 -
PCTools 4.4.2.0 2009.02.11 -
Prevx1 V2 2009.02.11 -
Rising 21.16.22.00 2009.02.11 -
SecureWeb-Gateway 6.7.6 2009.02.11 -
Sophos 4.38.0 2009.02.11 -
Sunbelt 3.2.1851.2 2009.02.11 -
Symantec 10 2009.02.11 -
TheHacker 6.3.1.85.252 2009.02.11 -
TrendMicro 8.700.0.1004 2009.02.11 -
VBA32 3.12.8.12 2009.02.11 -
ViRobot 2009.2.11.1600 2009.02.11 -
VirusBuster 4.5.11.0 2009.02.11 -
Additional information
File size: 507904 bytes
MD5 : 3969440ba384d35317dbbdeeaae641ce
SHA1 : c87bb53e5dd5258e80df74ebd4f68aef193ea5af
SHA256: 80ec02f1c71f5249c0976b4ea96d9622899fca5591d47d87d4edc1897387c8f7
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x3E5E1
timedatestamp.....: 0x48027549 (Sun Apr 13 23:04:09 2008)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x70991 0x70A00 6.82 8b92c0dadae385ba7a05299c9a7cafbf
.data 0x72000 0x4E70 0x2000 6.28 44bd27282514b5e3a27b570106930d8d
.rsrc 0x77000 0x9020 0x9200 3.62 8b50f3590d97bb27639f10bacbc53187
( 0 imports )
( 0 exports )
TrID : File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=3969440ba384d35317dbbdeeaae641ce
ssdeep: 6144:kNZlxEdL5RvGlcHJ37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:jdz+lc3Kao6nSKHsRqOMgxZg
PEiD : -
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=3969440ba384d35317dbbdeeaae641ce
RDS : NSRL Reference Data Set
===========================================================
===========================================================
c:\windows\system32\termsrv.dll
File has already been analysed:
MD5: 63999d0abd8dabfd76a9c07f6e104868
First received: 2008.11.26 04:21:07 UTC
Date: 2009.05.19 17:47:24 UTC [>3D]
Results: 2/40
Permalink: analisis/5f6f0507b9ec1e8843363ea312475e9e6dd129e03ecb5308db285cd15fdfd482-1242755244
This is info on the page where the Permalink brings me:
File termsrv.dll received on 2009.05.19 17:47:24 (UTC)
Current status: finished
Result: 2/40 (5.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.19 -
AhnLab-V3 5.0.0.2 2009.05.19 -
AntiVir 7.9.0.168 2009.05.19 -
Antiy-AVL 2.0.3.1 2009.05.19 -
Authentium 5.1.2.4 2009.05.19 -
Avast 4.8.1335.0 2009.05.18 -
AVG 8.5.0.336 2009.05.19 -
BitDefender 7.2 2009.05.19 -
CAT-QuickHeal 10.00 2009.05.19 -
ClamAV 0.94.1 2009.05.19 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.19 -
eSafe 7.0.17.0 2009.05.19 -
eTrust-Vet 31.6.6511 2009.05.19 -
F-Prot 4.4.4.56 2009.05.18 -
F-Secure 8.0.14470.0 2009.05.19 -
Fortinet 3.117.0.0 2009.05.19 -
GData 19 2009.05.19 -
Ikarus T3.1.1.49.0 2009.05.19 -
K7AntiVirus 7.10.739 2009.05.19 -
Kaspersky 7.0.0.125 2009.05.19 -
McAfee 5620 2009.05.19 potentially unwanted program Patched Termsrv
McAfee+Artemis 5620 2009.05.19 potentially unwanted program Patched Termsrv
McAfee-GW-Edition 6.7.6 2009.05.19 -
Microsoft 1.4602 2009.05.19 -
NOD32 4088 2009.05.19 -
Norman 6.01.05 2009.05.19 -
nProtect 2009.1.8.0 2009.05.19 -
Panda 10.0.0.14 2009.05.18 -
PCTools 4.4.2.0 2009.05.18 -
Prevx 3.0 2009.05.19 -
Rising 21.30.14.00 2009.05.19 -
Sophos 4.41.0 2009.05.19 -
Sunbelt 3.2.1858.2 2009.05.18 -
Symantec 1.4.4.12 2009.05.19 -
TheHacker 6.3.4.1.327 2009.05.19 -
TrendMicro 8.950.0.1092 2009.05.19 -
VBA32 3.12.10.5 2009.05.19 -
ViRobot 2009.5.19.1740 2009.05.19 -
VirusBuster 4.6.5.0 2009.05.19 -
Additional information
File size: 295424 bytes
MD5 : 63999d0abd8dabfd76a9c07f6e104868
SHA1 : 509689ba3edd2cfad361773708b72dc35f1c77b8
SHA256: 5f6f0507b9ec1e8843363ea312475e9e6dd129e03ecb5308db285cd15fdfd482
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x219FD
timedatestamp.....: 0x4802A11C (Mon Apr 14 02:11:08 2008)
machinetype.......: 0x14C (Intel I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3F7CA 0x3F800 6.62 d12183a6fa34bf7974abe33c87bdee41
.data 0x41000 0x9838 0x1200 5.40 2c69a08d65ee8234c239668dd7d86937
.rsrc 0x4B000 0x3E50 0x4000 3.25 07385c44d1453e3272809960a81ac436
.reloc 0x4F000 0x32EE 0x3400 6.19 c59c84e9cda7289330e30d991fa19248
( 17 imports )
> advapi32.dll: GetSidSubAuthorityCount, GetSidSubAuthority, AccessCheckAndAuditAlarmW, AllocateAndInitializeSid, SetEntriesInAclW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegEnumKeyW, DeregisterEventSource, CryptAcquireContextW, CryptCreateHash, CryptImportKey, CryptVerifySignatureW, CryptDestroyKey, CryptDestroyHash, CryptReleaseContext, AddAce, GetAce, GetAclInformation, GetUserNameA, CryptHashData, RegisterServiceCtrlHandlerW, GetSidIdentifierAuthority, IsValidSid, GetTokenInformation, EqualSid, LookupAccountSidW, RegSetValueExW, CryptGenRandom, RegisterEventSourceW, ReportEventW, SetServiceBits, RegOpenKeyW, GetUserNameW, SetServiceStatus, RegOpenKeyExW, GetSecurityDescriptorDacl, LsaDelete, LsaSetSecret, LsaClose, LsaOpenSecret, LsaCreateSecret, LsaOpenPolicy, LsaFreeMemory, LsaQuerySecret, GetEventLogInformation, LsaQueryInformationPolicy, RegQueryValueExW, RegCloseKey, LogonUserW, AddAccessAllowedAce, InitializeAcl, GetLengthSid, OpenThreadToken, CheckTokenMembership, MakeSelfRelativeSD, MakeAbsoluteSD, IsValidSecurityDescriptor, ElfReportEventW, ElfRegisterEventSourceW, I_ScSendTSMessage, RegNotifyChangeKeyValue, RegCreateKeyExW, RegQueryValueExA, RegOpenKeyExA, GetCurrentHwProfileA, RegEnumKeyExA, RegEnumKeyExW, LsaStorePrivateData, LsaNtStatusToWinError, LsaRetrievePrivateData, RegDeleteValueW, OpenProcessToken
> authz.dll: AuthzFreeResourceManager, AuthziAllocateAuditParams, AuthziInitializeAuditParamsWithRM, AuthziInitializeAuditEvent, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthziFreeAuditParams, AuthzInitializeResourceManager, AuthziInitializeAuditEventType, AuthziFreeAuditEventType
> crypt32.dll: CertCloseStore, CertCreateCertificateContext, CertOpenStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetIssuerCertificateFromStore, CertVerifySubjectCertificateContext, CryptExportPublicKeyInfo, CertEnumCertificatesInStore, CertFindExtension, CertVerifyCertificateChainPolicy, CertComparePublicKeyInfo, CryptDecodeObject, CryptVerifyCertificateSignature, CryptBinaryToStringW
> icaapi.dll: IcaOpen, IcaStackCallback, IcaStackConnectionWait, IcaStackConnectionRequest, IcaStackConnectionAccept, _IcaStackIoControl, IcaStackUnlock, IcaStackReconnect, IcaStackTerminate, IcaChannelClose, IcaStackIoControl, IcaPushConsoleStack, IcaChannelOpen, IcaChannelIoControl, IcaStackConnectionClose, IcaStackClose, IcaClose, IcaIoControl, IcaStackOpen, IcaStackDisconnect
> kernel32.dll: GetLocalTime, GetDiskFreeSpaceA, GetDateFormatW, FileTimeToSystemTime, InitializeCriticalSection, GetVersion, CreateMutexW, GetModuleHandleA, InterlockedExchange, OutputDebugStringA, GetProcessAffinityMask, SetThreadAffinityMask, ResumeThread, GetExitCodeThread, GetSystemInfo, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GetVolumeInformationA, GlobalMemoryStatus, lstrlenA, lstrcpyA, GetFileSize, WriteFile, SetFilePointer, ReadFile, CreateFileA, HeapAlloc, HeapFree, CompareFileTime, CreateWaitableTimerW, SetWaitableTimer, FormatMessageW, LeaveCriticalSection, GetSystemDefaultLCID, SystemTimeToFileTime, LoadLibraryExA, GetVersionExA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetCurrentThreadId, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, DelayLoadFailureHook, lstrcpynW, GetACP, MultiByteToWideChar, SetLastError, lstrlenW, LocalFree, LocalAlloc, GetProcessHeap, DisableThreadLibraryCalls, DebugBreak, Sleep, CloseHandle, CreateProcessW, GetCurrentProcessId, IsDebuggerPresent, GetVersionExW, ResetEvent, SetEvent, VerifyVersionInfoW, CreateEventW, GetLastError, ReleaseMutex, UnmapViewOfFile, MapViewOfFile, OpenFileMappingW, WaitForMultipleObjects, OpenEventW, OpenMutexW, InterlockedDecrement, CreateThread, CreateFileW, GetSystemDirectoryW, GetSystemTime, GetComputerNameA, GetSystemTimeAsFileTime, UnregisterWait, WaitForSingleObject, InterlockedIncrement, lstrcpyW, ExitThread, QueryDosDeviceW, ProcessIdToSessionId, IsBadReadPtr, IsBadWritePtr, OpenProcess, GetComputerNameW, FreeLibrary, GetProcAddress, LoadLibraryW, GetProfileStringW, GetTickCount, RegisterWaitForSingleObject, lstrcatW, lstrcmpiW, GetProfileIntW, GetWindowsDirectoryW, SetThreadPriority, GetCurrentThread, LocalSize, GetCurrentProcess, PulseEvent, GetComputerNameExW, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, DeleteCriticalSection
> mstlsapi.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> msvcrt.dll: wcscpy, wcscmp, _except_handler3, _wcsnicmp, wcscat, swscanf, wcsncpy, wcslen, wcsncat, swprintf, wcsrchr, memmove, _snwprintf, wcschr, sprintf, qsort, strncpy, gmtime, time, mktime, _mbslen, mbstowcs, __3@YAXPAX@Z, __2@YAPAXI@Z, free, _initterm, malloc, _adjust_fdiv, _ftol, _snprintf, strncmp, iswdigit, _wcsupr, wcstok, _wtol, _stricmp, __CxxFrameHandler, _purecall, _wcsicmp
> ntdll.dll: NtOpenProcessToken, NtQueryInformationToken, RtlLengthSid, RtlCopySid, NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquireResourceShared, NtDelayExecution, DbgBreakPoint, RtlPrefixUnicodeString, NtResetEvent, NtWaitForMultipleObjects, RtlInitializeGenericTable, RtlDeleteCriticalSection, NtOpenProcess, NtQueryVirtualMemory, RtlLookupElementGenericTable, RtlCompareMemory, RtlInsertElementGenericTable, RtlDeleteElementGenericTable, RtlInitializeResource, NtCreateEvent, NtDuplicateObject, NtQuerySystemTime, RtlEqualSid, RtlAdjustPrivilege, RtlInitializeCriticalSection, NtTerminateProcess, RtlLengthRequiredSid, NtReleaseMutant, NtWaitForSingleObject, NtCreateMutant, NtQueryInformationProcess, NtDuplicateToken, NtSetInformationThread, RtlpNtEnumerateSubKey, NtRequestPort, NtConnectPort, NtSetEvent, RtlEnterCriticalSection, RtlAllocateHeap, NtOpenThreadToken, NtReplyPort, NtCompleteConnectPort, NtAcceptConnectPort, NtCreateSection, NtReplyWaitReceivePort, RtlFreeUnicodeString, NtCreatePort, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlQueryRegistryValues, NtDeviceIoControlFile, RtlExtendedLargeIntegerDivide, RtlConvertExclusiveToShared, RtlConvertSharedToExclusive, RtlDeleteResource, NtRequestWaitReplyPort, RtlFreeHeap, RtlLeaveCriticalSection, RtlAcquireResourceExclusive, RtlReleaseResource, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, NtClose, VerSetConditionMask, RtlCreateEnvironment, RtlSetProcessIsCritical, DbgPrint, NtQuerySystemInformation, NtSetTimer, NtCreateTimer, RtlCopySecurityDescriptor, RtlNtStatusToDosError, RtlDeleteAce, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, RtlMapGenericMask, RtlSubAuthoritySid, RtlInitializeSid, RtlCreateUserSecurityObject, RtlSetDaclSecurityDescriptor, RtlAddAccessAllowedAce, RtlCreateAcl, RtlCreateSecurityDescriptor, RtlWriteRegistryValue, RtlCreateRegistryKey, RtlLengthSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, NtSetSecurityObject, NtQuerySecurityObject, NtOpenSymbolicLinkObject, NtQueryDirectoryObject, NtCreateDirectoryObject, RtlFreeSid, RtlAllocateAndInitializeSid, RtlIntegerToUnicodeString, RtlAppendUnicodeToString, NtQueryMutant
> oleaut32.dll: -, -, -, -, -, -, -, -, -, -
> rpcrt4.dll: RpcServerInqDefaultPrincNameW, RpcServerRegisterAuthInfoW, RpcServerRegisterIfEx, RpcBindingToStringBindingW, RpcServerListen, RpcImpersonateClient, I_RpcBindingIsClientLocal, RpcRevertToSelf, RpcServerUseProtseqEpW, I_RpcBindingInqLocalClientPID, RpcStringFreeW, RpcRaiseException, RpcSsContextLockExclusive, NdrServerCall2, RpcServerRegisterIf, RpcStringBindingParseW
> secur32.dll: GetUserNameExW
> setupapi.dll: SetupDiGetDeviceRegistryPropertyA, SetupDiGetClassDevsA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList
> shell32.dll: SHGetFolderPathA
> shlwapi.dll: PathAppendA
> user32.dll: GetCursorPos, wvsprintfA, BroadcastSystemMessageA, wsprintfA, GetSystemMetrics, wsprintfW, ExitWindowsEx, LoadStringW, MessageBeep, GetMessageTime
> wintrust.dll: CryptCATAdminCalcHashFromFileHandle, CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminReleaseCatalogContext, CryptCATAdminReleaseContext, WTHelperProvDataFromStateData, WTHelperGetProvSignerFromChain, CryptCATAdminAcquireContext, WinVerifyTrust
> ws2_32.dll: -, -, -, getaddrinfo, -, -
( 1 exports )
> ServiceMain
TrID : File type identification
80.9% (.EXE) Win64 Executable Generic (85619/45/3)
8.0% (.EXE) Win32 Executable Generic (8527/13/3)
7.1% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
1.8% (.EXE) DOS Executable Generic (2000/1)
ssdeep: 6144:BRp6fWMV1Adl7LQup17zettU8kY0c0XwJs/nE0fiLitmNGAM:BPvMV1/ixettmXwu/nHtc8
PEiD : -
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=63999d0abd8dabfd76a9c07f6e104868
RDS : NSRL Reference Data Set
-
=======================================================
=======================================================
c:\windows\sto453190.dat
File has already been analysed:
MD5: 6226f7cbe59e99a90b5cef6f94f966fd
First received: 2009.05.18 12:58:41 UTC
Date: 2009.05.23 16:54:03 UTC [<1D]
Results: 0/39
Permalink: analisis/03042cf8100db386818cee4ff0f2972431a62ed78edbd09ac08accfabbefd818-1243097643
This is info on the page where the Permalink brings me:
File sto453250.dat received on 2009.05.23 16:54:03 (UTC)
Current status: finished
Result: 0/39 (0.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.23 -
AhnLab-V3 5.0.0.2 2009.05.23 -
AntiVir 7.9.0.168 2009.05.23 -
Antiy-AVL 2.0.3.1 2009.05.22 -
Authentium 5.1.2.4 2009.05.22 -
Avast 4.8.1335.0 2009.05.23 -
AVG 8.5.0.339 2009.05.23 -
BitDefender 7.2 2009.05.23 -
CAT-QuickHeal 10.00 2009.05.23 -
ClamAV 0.94.1 2009.05.22 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.23 -
eSafe 7.0.17.0 2009.05.21 -
eTrust-Vet 31.6.6519 2009.05.23 -
F-Prot 4.4.4.56 2009.05.22 -
F-Secure 8.0.14470.0 2009.05.23 -
Fortinet 3.117.0.0 2009.05.23 -
GData 19 2009.05.23 -
Ikarus T3.1.1.49.0 2009.05.23 -
K7AntiVirus 7.10.741 2009.05.21 -
Kaspersky 7.0.0.125 2009.05.23 -
McAfee 5624 2009.05.23 -
McAfee+Artemis 5624 2009.05.23 -
McAfee-GW-Edition 6.7.6 2009.05.23 -
Microsoft 1.4701 2009.05.23 -
NOD32 4098 2009.05.22 -
Norman 6.01.05 2009.05.22 -
nProtect 2009.1.8.0 2009.05.23 -
Panda 10.0.0.14 2009.05.23 -
PCTools 4.4.2.0 2009.05.21 -
Prevx 3.0 2009.05.23 -
Rising 21.30.52.00 2009.05.23 -
Sophos 4.42.0 2009.05.23 -
Sunbelt 3.2.1858.2 2009.05.23 -
Symantec 1.4.4.12 2009.05.23 -
TheHacker 6.3.4.3.331 2009.05.22 -
TrendMicro 8.950.0.1092 2009.05.23 -
VBA32 3.12.10.5 2009.05.23 -
ViRobot 2009.5.23.1749 2009.05.23 -
Additional information
File size: 2 bytes
MD5 : 6226f7cbe59e99a90b5cef6f94f966fd
SHA1 : 4452d71687b6bc2c9389c3349fdc17fbd73b833b
SHA256: 03042cf8100db386818cee4ff0f2972431a62ed78edbd09ac08accfabbefd818
TrID : File type identification
Unknown!
ssdeep: 3:G:G
PEiD : -
RDS : NSRL Reference Data Set
( Check Point Software Technologies Ltd )
Check Point 2000 Enterprise Suite v.4.1 Strong (3DES) Edition: etcertut.exe
================================================
================================================
c:\windows\system32\2757321258.dat
File has already been analysed:
MD5: 5e7e954d7eb504af49747a85336da63a
First received: 2008.03.25 12:09:56 UTC
Date: 2009.05.23 16:49:19 UTC [<1D]
Results: 0/40
Permalink: analisis/e8c8ac428fe98b423e983b4251fc6fa45776407223475cc55f03e0d874a9f863-1243097359
This is info on the page where the Permalink brings me:
File 213905052.dat received on 2009.05.23 16:49:19 (UTC)
Current status: finished
Result: 0/40 (0.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.23 -
AhnLab-V3 5.0.0.2 2009.05.23 -
AntiVir 7.9.0.168 2009.05.23 -
Antiy-AVL 2.0.3.1 2009.05.22 -
Authentium 5.1.2.4 2009.05.22 -
Avast 4.8.1335.0 2009.05.23 -
AVG 8.5.0.339 2009.05.23 -
BitDefender 7.2 2009.05.23 -
CAT-QuickHeal 10.00 2009.05.23 -
ClamAV 0.94.1 2009.05.22 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.23 -
eSafe 7.0.17.0 2009.05.21 -
eTrust-Vet 31.6.6519 2009.05.23 -
F-Prot 4.4.4.56 2009.05.22 -
F-Secure 8.0.14470.0 2009.05.23 -
Fortinet 3.117.0.0 2009.05.23 -
GData 19 2009.05.23 -
Ikarus T3.1.1.49.0 2009.05.23 -
K7AntiVirus 7.10.741 2009.05.21 -
Kaspersky 7.0.0.125 2009.05.23 -
McAfee 5624 2009.05.23 -
McAfee+Artemis 5624 2009.05.23 -
McAfee-GW-Edition 6.7.6 2009.05.23 -
Microsoft 1.4701 2009.05.23 -
NOD32 4098 2009.05.22 -
Norman 6.01.05 2009.05.22 -
nProtect 2009.1.8.0 2009.05.23 -
Panda 10.0.0.14 2009.05.23 -
PCTools 4.4.2.0 2009.05.21 -
Prevx 3.0 2009.05.23 -
Rising 21.30.52.00 2009.05.23 -
Sophos 4.42.0 2009.05.23 -
Sunbelt 3.2.1858.2 2009.05.23 -
Symantec 1.4.4.12 2009.05.23 -
TheHacker 6.3.4.3.331 2009.05.22 -
TrendMicro 8.950.0.1092 2009.05.23 -
VBA32 3.12.10.5 2009.05.23 -
ViRobot 2009.5.23.1749 2009.05.23 -
VirusBuster 4.6.5.0 2009.05.23 -
Additional information
File size: 32 bytes
MD5 : 5e7e954d7eb504af49747a85336da63a
SHA1 : c1a385f81c2f3789d7b113599901c4b562491023
SHA256: e8c8ac428fe98b423e983b4251fc6fa45776407223475cc55f03e0d874a9f863
TrID : File type identification
Unknown!
ssdeep: 3:5aW5fZYLU4GUJ78:EYfmg4V78
PEiD : -
RDS : NSRL Reference Data Set
When ComboFix attempted to reset the computer, a popup message appeared that said:
"Dwwin.exe failed to initialize because Windows station is shutting down" with an "OK" box.
I let it sit for about 5 minutes, at which point I attempted to open the Task Manager. It would not open, so I clicked OK on the popup message button, at which time the computer finished resetting.
Here is the combofix log:
ComboFix 09-05-22.08 - Owner 05/23/2009 12:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2287.1665 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\HOLYCRAP\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FILE ::
c:\windows\system32\drivers\chdlzdnk.sys
c:\windows\system32\drivers\svchost.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\uTorrent
c:\program files\uTorrent\8179-utorrent.d6de.dmp
c:\program files\WinMX
c:\program files\WinMX\wpnpchannelcmds.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_chdlzdnk
((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.
2009-05-21 00:21 . 2009-05-21 00:21 -------- d-----w c:\program files\ERUNT
2009-05-20 05:17 . 2009-05-20 05:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-20 05:17 . 2009-05-20 05:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-20 04:44 . 2009-05-20 04:44 -------- d-----w c:\program files\Trend Micro
2009-05-20 04:39 . 2009-05-20 04:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Safer Networking
2009-05-20 04:37 . 2009-05-20 04:37 47688 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-20 04:37 . 2009-05-20 04:37 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-05-20 03:51 . 2009-05-20 03:51 -------- d-----w c:\documents and settings\Owner\Application Data\Safer Networking
2009-05-20 03:51 . 2009-05-20 03:51 -------- d-----w c:\program files\Safer Networking
2009-05-19 01:05 . 2009-05-19 01:05 2 ---h--w c:\windows\sto453190.dat
2009-05-19 01:04 . 2009-05-19 01:04 32 --s-a-w c:\windows\system32\2757321258.dat
2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-04-24 00:25 . 2009-04-24 02:10 -------- d-----w c:\documents and settings\Owner\Application Data\GetRightToGo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 17:49 . 2007-05-20 02:28 7304 ----a-w c:\windows\TMP0001.TMP
2009-05-20 04:32 . 2006-05-01 13:10 6832 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-19 05:40 . 2006-05-19 01:47 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-12 02:12 . 2008-02-16 01:52 -------- d-----w c:\program files\Ableton
2009-05-12 02:09 . 2007-11-24 04:25 -------- d-----w c:\documents and settings\Owner\Application Data\Ableton
2009-05-07 06:45 . 2009-01-13 03:26 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-02 05:48 . 2008-03-16 02:32 -------- d-----w c:\program files\McAfee
2009-05-02 02:40 . 2009-01-08 03:39 -------- d-----w c:\program files\SystemRequirementsLab
2009-05-02 02:38 . 2009-01-08 03:39 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-03-27 13:14 . 2006-05-01 13:24 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2006-05-01 03:40 . 2006-04-14 02:09 65 ----a-w c:\program files\Common Files\appop.log
2006-05-01 12:46 . 2006-05-01 07:29 56 --sh--r c:\windows\system32\5E0AFDD4F0.sys
.
------- Sigcheck -------
[7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-11-30 07:12 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\system32\winlogon.exe
[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-30 07:12 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-23_05.40.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-19 13:11 . 2009-05-23 15:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-19 13:11 . 2009-05-23 05:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-19 13:11 . 2009-05-23 15:10 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-07-19 13:11 . 2009-05-23 05:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-08-17 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe [2006-4-10 561152]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi1"= ma_cmidn.dll
"midi4"= ma_cmidn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
backup=c:\windows\pss\Dragon NaturallySpeaking.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Sony\\EverQuest II\\EverQuest2.exe"=
"c:\\Program Files\\RALINK\\RT2500 Wireless LAN Card\\Installer\\WINXP\\RaConfig2500.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [4/13/2006 9:09 PM 38784]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [9/19/2007 9:11 AM 72672]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [4/13/2006 9:09 PM 116224]
S3 L6PODLV;PODxt Live Service;c:\windows\system32\drivers\L6PODLV.sys [3/16/2008 6:00 PM 514432]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [7/12/2008 6:33 PM 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [7/12/2008 6:33 PM 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [7/12/2008 6:33 PM 33792]
--- Other Services/Drivers In Memory ---
*Deregistered* - udffsrec
.
Contents of the 'Scheduled Tasks' folder
2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 18:32]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j6tnr1aj.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07030901.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-23 12:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1275210071-2147168017-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:4c,dd,3e,96,8f,f2,71,75,33,7f,f8,38,c5,92,3f,70,f4,f7,92,dd,ab,
17,04,f0,7b,ef,3c,67,27,f6,03,1b,5d,0a,76,c8,7f,2c,1a,e5,11,de,33,8d,74,b7,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(8144)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\drivers\WTSrv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\CTXFISPI.EXE
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-05-23 12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-23 17:56
ComboFix2.txt 2009-05-23 05:48
Pre-Run: 13,941,227,520 bytes free
Post-Run: 13,934,288,896 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=1,2,3,4
216 --- E O F --- 2009-02-14 03:30