
Thread: can't remove hldrrr.exe mdelk.exe

  1. #1
    Junior Member
    Join Date
    Apr 2008
    Posts
    16

    can't remove hldrrr.exe mdelk.exe

    1. I can't boot into Safe Mode. Each time I try, I get the Blue Screen.
    2. So I ran Spybot Search & Destroy in Normal Mode. It found FirstRunRRR in the registry and I clicked Fix.
    3. I rebooted, and get a popup window that says "Select File to Crack" and displays "My Documents"
    4. I can't run the Online Virus Checker Kaspersky. I click Accept, but nothing happens.
    5. I found the files hldrrr.exe and mdelk.exe in windows/system32/drivers, I delete them and they reappear. I went to Trend Micro first, and they recommend that I turn off System Restore and run my Antivirus. No such luck there, so I am here now.
    6. I can't find where the problem is, and why it keeps reappearing....

    Here is my HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:49, on 2008-04-28
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ISS\Proventia Desktop\blackd.exe
    C:\AdventNet\WebNMS\apache\bin\Apache.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
    C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\HPQ\SHARED\HPQWMI.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.mot.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.mot.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.mot.com:1080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mot.com;*.gi.com;<local>
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: RSAToolbar - {749F8452-7D28-4658-A903-9B047E5A2CE8} - C:\Program Files\RSA Security\IE Toolbar\RSAToolbar.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [CSCAdvantage] "C:\Program Files\Help Desk\CSCAdv.exe" /s
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [CSCLogonInfo] C:\WINDOWS\UsrLogon.exe
    O4 - HKLM\..\Run: [SupportSoft_Amer_Motorola] "C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe" /P SupportSoft_Amer_Motorola
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [URLy Warning] "C:\Program Files\URLy Warning\URLyWarning.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-863651691-3918403040-59684098-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'sdm')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Global Startup: Bluetooth.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.motorola.com/dana-cached/setup/JuniperSetupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ds.mot.com
    O17 - HKLM\Software\..\Telephony: DomainName = ds.mot.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ds.mot.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.mot.com,e1.bcs.mot.com,gic.gi.com,w1.bcs.mot.com,gi.com,corp.mot.com,ds.mot.com,mot.com,sps.mot.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.mot.com,e1.bcs.mot.com,gic.gi.com,w1.bcs.mot.com,gi.com,corp.mot.com,ds.mot.com,mot.com,sps.mot.com
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ApacheForSDM - Apache Software Foundation - C:\AdventNet\WebNMS\apache\bin\Apache.exe
    O23 - Service: Adaptive Server Anywhere - WebNmsDB (ASANYs_WebNmsDB) - iAnywhere Solutions, Inc. - C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Motorola SDM (SDM Service) - Unknown owner - C:\WINDOWS\JavaService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SupportSoft Sprocket Service (supportsoft_amer_motorola) (sprtsvc_supportsoft_amer_motorola) - SupportSoft, Inc. - C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SupportSoft Repair Service (supportsoft_amer_motorola) (tgsrvc_supportsoft_amer_motorola) - SupportSoft, Inc. - C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
    O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

    --
    End of file - 11322 bytes
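Added example (not part of this thread, and not ComboFix, HijackThis or forum code): a small Python triage script that reads the O4 autostart lines of a HijackThis log and the Run-key section of a ComboFix "Reg Loading Points" report, pairs them up per hive and value name, and flags the pattern the two logs in this thread show for hldrrr.exe: a user-mode .exe started from %SystemRoot%\system32\drivers, no file date/size recorded by ComboFix, and an entry that one tool lists and the other does not. The sample lines are a constructed subset of the logs posted in this thread; the flag rules are my own heuristics, not either tool's verdict.

```python
"""Triage Run-key autostarts from a HijackThis O4 list and a ComboFix
'Reg Loading Points' section. Added example for this thread; it is not code
from ComboFix, HijackThis or the forum, and the flag rules are heuristics."""
import re

# Constructed sample input: a subset of the lines from the two logs posted in
# this thread (HijackThis O4 entries first, ComboFix Run-key section second).
HJT_O4 = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
"""

COMBOFIX_RUN = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 02:56 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-04 05:08 679936]
"SDFix"="C:\SDFix\RunThis.bat /second" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-02-01 18:31 3900776]
"drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [ ]
"""

HJT_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$")
CF_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\\Run\]$", re.I)
CF_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<meta>[^\]]*)\]$')
# First token ending in an executable extension, quoted or not.
IMAGE_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|com|bat|cmd|scr|pif|vbs|dll))(?=["\s]|$)', re.I)
PE_EXT = (".exe", ".dll", ".scr", ".pif", ".com")


def hjt_hive(h):
    """HijackThis abbreviation -> the full hive name ComboFix prints."""
    if h.upper().startswith("HKUS\\"):
        return "HKEY_USERS\\" + h.split("\\", 1)[1]
    return {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}[h.upper()]


def cf_hive(key):
    """'HKEY_USERS\\.DEFAULT\\Software\\...' -> 'HKEY_USERS\\.DEFAULT', else the root."""
    parts = key.split("\\")
    if parts[0].upper() == "HKEY_USERS":
        return "HKEY_USERS\\" + parts[1]
    return parts[0].upper()


def image_path(cmd):
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def parse_hjt(text):
    """{(hive, value name): image path} from O4 lines."""
    entries = {}
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            entries[(hjt_hive(m.group("hive")), m.group("name"))] = image_path(m.group("cmd"))
    return entries


def parse_combofix(text):
    """{(hive, value name): (image path, file metadata)} from a Run section."""
    entries, hive = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = CF_KEY_RE.match(line)
        if k:
            hive = cf_hive(k.group("key"))
            continue
        e = CF_ENTRY_RE.match(line)
        if e and hive:
            entries[(hive, e.group("name"))] = (image_path(e.group("cmd")), e.group("meta").strip())
    return entries


def triage(hjt, cf):
    """Return [(hive, name, path, [reasons])] for ComboFix Run entries worth a look."""
    findings = []
    for (hive, name), (path, meta) in sorted(cf.items()):
        low, reasons = path.lower(), []
        # Run keys start user-mode programs; system32\drivers holds .sys files,
        # so an .exe launched from there is out of place.
        if "\\system32\\drivers\\" in low and not low.endswith(".sys"):
            reasons.append("user-mode executable autostarted from the drivers directory")
        # ComboFix prints '[ ]' when it recorded no date/size for the image. The
        # posted log shows that for a .bat as well, so count it for PE files only.
        if meta == "" and low.endswith(PE_EXT):
            reasons.append("no file date/size recorded by ComboFix (missing, hidden or unreadable)")
        # Same hive and value name missing from the HijackThis O4 list.
        if (hive, name) not in hjt:
            reasons.append("listed by ComboFix but absent from the HijackThis O4 entries")
        if reasons:
            findings.append((hive, name, path, reasons))
    return findings


if __name__ == "__main__":
    for hive, name, path, reasons in triage(parse_hjt(HJT_O4), parse_combofix(COMBOFIX_RUN)):
        print(f"{hive}\\...\\Run\\{name} -> {path}")
        for r in reasons:
            print("   -", r)
```

On the sample above the only entry that trips any rule is drvsyskit under HKEY_USERS\.DEFAULT, and it trips all three; that is the entry ComboFix later reports for hldrrr.exe. The drivers-directory rule is the strongest of the three. The empty-metadata rule is weak on its own (the posted log prints "[ ]" for SDFix's RunThis.bat too), and the cross-tool rule only states that a line is absent from the HijackThis output, not why, so treat them as reasons to look closer rather than verdicts.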

  2. #2
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620


    Hello

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
    1. If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
        -----------------------------------------------------------

      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

      -----------------------------------------------------------
    7. Double click on Combo-Fix.exe & follow the prompts.
    8. When finished, it will produce a report for you.
    9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  3. #3
    Junior Member
    Join Date
    Apr 2008
    Posts
    16


    Thank you for the quick reply. I did as you said, renamed it to Combo-Fix.exe and closed/disabled all antivirus/spyware stuff. Here is the log.


    ComboFix 08-04-27.3 - mgi2890 2008-04-28 17:34:59.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.546 [GMT -4:00]
    Running from: D:\Profiles\MGI2890\Desktop\Combo-Fix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\downld
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\drivers\mdelk.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
    .

    2008-04-28 16:56 . 2008-04-28 16:56 <DIR> d-------- D:\Profiles\All Users\Application Data\Kaspersky Lab
    2008-04-28 16:56 . 2008-04-28 16:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-28 16:56 . 2008-04-28 16:56 <DIR> d-------- C:\WINDOWS\LastGood
    2008-04-28 15:24 . 2008-04-28 15:37 <DIR> d-------- D:\Profiles\All Users\Application Data\Spybot - Search & Destroy
    2008-04-28 15:24 . 2008-04-28 15:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-28 15:23 . 2008-04-28 15:23 9,722,720 --a------ C:\spybotsd152.exe
    2008-04-28 14:09 . 2008-04-28 15:42 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-04-28 01:32 . 2008-04-28 01:32 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-28 01:32 . 2008-04-28 01:32 812,344 --a------ C:\HJTInstall.exe
    2008-04-28 00:50 . 2008-04-28 00:50 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-28 00:45 . 2008-04-27 20:49 <DIR> d-------- C:\SDFix
    2008-04-27 23:32 . 2008-04-27 23:32 650,296 --a------ C:\PREVXCSIFREE(2).EXE
    2008-04-27 23:12 . 2008-04-27 23:17 2,205,157 --a------ C:\IceSword122en.zip
    2008-04-27 23:01 . 2008-04-27 23:01 650,296 --a------ C:\PREVXCSIFREE.EXE
    2008-04-27 22:41 . 2008-04-27 22:41 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-27 22:41 . 2008-04-27 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-27 22:39 . 2008-04-27 22:40 20,597,104 --a------ C:\aaw2007.exe
    2008-04-25 22:05 . 2008-04-25 22:05 93,775 --a------ C:\2333.zip
    2008-04-19 11:27 . 2008-04-19 11:27 <DIR> d-------- C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
    2008-04-19 11:27 . 2008-04-24 12:21 275 --a------ C:\lxcjfire.csv
    2008-04-19 11:27 . 2008-04-24 12:12 275 --a------ C:\lxcjfire.008
    2008-04-19 11:27 . 2008-04-24 12:11 275 --a------ C:\lxcjfire.007
    2008-04-19 11:27 . 2008-04-24 12:07 275 --a------ C:\lxcjfire.006
    2008-04-19 11:27 . 2008-04-24 12:07 275 --a------ C:\lxcjfire.005
    2008-04-19 11:27 . 2008-04-19 11:43 275 --a------ C:\lxcjfire.004
    2008-04-19 11:27 . 2008-04-19 11:41 275 --a------ C:\lxcjfire.003
    2008-04-19 11:27 . 2008-04-19 11:38 275 --a------ C:\lxcjfire.002
    2008-04-19 11:27 . 2008-04-19 11:28 275 --a------ C:\lxcjfire.001
    2008-04-19 11:27 . 2008-04-19 11:27 275 --a------ C:\lxcjfire.000
    2008-04-19 11:22 . 2008-04-24 12:25 <DIR> d-------- C:\Lexmark
    2008-04-17 18:20 . 2008-04-17 18:28 31,232 --a------ C:\proposedamendment(2).doc
    2008-04-17 18:18 . 2008-04-17 18:18 23,552 --a------ C:\Proxy.doc
    2008-04-17 18:18 . 2008-04-17 18:19 6,709 --a------ C:\proposedamendment.doc.part
    2008-04-17 18:18 . 2008-04-17 18:18 0 --a------ C:\proposedamendment.doc
    2008-04-17 18:15 . 2008-04-17 18:15 6,184 --a------ C:\Pheasant
    2008-04-17 15:42 . 2008-04-27 23:07 8,704 --ahs---- C:\WINDOWS\Thumbs.db
    2008-04-15 09:45 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-04-15 09:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-04-15 09:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-04-15 09:45 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-04-08 20:50 . 2008-04-08 20:50 <DIR> d-------- D:\Profiles\All Users\Application Data\Office Genuine Advantage
    2008-03-30 00:10 . 2008-03-30 00:10 732 --a------ C:\about_inc.php
    2008-03-29 23:02 . 2008-03-29 23:02 <DIR> d-------- D:\Profiles\All Users\Application Data\FLEXnet
    2008-03-29 22:01 . 2008-03-29 22:01 <DIR> d-------- D:\Profiles\NetworkService\Application Data\Juniper Networks
    2008-03-29 02:02 . 2008-04-15 20:22 <DIR> d-------- C:\desktop

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-28 20:42 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-04-28 19:18 --------- d-----w C:\Program Files\Elaborate Bytes
    2008-04-28 18:10 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-28 18:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-28 18:09 --------- d-----w C:\Program Files\Common Files\Intuit
    2008-04-28 18:07 --------- d-----w C:\Program Files\Azureus
    2008-04-28 18:05 --------- d-----w D:\Profiles\MGI2890\Application Data\Amazon
    2008-04-28 18:05 --------- d-----w C:\Program Files\Amazon
    2008-04-28 02:41 --------- d-----w D:\Profiles\All Users\Application Data\Lavasoft
    2008-04-23 19:11 --------- d-----w D:\Profiles\MGI2890\Application Data\AdobeUM
    2008-04-08 21:31 --------- d-----w D:\Profiles\MGI2890\Application Data\Vso
    2008-03-28 19:08 --------- d-----w C:\Program Files\SlySoft
    2008-03-27 02:11 --------- d-----w D:\Profiles\sdm.MGI2890-02\Application Data\Juniper Networks
    2008-03-22 01:14 --------- d-----w C:\Program Files\MSECache
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 02:54 --------- d-----w D:\Profiles\MGI2890\Application Data\dvdcss
    2008-03-18 19:46 --------- d-----w C:\Program Files\DVDFab Platinum 4
    2008-03-16 01:43 --------- d-----w C:\Program Files\WS_FTP
    2008-03-15 03:56 --------- d-----w D:\Profiles\MGI2890\Application Data\ZoomBrowser EX
    2008-03-10 17:38 --------- d-----w C:\Program Files\Common Files\Canon
    2008-03-08 02:09 --------- d-----w D:\Profiles\MGI2890\Application Data\Apple Computer
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-04 22:23 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
    2008-02-01 07:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
    2008-01-06 04:07 47,360 ----a-w D:\Profiles\MGI2890\Application Data\pcouffin.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-28_ 0.37.27.60 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-28 04:29:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-28 20:39:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-28 00:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-04-28 04:50:45 5,140,480 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
    + 2008-04-28 04:50:46 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-04-28 00:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-04-28 04:50:43 5,140,480 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
    + 2008-04-28 04:50:43 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    - 2008-04-26 20:41:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-28 19:10:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-04-26 20:41:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-04-28 19:10:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-04-26 20:41:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-28 19:10:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-04-21 04:29:56 1,516,240 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-04-28 19:42:36 1,515,504 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    + 2008-04-28 20:43:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a6c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{749F8452-7D28-4658-A903-9B047E5A2CE8}"= "C:\Program Files\RSA Security\IE Toolbar\RSAToolbar.dll" [2006-06-08 04:20 2420736]

    [HKEY_CLASSES_ROOT\clsid\{749f8452-7d28-4658-a903-9b047e5a2ce8}]
    [HKEY_CLASSES_ROOT\RSAToolbar.RSAToolbarBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{37686C62-D497-42E3-BAAB-78D89A74E151}]
    [HKEY_CLASSES_ROOT\RSAToolbar.RSAToolbarBand]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DBISQL9"="" []
    "SybaseCentral43"="" []
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:39 1289000]
    "URLy Warning"="C:\Program Files\URLy Warning\URLyWarning.exe" [ ]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-06-04 05:08 679936]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 02:56 52896]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-04 05:08 679936]
    "CSCAdvantage"="C:\Program Files\Help Desk\CSCAdv.exe" [2005-06-09 13:41 111403]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:41 860160]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 22:05 344064]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 14:24 290816]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-11-16 15:12 88209 C:\WINDOWS\AGRSMMSG.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38 688218]
    "CSCLogonInfo"="C:\WINDOWS\UsrLogon.exe" [2006-12-12 17:28 127079]
    "SupportSoft_Amer_Motorola"="C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe" [2006-07-12 17:00 192512]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "SDFix"="C:\SDFix\RunThis.bat /second" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-02-01 18:31 3900776]
    "drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"= 0 (0x0)
    "LogonType"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMConfigurePrograms"= 1 (0x1)
    "GreyMSIAds"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "ForceStartMenuLogOff"= 1 (0x1)
    "NoSMBalloonTip"= 1 (0x1)
    "NoAutoTrayNotify"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-1086857\Scripts\Logon\0\0]
    "Script"=w2kenroll.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-980161\Scripts\Logon\0\0]
    "Script"=wireless-qualification.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-980161\Scripts\Logon\1\0]
    "Script"=w2kenroll.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Netmeeting\\conf.exe"= C:\\Program Files\\Netmeeting\\conf.exe
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "113:TCP"= 113:TCP:10.176.1.190/199:enabled:bDNA
    "497:TCP"= 497:TCP:10.0.38.5/10:enabled:bDNA2
    "6000:TCP"= 6000:TCP:exceed
    "135:TCP"= 135:TCP:10.160.5.8:enabled:foundscan
    "137:TCP"= 137:TCP:10.197.24.2:enabled:foundscan2
    "138:TCP"= 138:TCP:10.0.125.17:enabled:foundscan3
    "139:TCP"= 139:TCP:10.0.125.20:enabled:foundscan4
    "1503:TCP"= 1503:TCP:10.0.125.21:enabled:foundscan5
    "1720:TCP"= 1720:TCP:10.1.250.11:enabled:foundscan6
    "1761:TCP"= 1761:TCP:10.64.2.96:enabled:foundscan7
    "2701:TCP"= 2701:TCP:10.128.132.49:enabled:iss1
    "2702:TCP"= 2702:TCP:10.128.132.49:enabled:iss2
    "43189:TCP"= 43189:TCP:10.160.9.87:enabled:iss3
    "4445:TCP"= 4445:TCP:10.0.125.19:enabled:iss4
    "6401:TCP"= 6401:TCP:192.168.30.7:enabled:iss5
    "1023:UDP"= 1023:UDP:144.190.1.100:enabled:iss6
    "445:TCP"= 445:TCP:10.0.125.15:enabled:nmap
    "123:UDP"= 123:UDP:129.188.57.239:enabled:scanner1
    "137:UDP"= 137:UDP:129.188.147.55:enabled:scanner2
    "138:UDP"= 138:UDP:192.168.3.1:enabled:scanner3
    "2233:UDP"= 2233:UDP:129.188.33.18:enabled:scanner4
    "371:UDP"= 371:UDP:10.0.125.13:enabled:scanner5
    "407:UDP"= 407:UDP:10.0.125.28:enabled:scanner6
    "497:UDP"= 497:UDP:10.193.21.54:enabled:scanner7
    "500:UDP"= 500:UDP:10.0.125.11:enabled:scanner8
    "600:UDP"= 600:UDP:10.79.40.64:enabled:scanner9
    "601:UDP"= 601:UDP:10.79.40.64:enabled:scanner10
    "602:UDP"= 602:UDP:10.79.40.64:enabled:scanner11
    "603:UDP"= 603:UDP:10.79.40.64:enabled:scanner12
    "604:UDP"= 604:UDP:10.79.40.64:enabled:scanner13
    "605:UDP"= 605:UDP:10.79.40.64:enabled:scanner14
    "606:UDP"= 606:UDP:10.79.40.64:enabled:scanner15
    "607:UDP"= 607:UDP:10.79.40.64:enabled:scanner16
    "608:UDP"= 608:UDP:10.79.40.64:enabled:scanner17
    "609:UDP"= 609:UDP:10.79.40.64:enabled:scanner18
    "610:UDP"= 610:UDP:10.79.40.64:enabled:scanner19
    "62514:UDP"= 62514:UDP:10.79.40.72,10.82.51.100,10.228.96.22/24,10.228.96.26,10.16.225.208,10.17.193.181,10.17.193.182:enabled:scanner20
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
    "Enabled"= 1 (0x1)

    R0 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2004-07-29 14:34]
    R1 WrqDft;WrqDft;C:\WINDOWS\system32\drivers\WrqDft.sys [2002-07-29 09:50]
    R1 WrqSDL;WrqSDL;C:\WINDOWS\system32\drivers\WrqSDL.sys [2002-07-29 09:50]
    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
    R2 sprtsvc_supportsoft_amer_motorola;SupportSoft Sprocket Service (supportsoft_amer_motorola);C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe [2006-07-12 17:01]
    R2 tgsrvc_supportsoft_amer_motorola;SupportSoft Repair Service (supportsoft_amer_motorola);C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe [2006-07-12 17:01]
    R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-10-03 13:48]
    R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 12:46]
    R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\isskboep.sys [2007-06-15 19:56]
    R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-10-29 13:44]
    S0 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-06-15 19:56]
    S2 ApacheForSDM;ApacheForSDM;"C:\AdventNet\WebNMS\apache\bin\Apache.exe" -k runservice []
    S2 VPatch;ISS Buffer Overflow Exploit Prevention;"C:\Program Files\ISS\Proventia Desktop\vpatch.exe" [2007-10-29 13:44]
    S3 ASANYs_WebNmsDB;Adaptive Server Anywhere - WebNmsDB;C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe [2005-02-25 11:27]
    S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
    S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
    S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-06-19 22:40]
    S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-06-19 22:40]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{547d3cce-1543-11dd-b3e4-0015001d2d0c}]
    \Shell\AutoRun\command - F:\Launch.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-MOT-2K3}]
    C:\WINDOWS\2k3_USR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFC1927-A731-4c34-829B-47EE05ADD199}]
    "C:\WINDOWS\regedit.exe" /s "C:\WINDOWS\mot-wmp9.reg"

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C10BF3A1-3FEC-4a94-AAAF-9D6A4B522F63}]
    "C:\Program Files\WinZip\wzusr90.exe" /NOICON /NOTRAY
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-28 20:41:41 C:\WINDOWS\Tasks\CheckNetwork.job"
    - C:\Program Files\Motorola\WirelessControl\NetStatus.vbs
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-28 17:39:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-28 17:44:32
    ComboFix-quarantined-files.txt 2008-04-28 21:44:23
    ComboFix2.txt 2008-04-28 05:56:25
    ComboFix3.txt 2008-04-28 05:49:19
    ComboFix4.txt 2008-04-28 04:38:41

    Pre-Run: 7,954,817,024 bytes free
    Post-Run: 7,915,376,640 bytes free

    268

  4. #4
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Hello

    Go to this site:
    http://www.virustotal.com/
    On top you'll find 'Browse'
    Click the browse button and browse to the file:

    C:\WINDOWS\system32\drivers\WrqDft.sys

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    And scan this file

    C:\WINDOWS\2k3_USR.EXE



Do you recognise this zip file?

    C:\2333.zip



    1. Close any open browsers.

    2. Open notepad and copy/paste the text in the quotebox below into it:

    DirLook::
    C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}

    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [ ]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{547d3cce-1543-11dd-b3e4-0015001d2d0c}]

    Driver::
    Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  5. #5
    Junior Member
    Join Date
    Apr 2008
    Posts
    16

    Default

Sorry, but I am unable to browse to the system32/drivers directory. The only way I can access it is by typing C:\Windows\system32\drivers

I tried to change the folder options to view all protected Windows files, but I still can't access it since I received this worm.

  6. #6
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

OK, go on and do the rest of the steps.

  7. #7
    Junior Member
    Join Date
    Apr 2008
    Posts
    16

    Default

OK, I typed in the name in the browse window and I was able to run a virus scan on those 2 files. 0/32 for WrqDft.sys (I think this belongs to my WRQ Reflections program).

The second one (2k3_USR.exe) is a custom file from my IT department for Microsoft Office.

    2333.zip is a forum software file zipped up.

I ran Combo-Fix.exe again with the .txt file and here are the results.

    ComboFix 08-04-27.3 - mgi2890 2008-04-28 19:42:21.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.535 [GMT -4:00]
    Running from: D:\Profiles\MGI2890\Desktop\Combo-Fix.exe
    Command switches used :: D:\Profiles\MGI2890\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\downld
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\drivers\mdelk.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
    .

    2008-04-28 16:56 . 2008-04-28 16:56 <DIR> d-------- D:\Profiles\All Users\Application Data\Kaspersky Lab
    2008-04-28 16:56 . 2008-04-28 16:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-28 15:24 . 2008-04-28 15:37 <DIR> d-------- D:\Profiles\All Users\Application Data\Spybot - Search & Destroy
    2008-04-28 15:24 . 2008-04-28 15:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-28 15:23 . 2008-04-28 15:23 9,722,720 --a------ C:\spybotsd152.exe
    2008-04-28 14:09 . 2008-04-28 15:42 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-04-28 01:32 . 2008-04-28 01:32 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-28 01:32 . 2008-04-28 01:32 812,344 --a------ C:\HJTInstall.exe
    2008-04-28 00:50 . 2008-04-28 00:50 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-28 00:45 . 2008-04-27 20:49 <DIR> d-------- C:\SDFix
    2008-04-27 23:32 . 2008-04-27 23:32 650,296 --a------ C:\PREVXCSIFREE(2).EXE
    2008-04-27 23:12 . 2008-04-27 23:17 2,205,157 --a------ C:\IceSword122en.zip
    2008-04-27 23:01 . 2008-04-27 23:01 650,296 --a------ C:\PREVXCSIFREE.EXE
    2008-04-27 22:41 . 2008-04-27 22:41 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-27 22:41 . 2008-04-27 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-27 22:39 . 2008-04-27 22:40 20,597,104 --a------ C:\aaw2007.exe
    2008-04-25 22:05 . 2008-04-25 22:05 93,775 --a------ C:\2333.zip
    2008-04-19 11:27 . 2008-04-19 11:27 <DIR> d-------- C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
    2008-04-19 11:27 . 2008-04-24 12:21 275 --a------ C:\lxcjfire.csv
    2008-04-19 11:27 . 2008-04-24 12:12 275 --a------ C:\lxcjfire.008
    2008-04-19 11:27 . 2008-04-24 12:11 275 --a------ C:\lxcjfire.007
    2008-04-19 11:27 . 2008-04-24 12:07 275 --a------ C:\lxcjfire.006
    2008-04-19 11:27 . 2008-04-24 12:07 275 --a------ C:\lxcjfire.005
    2008-04-19 11:27 . 2008-04-19 11:43 275 --a------ C:\lxcjfire.004
    2008-04-19 11:27 . 2008-04-19 11:41 275 --a------ C:\lxcjfire.003
    2008-04-19 11:27 . 2008-04-19 11:38 275 --a------ C:\lxcjfire.002
    2008-04-19 11:27 . 2008-04-19 11:28 275 --a------ C:\lxcjfire.001
    2008-04-19 11:27 . 2008-04-19 11:27 275 --a------ C:\lxcjfire.000
    2008-04-19 11:22 . 2008-04-24 12:25 <DIR> d-------- C:\Lexmark
    2008-04-17 18:20 . 2008-04-17 18:28 31,232 --a------ C:\proposedamendment(2).doc
    2008-04-17 18:18 . 2008-04-17 18:18 23,552 --a------ C:\Proxy.doc
    2008-04-17 18:18 . 2008-04-17 18:19 6,709 --a------ C:\proposedamendment.doc.part
    2008-04-17 18:18 . 2008-04-17 18:18 0 --a------ C:\proposedamendment.doc
    2008-04-17 18:15 . 2008-04-17 18:15 6,184 --a------ C:\Pheasant
    2008-04-17 15:42 . 2008-04-27 23:07 8,704 --ahs---- C:\WINDOWS\Thumbs.db
    2008-04-15 09:45 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-04-15 09:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-04-15 09:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-04-15 09:45 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-04-08 20:50 . 2008-04-08 20:50 <DIR> d-------- D:\Profiles\All Users\Application Data\Office Genuine Advantage
    2008-03-30 00:10 . 2008-03-30 00:10 732 --a------ C:\about_inc.php
    2008-03-29 23:02 . 2008-03-29 23:02 <DIR> d-------- D:\Profiles\All Users\Application Data\FLEXnet
    2008-03-29 22:01 . 2008-03-29 22:01 <DIR> d-------- D:\Profiles\NetworkService\Application Data\Juniper Networks
    2008-03-29 02:02 . 2008-04-15 20:22 <DIR> d-------- C:\desktop

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-28 23:40 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-04-28 19:18 --------- d-----w C:\Program Files\Elaborate Bytes
    2008-04-28 18:10 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-28 18:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-28 18:09 --------- d-----w C:\Program Files\Common Files\Intuit
    2008-04-28 18:07 --------- d-----w C:\Program Files\Azureus
    2008-04-28 18:05 --------- d-----w D:\Profiles\MGI2890\Application Data\Amazon
    2008-04-28 18:05 --------- d-----w C:\Program Files\Amazon
    2008-04-28 02:41 --------- d-----w D:\Profiles\All Users\Application Data\Lavasoft
    2008-04-23 19:11 --------- d-----w D:\Profiles\MGI2890\Application Data\AdobeUM
    2008-04-08 21:31 --------- d-----w D:\Profiles\MGI2890\Application Data\Vso
    2008-03-28 19:08 --------- d-----w C:\Program Files\SlySoft
    2008-03-27 02:11 --------- d-----w D:\Profiles\sdm.MGI2890-02\Application Data\Juniper Networks
    2008-03-22 01:14 --------- d-----w C:\Program Files\MSECache
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 02:54 --------- d-----w D:\Profiles\MGI2890\Application Data\dvdcss
    2008-03-18 19:46 --------- d-----w C:\Program Files\DVDFab Platinum 4
    2008-03-16 01:43 --------- d-----w C:\Program Files\WS_FTP
    2008-03-15 03:56 --------- d-----w D:\Profiles\MGI2890\Application Data\ZoomBrowser EX
    2008-03-10 17:38 --------- d-----w C:\Program Files\Common Files\Canon
    2008-03-08 02:09 --------- d-----w D:\Profiles\MGI2890\Application Data\Apple Computer
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-04 22:23 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
    2008-02-01 07:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
    2008-01-06 04:07 47,360 ----a-w D:\Profiles\MGI2890\Application Data\pcouffin.sys
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15} ----

    2006-05-11 09:11 170 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\APPINST.ISF
    2006-05-11 09:01 1488037 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJHELP.HLP
    2006-05-02 23:56 131072 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJJSWR.DLL
    2006-05-02 23:56 106496 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJINSR.DLL
    2006-05-02 23:55 196608 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJINSB.DLL
    2006-05-02 23:55 155648 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJINS.DLL
    2006-05-02 23:54 434176 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJUTIL.DLL
    2005-07-26 11:09 217088 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJINST.EXE
    2005-07-26 11:09 184320 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJUNST.EXE
    2005-07-26 11:08 131072 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJFIRE.EXE
    2005-07-21 14:47 195 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\BEUNST.ISF
    2005-06-24 09:47 983092 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJGF.DLL
    2005-06-10 08:12 2184 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJPROD.INI
    2005-06-01 12:53 69632 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJCFG.DLL
    2003-10-15 13:15 5598 --a------ C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}\lxcj\LXCJEULA.TXT


    ((((((((((((((((((((((((((((( snapshot@2008-04-28_ 0.37.27.60 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-28 04:29:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-28 23:20:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-28 00:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-04-28 04:50:45 5,140,480 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
    + 2008-04-28 04:50:46 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-04-28 00:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-04-28 04:50:43 5,140,480 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
    + 2008-04-28 04:50:43 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    - 2008-04-26 20:41:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-28 19:10:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-04-26 20:41:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-04-28 19:10:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-04-26 20:41:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-28 19:10:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-04-21 04:29:56 1,516,240 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-04-28 19:42:36 1,515,504 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    + 2008-04-28 23:24:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_f5c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{749F8452-7D28-4658-A903-9B047E5A2CE8}"= "C:\Program Files\RSA Security\IE Toolbar\RSAToolbar.dll" [2006-06-08 04:20 2420736]

    [HKEY_CLASSES_ROOT\clsid\{749f8452-7d28-4658-a903-9b047e5a2ce8}]
    [HKEY_CLASSES_ROOT\RSAToolbar.RSAToolbarBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{37686C62-D497-42E3-BAAB-78D89A74E151}]
    [HKEY_CLASSES_ROOT\RSAToolbar.RSAToolbarBand]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DBISQL9"="" []
    "SybaseCentral43"="" []
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:39 1289000]
    "URLy Warning"="C:\Program Files\URLy Warning\URLyWarning.exe" [ ]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-06-04 05:08 679936]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 02:56 52896]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-04 05:08 679936]
    "CSCAdvantage"="C:\Program Files\Help Desk\CSCAdv.exe" [2005-06-09 13:41 111403]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:41 860160]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 22:05 344064]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 14:24 290816]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-11-16 15:12 88209 C:\WINDOWS\AGRSMMSG.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38 688218]
    "CSCLogonInfo"="C:\WINDOWS\UsrLogon.exe" [2006-12-12 17:28 127079]
    "SupportSoft_Amer_Motorola"="C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe" [2006-07-12 17:00 192512]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "SDFix"="C:\SDFix\RunThis.bat /second" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-02-01 18:31 3900776]
    "drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"= 0 (0x0)
    "LogonType"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMConfigurePrograms"= 1 (0x1)
    "GreyMSIAds"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "ForceStartMenuLogOff"= 1 (0x1)
    "NoSMBalloonTip"= 1 (0x1)
    "NoAutoTrayNotify"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-1086857\Scripts\Logon\0\0]
    "Script"=w2kenroll.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-980161\Scripts\Logon\0\0]
    "Script"=wireless-qualification.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-980161\Scripts\Logon\1\0]
    "Script"=w2kenroll.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Netmeeting\\conf.exe"= C:\\Program Files\\Netmeeting\\conf.exe
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "113:TCP"= 113:TCP:10.176.1.190/199:enabled:bDNA
    "497:TCP"= 497:TCP:10.0.38.5/10:enabled:bDNA2
    "6000:TCP"= 6000:TCP:exceed
    "135:TCP"= 135:TCP:10.160.5.8:enabled:foundscan
    "137:TCP"= 137:TCP:10.197.24.2:enabled:foundscan2
    "138:TCP"= 138:TCP:10.0.125.17:enabled:foundscan3
    "139:TCP"= 139:TCP:10.0.125.20:enabled:foundscan4
    "1503:TCP"= 1503:TCP:10.0.125.21:enabled:foundscan5
    "1720:TCP"= 1720:TCP:10.1.250.11:enabled:foundscan6
    "1761:TCP"= 1761:TCP:10.64.2.96:enabled:foundscan7
    "2701:TCP"= 2701:TCP:10.128.132.49:enabled:iss1
    "2702:TCP"= 2702:TCP:10.128.132.49:enabled:iss2
    "43189:TCP"= 43189:TCP:10.160.9.87:enabled:iss3
    "4445:TCP"= 4445:TCP:10.0.125.19:enabled:iss4
    "6401:TCP"= 6401:TCP:192.168.30.7:enabled:iss5
    "1023:UDP"= 1023:UDP:144.190.1.100:enabled:iss6
    "445:TCP"= 445:TCP:10.0.125.15:enabled:nmap
    "123:UDP"= 123:UDP:129.188.57.239:enabled:scanner1
    "137:UDP"= 137:UDP:129.188.147.55:enabled:scanner2
    "138:UDP"= 138:UDP:192.168.3.1:enabled:scanner3
    "2233:UDP"= 2233:UDP:129.188.33.18:enabled:scanner4
    "371:UDP"= 371:UDP:10.0.125.13:enabled:scanner5
    "407:UDP"= 407:UDP:10.0.125.28:enabled:scanner6
    "497:UDP"= 497:UDP:10.193.21.54:enabled:scanner7
    "500:UDP"= 500:UDP:10.0.125.11:enabled:scanner8
    "600:UDP"= 600:UDP:10.79.40.64:enabled:scanner9
    "601:UDP"= 601:UDP:10.79.40.64:enabled:scanner10
    "602:UDP"= 602:UDP:10.79.40.64:enabled:scanner11
    "603:UDP"= 603:UDP:10.79.40.64:enabled:scanner12
    "604:UDP"= 604:UDP:10.79.40.64:enabled:scanner13
    "605:UDP"= 605:UDP:10.79.40.64:enabled:scanner14
    "606:UDP"= 606:UDP:10.79.40.64:enabled:scanner15
    "607:UDP"= 607:UDP:10.79.40.64:enabled:scanner16
    "608:UDP"= 608:UDP:10.79.40.64:enabled:scanner17
    "609:UDP"= 609:UDP:10.79.40.64:enabled:scanner18
    "610:UDP"= 610:UDP:10.79.40.64:enabled:scanner19
    "62514:UDP"= 62514:UDP:10.79.40.72,10.82.51.100,10.228.96.22/24,10.228.96.26,10.16.225.208,10.17.193.181,10.17.193.182:enabled:scanner20
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
    "Enabled"= 1 (0x1)

    R0 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2004-07-29 14:34]
    R1 WrqDft;WrqDft;C:\WINDOWS\system32\drivers\WrqDft.sys [2002-07-29 09:50]
    R1 WrqSDL;WrqSDL;C:\WINDOWS\system32\drivers\WrqSDL.sys [2002-07-29 09:50]
    R2 ApacheForSDM;ApacheForSDM;"C:\AdventNet\WebNMS\apache\bin\Apache.exe" -k runservice []
    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
    R2 sprtsvc_supportsoft_amer_motorola;SupportSoft Sprocket Service (supportsoft_amer_motorola);C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe [2006-07-12 17:01]
    R2 tgsrvc_supportsoft_amer_motorola;SupportSoft Repair Service (supportsoft_amer_motorola);C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe [2006-07-12 17:01]
    R2 VPatch;ISS Buffer Overflow Exploit Prevention;"C:\Program Files\ISS\Proventia Desktop\vpatch.exe" [2007-10-29 13:44]
    R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-10-03 13:48]
    R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 12:46]
    R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\isskboep.sys [2007-06-15 19:56]
    R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-10-29 13:44]
    S0 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-06-15 19:56]
    S3 ASANYs_WebNmsDB;Adaptive Server Anywhere - WebNmsDB;C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe [2005-02-25 11:27]
    S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
    S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
    S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-06-19 22:40]
    S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-06-19 22:40]


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-MOT-2K3}]
    C:\WINDOWS\2k3_USR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFC1927-A731-4c34-829B-47EE05ADD199}]
    "C:\WINDOWS\regedit.exe" /s "C:\WINDOWS\mot-wmp9.reg"

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C10BF3A1-3FEC-4a94-AAAF-9D6A4B522F63}]
    "C:\Program Files\WinZip\wzusr90.exe" /NOICON /NOTRAY
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-28 23:22:57 C:\WINDOWS\Tasks\CheckNetwork.job"
    - C:\Program Files\Motorola\WirelessControl\NetStatus.vbs
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-28 19:44:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-28 19:48:10
    ComboFix-quarantined-files.txt 2008-04-28 23:48:03
    ComboFix2.txt 2008-04-28 21:44:35
    ComboFix3.txt 2008-04-28 05:56:25
    ComboFix4.txt 2008-04-28 05:49:19
    ComboFix5.txt 2008-04-28 04:38:41

    Pre-Run: 7,890,870,272 bytes free
    Post-Run: 7,872,749,568 bytes free

    285

  8. #8
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620

    Default

    Hello

    1. Close any open browsers.

    2. Open notepad and copy/paste the text in the quotebox below into it:

    File::

    Folder::

    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "drvsyskit"=-

    Driver::
    Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





    Reboot and do this


Download NIAP to your desktop and unzip it to its own folder.

    Close all windows and run NIAP_XRay_FileMgr
• Click the Log tab at the top and click Create System log. Check the boxes beside Autorun.inf file and System Critical Files and click OK. Save the log to your desktop and let the program run.
    • Exit out of NIAP_XRay_FileMgr



    Next run NIAP_XRay_Regedit
    • Click the Log tab then click on Get log. Once it is finished scanning, click Save and call the log NiapReg, then save it to your desktop
    • Exit out of NIAP_XRay_Regedit



    Finally run NIAP_XRay_System
    • Click the Log tab and click Create log. Check all the boxes and click Log, save it to your desktop. Let the program run.
    • Once it is done close the program and post the log back here along with the other two logs.
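As an added example (not the helper's own code and not part of ComboFix), here is a small Python triage script for the "Reg Loading Points" layout that ComboFix prints in the logs above. It parses the `[KEY]` headers and the `"name"="target" [date size]` lines under them, flags entries that match what the helper acted on in this thread (an .exe loaded from system32\drivers, an entry ComboFix printed with empty `[ ]` metadata, a mountpoints2 AutoRun handler), and emits the removal directives in the CFScript `Registry::` syntax used in posts #4 and #8 (`"name"=-` deletes a value, `[-KEY]` deletes a key). The log excerpt is constructed from entries quoted in the thread, and the flagging heuristics are this example's own assumptions, not ComboFix verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section,
# modelled on entries quoted in this thread; it is test input, not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-06-04 05:08 679936]
"URLy Warning"="C:\Program Files\URLy Warning\URLyWarning.exe" [ ]
"DBISQL9"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-02-01 18:31 3900776]
"drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{547d3cce-1543-11dd-b3e4-0015001d2d0c}]
\Shell\AutoRun\command - F:\Launch.exe
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<target>.+)$')

# Reasons strong enough to act on in a CFScript; the rest are notes for a human.
# These heuristics are this example's assumptions, chosen to match what the
# helper removed in the thread; they are not ComboFix's own classification.
STRONG = {"exe-in-drivers-dir", "volume-autorun"}


@dataclass
class Entry:
    key: str
    name: str
    target: str
    meta: Optional[str]                 # text inside [...]; None for AutoRun lines
    reasons: List[str] = field(default_factory=list)

    @property
    def strong(self) -> bool:
        return any(r in STRONG for r in self.reasons)


def parse_loading_points(text: str) -> List[Entry]:
    """Turn [KEY] headers and the value lines under them into Entry objects."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m.group("key")
        elif key and (m := VALUE_RE.match(line)):
            entries.append(Entry(key, m.group("name"), m.group("target"), m.group("meta").strip()))
        elif key and (m := AUTORUN_RE.match(line)):
            entries.append(Entry(key, "AutoRun", m.group("target").strip(), None))
    return entries


def assess(e: Entry) -> Entry:
    """Attach reasons to an entry; an empty list means nothing stood out."""
    key, target = e.key.lower(), e.target.lower()
    if target.endswith(".exe") and "\\system32\\drivers\\" in target:
        e.reasons.append("exe-in-drivers-dir")      # only .sys files belong there
    if e.meta == "" and e.target:
        e.reasons.append("no-file-metadata")        # ComboFix printed "[ ]": no date/size
    if "\\.default\\" in key and key.endswith("\\run"):
        e.reasons.append("default-hive-run")        # Run entry of the .DEFAULT profile
    if "mountpoints2" in key and e.name == "AutoRun":
        e.reasons.append("volume-autorun")          # AutoRun handler tied to a volume
    return e


def triage(text: str) -> List[Entry]:
    """Parse, assess, and return only entries with at least one reason, strong first."""
    flagged = [e for e in (assess(x) for x in parse_loading_points(text)) if e.reasons]
    return sorted(flagged, key=lambda e: (not e.strong, e.key, e.name))


def cfscript_registry_section(entries: List[Entry]) -> str:
    """Emit a Registry:: section in the syntax used in the thread:
    '"name"=-' deletes a value, '[-KEY]' deletes a whole key."""
    lines, by_key = ["Registry::"], {}
    for e in entries:
        if not e.strong:
            continue
        if e.name == "AutoRun":
            lines.append(f"[-{e.key}]")
        else:
            by_key.setdefault(e.key, []).append(f'"{e.name}"=-')
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(values)
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(("STRONG " if e.strong else "note   ") + f"{e.name!r} -> {e.target}  {e.reasons}")
    print()
    print(cfscript_registry_section(flagged))
```

Only the two strong findings end up in the generated script; the notes (an entry with no date/size, a Run value in the .DEFAULT hive) are left for a person to verify, as the helper did with WrqDft.sys and 2k3_USR.EXE.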

  9. #9
    Junior Member
    Join Date
    Apr 2008
    Posts
    16

    Default

Here is the ComboFix log... rebooting now...



    ComboFix 08-04-27.3 - mgi2890 2008-04-28 20:02:36.7 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.527 [GMT -4:00]
    Running from: D:\Profiles\MGI2890\Desktop\Combo-Fix.exe
    Command switches used :: D:\Profiles\MGI2890\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
    .

    2008-04-28 16:56 . 2008-04-28 16:56 <DIR> d-------- D:\Profiles\All Users\Application Data\Kaspersky Lab
    2008-04-28 16:56 . 2008-04-28 16:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-28 15:24 . 2008-04-28 15:37 <DIR> d-------- D:\Profiles\All Users\Application Data\Spybot - Search & Destroy
    2008-04-28 15:24 . 2008-04-28 15:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-28 15:23 . 2008-04-28 15:23 9,722,720 --a------ C:\spybotsd152.exe
    2008-04-28 14:09 . 2008-04-28 15:42 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-04-28 01:32 . 2008-04-28 01:32 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-28 01:32 . 2008-04-28 01:32 812,344 --a------ C:\HJTInstall.exe
    2008-04-28 00:50 . 2008-04-28 00:50 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-04-28 00:45 . 2008-04-27 20:49 <DIR> d-------- C:\SDFix
    2008-04-27 23:32 . 2008-04-27 23:32 650,296 --a------ C:\PREVXCSIFREE(2).EXE
    2008-04-27 23:12 . 2008-04-27 23:17 2,205,157 --a------ C:\IceSword122en.zip
    2008-04-27 23:01 . 2008-04-27 23:01 650,296 --a------ C:\PREVXCSIFREE.EXE
    2008-04-27 22:41 . 2008-04-27 22:41 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-27 22:41 . 2008-04-27 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-27 22:39 . 2008-04-27 22:40 20,597,104 --a------ C:\aaw2007.exe
    2008-04-25 22:05 . 2008-04-25 22:05 93,775 --a------ C:\2333.zip
    2008-04-19 11:27 . 2008-04-19 11:27 <DIR> d-------- C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
    2008-04-19 11:27 . 2008-04-24 12:21 275 --a------ C:\lxcjfire.csv
    2008-04-19 11:27 . 2008-04-24 12:12 275 --a------ C:\lxcjfire.008
    2008-04-19 11:27 . 2008-04-24 12:11 275 --a------ C:\lxcjfire.007
    2008-04-19 11:27 . 2008-04-24 12:07 275 --a------ C:\lxcjfire.006
    2008-04-19 11:27 . 2008-04-24 12:07 275 --a------ C:\lxcjfire.005
    2008-04-19 11:27 . 2008-04-19 11:43 275 --a------ C:\lxcjfire.004
    2008-04-19 11:27 . 2008-04-19 11:41 275 --a------ C:\lxcjfire.003
    2008-04-19 11:27 . 2008-04-19 11:38 275 --a------ C:\lxcjfire.002
    2008-04-19 11:27 . 2008-04-19 11:28 275 --a------ C:\lxcjfire.001
    2008-04-19 11:27 . 2008-04-19 11:27 275 --a------ C:\lxcjfire.000
    2008-04-19 11:22 . 2008-04-24 12:25 <DIR> d-------- C:\Lexmark
    2008-04-17 18:20 . 2008-04-17 18:28 31,232 --a------ C:\proposedamendment(2).doc
    2008-04-17 18:18 . 2008-04-17 18:18 23,552 --a------ C:\Proxy.doc
    2008-04-17 18:18 . 2008-04-17 18:19 6,709 --a------ C:\proposedamendment.doc.part
    2008-04-17 18:18 . 2008-04-17 18:18 0 --a------ C:\proposedamendment.doc
    2008-04-17 18:15 . 2008-04-17 18:15 6,184 --a------ C:\Pheasant
    2008-04-17 15:42 . 2008-04-27 23:07 8,704 --ahs---- C:\WINDOWS\Thumbs.db
    2008-04-15 09:45 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-04-15 09:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-04-15 09:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-04-15 09:45 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-04-08 20:50 . 2008-04-08 20:50 <DIR> d-------- D:\Profiles\All Users\Application Data\Office Genuine Advantage
    2008-03-30 00:10 . 2008-03-30 00:10 732 --a------ C:\about_inc.php
    2008-03-29 23:02 . 2008-03-29 23:02 <DIR> d-------- D:\Profiles\All Users\Application Data\FLEXnet
    2008-03-29 22:01 . 2008-03-29 22:01 <DIR> d-------- D:\Profiles\NetworkService\Application Data\Juniper Networks
    2008-03-29 02:02 . 2008-04-15 20:22 <DIR> d-------- C:\desktop

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-28 23:40 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-04-28 19:18 --------- d-----w C:\Program Files\Elaborate Bytes
    2008-04-28 18:10 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-28 18:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-28 18:09 --------- d-----w C:\Program Files\Common Files\Intuit
    2008-04-28 18:07 --------- d-----w C:\Program Files\Azureus
    2008-04-28 18:05 --------- d-----w D:\Profiles\MGI2890\Application Data\Amazon
    2008-04-28 18:05 --------- d-----w C:\Program Files\Amazon
    2008-04-28 02:41 --------- d-----w D:\Profiles\All Users\Application Data\Lavasoft
    2008-04-23 19:11 --------- d-----w D:\Profiles\MGI2890\Application Data\AdobeUM
    2008-04-08 21:31 --------- d-----w D:\Profiles\MGI2890\Application Data\Vso
    2008-03-28 19:08 --------- d-----w C:\Program Files\SlySoft
    2008-03-27 02:11 --------- d-----w D:\Profiles\sdm.MGI2890-02\Application Data\Juniper Networks
    2008-03-22 01:14 --------- d-----w C:\Program Files\MSECache
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 02:54 --------- d-----w D:\Profiles\MGI2890\Application Data\dvdcss
    2008-03-18 19:46 --------- d-----w C:\Program Files\DVDFab Platinum 4
    2008-03-16 01:43 --------- d-----w C:\Program Files\WS_FTP
    2008-03-15 03:56 --------- d-----w D:\Profiles\MGI2890\Application Data\ZoomBrowser EX
    2008-03-10 17:38 --------- d-----w C:\Program Files\Common Files\Canon
    2008-03-08 02:09 --------- d-----w D:\Profiles\MGI2890\Application Data\Apple Computer
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-04 22:23 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
    2008-02-01 07:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
    2008-01-06 04:07 47,360 ----a-w D:\Profiles\MGI2890\Application Data\pcouffin.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-28_ 0.37.27.60 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-28 04:29:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-28 23:20:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-28 00:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-04-28 04:50:45 5,140,480 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
    + 2008-04-28 04:50:46 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-04-28 00:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-04-28 04:50:43 5,140,480 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
    + 2008-04-28 04:50:43 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    - 2008-04-26 20:41:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-28 19:10:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-04-26 20:41:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-04-28 19:10:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-04-26 20:41:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-28 19:10:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-04-21 04:29:56 1,516,240 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-04-28 19:42:36 1,515,504 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    + 2008-04-28 23:24:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_f5c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{749F8452-7D28-4658-A903-9B047E5A2CE8}"= "C:\Program Files\RSA Security\IE Toolbar\RSAToolbar.dll" [2006-06-08 04:20 2420736]

    [HKEY_CLASSES_ROOT\clsid\{749f8452-7d28-4658-a903-9b047e5a2ce8}]
    [HKEY_CLASSES_ROOT\RSAToolbar.RSAToolbarBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{37686C62-D497-42E3-BAAB-78D89A74E151}]
    [HKEY_CLASSES_ROOT\RSAToolbar.RSAToolbarBand]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DBISQL9"="" []
    "SybaseCentral43"="" []
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:39 1289000]
    "URLy Warning"="C:\Program Files\URLy Warning\URLyWarning.exe" [ ]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-06-04 05:08 679936]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 02:56 52896]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-04 05:08 679936]
    "CSCAdvantage"="C:\Program Files\Help Desk\CSCAdv.exe" [2005-06-09 13:41 111403]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:41 860160]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 22:05 344064]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 14:24 290816]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-11-16 15:12 88209 C:\WINDOWS\AGRSMMSG.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38 688218]
    "CSCLogonInfo"="C:\WINDOWS\UsrLogon.exe" [2006-12-12 17:28 127079]
    "SupportSoft_Amer_Motorola"="C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe" [2006-07-12 17:00 192512]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "SDFix"="C:\SDFix\RunThis.bat /second" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-02-01 18:31 3900776]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"= 0 (0x0)
    "LogonType"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMConfigurePrograms"= 1 (0x1)
    "GreyMSIAds"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "ForceStartMenuLogOff"= 1 (0x1)
    "NoSMBalloonTip"= 1 (0x1)
    "NoAutoTrayNotify"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-1086857\Scripts\Logon\0\0]
    "Script"=w2kenroll.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-980161\Scripts\Logon\0\0]
    "Script"=wireless-qualification.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-980161\Scripts\Logon\1\0]
    "Script"=w2kenroll.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Netmeeting\\conf.exe"= C:\\Program Files\\Netmeeting\\conf.exe
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "113:TCP"= 113:TCP:10.176.1.190/199:enabled:bDNA
    "497:TCP"= 497:TCP:10.0.38.5/10:enabled:bDNA2
    "6000:TCP"= 6000:TCP:exceed
    "135:TCP"= 135:TCP:10.160.5.8:enabled:foundscan
    "137:TCP"= 137:TCP:10.197.24.2:enabled:foundscan2
    "138:TCP"= 138:TCP:10.0.125.17:enabled:foundscan3
    "139:TCP"= 139:TCP:10.0.125.20:enabled:foundscan4
    "1503:TCP"= 1503:TCP:10.0.125.21:enabled:foundscan5
    "1720:TCP"= 1720:TCP:10.1.250.11:enabled:foundscan6
    "1761:TCP"= 1761:TCP:10.64.2.96:enabled:foundscan7
    "2701:TCP"= 2701:TCP:10.128.132.49:enabled:iss1
    "2702:TCP"= 2702:TCP:10.128.132.49:enabled:iss2
    "43189:TCP"= 43189:TCP:10.160.9.87:enabled:iss3
    "4445:TCP"= 4445:TCP:10.0.125.19:enabled:iss4
    "6401:TCP"= 6401:TCP:192.168.30.7:enabled:iss5
    "1023:UDP"= 1023:UDP:144.190.1.100:enabled:iss6
    "445:TCP"= 445:TCP:10.0.125.15:enabled:nmap
    "123:UDP"= 123:UDP:129.188.57.239:enabled:scanner1
    "137:UDP"= 137:UDP:129.188.147.55:enabled:scanner2
    "138:UDP"= 138:UDP:192.168.3.1:enabled:scanner3
    "2233:UDP"= 2233:UDP:129.188.33.18:enabled:scanner4
    "371:UDP"= 371:UDP:10.0.125.13:enabled:scanner5
    "407:UDP"= 407:UDP:10.0.125.28:enabled:scanner6
    "497:UDP"= 497:UDP:10.193.21.54:enabled:scanner7
    "500:UDP"= 500:UDP:10.0.125.11:enabled:scanner8
    "600:UDP"= 600:UDP:10.79.40.64:enabled:scanner9
    "601:UDP"= 601:UDP:10.79.40.64:enabled:scanner10
    "602:UDP"= 602:UDP:10.79.40.64:enabled:scanner11
    "603:UDP"= 603:UDP:10.79.40.64:enabled:scanner12
    "604:UDP"= 604:UDP:10.79.40.64:enabled:scanner13
    "605:UDP"= 605:UDP:10.79.40.64:enabled:scanner14
    "606:UDP"= 606:UDP:10.79.40.64:enabled:scanner15
    "607:UDP"= 607:UDP:10.79.40.64:enabled:scanner16
    "608:UDP"= 608:UDP:10.79.40.64:enabled:scanner17
    "609:UDP"= 609:UDP:10.79.40.64:enabled:scanner18
    "610:UDP"= 610:UDP:10.79.40.64:enabled:scanner19
    "62514:UDP"= 62514:UDP:10.79.40.72,10.82.51.100,10.228.96.22/24,10.228.96.26,10.16.225.208,10.17.193.181,10.17.193.182:enabled:scanner20
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
    "Enabled"= 1 (0x1)

    R0 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2004-07-29 14:34]
    R1 WrqDft;WrqDft;C:\WINDOWS\system32\drivers\WrqDft.sys [2002-07-29 09:50]
    R1 WrqSDL;WrqSDL;C:\WINDOWS\system32\drivers\WrqSDL.sys [2002-07-29 09:50]
    R2 ApacheForSDM;ApacheForSDM;"C:\AdventNet\WebNMS\apache\bin\Apache.exe" -k runservice []
    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
    R2 sprtsvc_supportsoft_amer_motorola;SupportSoft Sprocket Service (supportsoft_amer_motorola);C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe [2006-07-12 17:01]
    R2 tgsrvc_supportsoft_amer_motorola;SupportSoft Repair Service (supportsoft_amer_motorola);C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe [2006-07-12 17:01]
    R2 VPatch;ISS Buffer Overflow Exploit Prevention;"C:\Program Files\ISS\Proventia Desktop\vpatch.exe" [2007-10-29 13:44]
    R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-10-03 13:48]
    R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 12:46]
    R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\isskboep.sys [2007-06-15 19:56]
    R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-10-29 13:44]
    S0 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-06-15 19:56]
    S3 ASANYs_WebNmsDB;Adaptive Server Anywhere - WebNmsDB;C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe [2005-02-25 11:27]
    S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
    S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
    S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-06-19 22:40]
    S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-06-19 22:40]


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-MOT-2K3}]
    C:\WINDOWS\2k3_USR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFC1927-A731-4c34-829B-47EE05ADD199}]
    "C:\WINDOWS\regedit.exe" /s "C:\WINDOWS\mot-wmp9.reg"

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C10BF3A1-3FEC-4a94-AAAF-9D6A4B522F63}]
    "C:\Program Files\WinZip\wzusr90.exe" /NOICON /NOTRAY
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-28 23:22:57 C:\WINDOWS\Tasks\CheckNetwork.job"
    - C:\Program Files\Motorola\WirelessControl\NetStatus.vbs
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-28 20:04:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-28 20:06:53
    ComboFix-quarantined-files.txt 2008-04-29 00:06:39
    ComboFix2.txt 2008-04-28 23:48:12
    ComboFix3.txt 2008-04-28 21:44:35
    ComboFix4.txt 2008-04-28 05:56:25
    ComboFix5.txt 2008-04-28 05:49:19

    Pre-Run: 7,849,701,376 bytes free
    Post-Run: 7,835,987,968 bytes free

    262

  10. #10
    Junior Member
    Join Date
    Apr 2008
    Posts
    16

    Here are the NIAP logs...


    # NIAP_XRay_FileMgr.exe 0.0.0.4
    # 2008-04-28 21:53:17
    # ------------------------------------------------------------------------
    # Scan Autorun.inf in: E:\
    # Scan Autorun.inf in: D:\
    # Not Found.

    # Scan Autorun.inf in: C:\
    # Not Found.

    # Verify System Critical File
    C:\WINDOWS\explorer.exe;OK
    C:\WINDOWS\system32\win32k.sys;OK
    C:\WINDOWS\system32\watchdog.sys;OK
    C:\WINDOWS\system32\hal.dll;OK
    C:\WINDOWS\system32\ntkrnlpa.exe;OK
    C:\WINDOWS\system32\ntoskrnl.exe;OK
    C:\WINDOWS\system32\smss.exe;OK
    C:\WINDOWS\system32\csrss.exe;OK
    C:\WINDOWS\system32\winlogon.exe;OK
    C:\WINDOWS\system32\lsass.exe;OK
    C:\WINDOWS\system32\services.exe;OK
    C:\WINDOWS\system32\svchost.exe;OK
    C:\WINDOWS\system32\userinit.exe;OK
    C:\WINDOWS\system32\drivers\acpi.sys;OK
    C:\WINDOWS\system32\drivers\atapi.sys;OK
    C:\WINDOWS\system32\drivers\beep.sys;OK
    C:\WINDOWS\system32\drivers\cdfs.sys;OK
    C:\WINDOWS\system32\drivers\cdrom.sys;OK
    C:\WINDOWS\system32\drivers\disk.sys;OK
    C:\WINDOWS\system32\drivers\fastfat.sys;OK
    C:\WINDOWS\system32\drivers\fs_rec.sys;OK
    C:\WINDOWS\system32\drivers\ftdisk.sys;OK
    C:\WINDOWS\system32\drivers\i8042prt.sys;OK
    C:\WINDOWS\system32\drivers\kbdclass.sys;OK
    C:\WINDOWS\system32\drivers\mouclass.sys;OK
    C:\WINDOWS\system32\drivers\ndis.sys;OK
    C:\WINDOWS\system32\drivers\ntfs.sys;OK
    C:\WINDOWS\system32\drivers\null.sys;OK
    C:\WINDOWS\system32\drivers\partmgr.sys;OK
    C:\WINDOWS\system32\drivers\pci.sys;OK
    C:\WINDOWS\system32\drivers\pciidex.sys;OK
    C:\WINDOWS\system32\drivers\redbook.sys;OK
    C:\WINDOWS\system32\drivers\scsiport.sys;OK
    C:\WINDOWS\system32\drivers\sr.sys;OK
    C:\WINDOWS\system32\drivers\termdd.sys;OK
    C:\WINDOWS\system32\drivers\usbhub.sys;OK
    C:\WINDOWS\system32\drivers\usbport.sys;OK
    C:\WINDOWS\system32\drivers\volsnap.sys;OK
    C:\WINDOWS\system32\drivers\tcpip.sys;OK
    C:\WINDOWS\system32\drivers\tdi.sys;OK

    -------------------------------

    Report:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
    Name:ccApp , Path:"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Name:vptray , Path:C:\PROGRA~1\SYMANT~1\VPTray.exe
    Name:CSCAdvantage , Path:"C:\Program Files\Help Desk\CSCAdv.exe" /s
    Name:SoundMAXPnP , Path:C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    Name:SoundMAX , Path:"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    Name:ATIPTA , Path:C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    Name:eabconfg.cpl , Path:C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    Name:AGRSMMSG , Path:AGRSMMSG.exe
    Name:SynTPLpr , Path:C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    Name:SynTPEnh , Path:C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    Name:CSCLogonInfo , Path:C:\WINDOWS\UsrLogon.exe
    Name:SupportSoft_Amer_Motorola , Path:"C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe" /P SupportSoft_Amer_Motorola
    Name:iTunesHelper , Path:"C:\Program Files\iTunes\iTunesHelper.exe"
    Name:QuickTime Task , Path:"C:\Program Files\QuickTime\qttask.exe" -atboottime
    Name:Adobe Reader Speed Launcher , Path:"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    Name:SDFix , Path:C:\SDFix\RunThis.bat /second


    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
    Name:DBISQL9 , Path:
    Name:SybaseCentral43 , Path:
    Name:H/PC Connection Agent , Path:"C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    Name:URLy Warning , Path:"C:\Program Files\URLy Warning\URLyWarning.exe" -quiet
    Name:swg , Path:C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    Name:SpybotSD TeaTimer , Path:C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:


    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:


    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:


    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:


    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\:


    HKCC\Software\Microsoft\Windows NT\CurrentVersion\Windows\[Load]:
    Value: None

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Userinit]:
    Value: C:\WINDOWS\system32\userinit.exe,

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Shell]:
    Value: Explorer.exe

    HKLM\SYSTEM\ControlSet001\Control\Session Manager\[BootExecute]:
    Value: autocheck autochk * lsdelete



    BHO Items List:
    {53707962-6F74-2D53-2644-206D7942484F}
    InprocServer32:C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    ThreadingModel:Apartment
    ProgID:None
    Programmable:None
    TypeLib:None
    VersionIndependentProgID:None
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    InprocServer32:C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    ThreadingModel:Apartment
    ProgID:None
    Programmable:None
    TypeLib:None
    VersionIndependentProgID:None
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
    InprocServer32:C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    ThreadingModel:Apartment
    ProgID:protector_dll.ProtectorBho.1
    Programmable:None
    TypeLib:{C7CB459A-7261-4AE6-A87A-17041EE98A40}
    VersionIndependentProgID:protector_dll.ProtectorBho

    File Links List:
    .txt: %SystemRoot%\system32\NOTEPAD.EXE %1
    .exe: "%1" %*
    .com: "%1" %*
    .pif: "%1" %*
    .bat: "%1" %*
    .reg: regedit.exe "%1"
    .chm: "C:\WINDOWS\hh.exe" %1
    .hlp: %SystemRoot%\System32\winhlp32.exe %1
    .ini: %SystemRoot%\System32\NOTEPAD.EXE %1
    .inf: %SystemRoot%\System32\NOTEPAD.EXE %1
    .vbs: %SystemRoot%\System32\WScript.exe "%1" %*
    .js: %SystemRoot%\System32\WScript.exe "%1" %*
    .lnk: CLSID: {00021401-0000-0000-C000-000000000046} shell32.dll

    Image File Execution Options:
    Your Image File Name Here without a path: ntsd -d

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\[AppInit_DLLs]:
    Value:


    ShellExecuteHooks:
    {AEB6717E-7E19-11d0-97EE-00C04FD91972} : URL Exec Hook
    InProcServer32:shell32.dll

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\[Debugger]:
    Value: drwtsn32 -p %ld -e %ld -g

    Kernel Drivers:
    black
    DisplayName:black
    Description:None
    ImagePath:System32\drivers\BlackCat.sys
    ObjectName:None
    Start:SERVICE_DISABLED(4)
    Type:SERVICE_KERNEL_DRIVER(1)
    btaudio
    DisplayName:Bluetooth Audio Device
    Description:None
    ImagePath:system32\drivers\btaudio.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    BTDriver
    DisplayName:Bluetooth Virtual Communications Driver
    Description:None
    ImagePath:system32\DRIVERS\btport.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    BTKRNL
    DisplayName:Bluetooth Bus Enumerator
    Description:None
    ImagePath:system32\DRIVERS\btkrnl.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    BTWDNDIS
    DisplayName:Bluetooth LAN Access Server
    Description:None
    ImagePath:system32\DRIVERS\btwdndis.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    BTWUSB
    DisplayName:WIDCOMM USB Bluetooth Driver
    Description:None
    ImagePath:System32\Drivers\btwusb.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    catchme
    DisplayName:None
    Description:None
    ImagePath:\??\C:\Combo-Fix\catchme.sys [File not found]
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    IPSECSHM
    DisplayName:Nortel IPSECSHM Adapter
    Description:Nortel IPSECSHM Adapter
    ImagePath:system32\DRIVERS\ipsecw2k.sys [File not found]
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    MakoNT
    DisplayName:MakoNT
    Description:None
    ImagePath:\SystemRoot\system32\drivers\isskboep.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    NIAPSafe
    DisplayName:NIAPSafe
    Description:None
    ImagePath:\??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys
    ObjectName:None
    Start:SERVICE_DISABLED(4)
    Type:SERVICE_KERNEL_DRIVER(1)
    pcouffin
    DisplayName:VSO Software pcouffin
    Description:None
    ImagePath:System32\Drivers\pcouffin.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    rap
    DisplayName:rap
    Description:None
    ImagePath:System32\drivers\RapDrv.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    RapFile
    DisplayName:RapFile
    Description:None
    ImagePath:\??\C:\WINDOWS\system32\drivers\RapFile.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    RapNet
    DisplayName:RapNet
    Description:None
    ImagePath:\??\C:\WINDOWS\system32\drivers\RapNet.sys
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    USBAAPL
    DisplayName:Apple Mobile USB Driver
    Description:None
    ImagePath:System32\Drivers\usbaapl.sys [File not found]
    ObjectName:None
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_KERNEL_DRIVER(1)
    VClone
    DisplayName:None
    Description:None
    ImagePath:system32\DRIVERS\VClone.sys [File not found]
    ObjectName:None
    Start:SERVICE_SYSTEM_START(1)
    Type:SERVICE_KERNEL_DRIVER(1)

    Services:
    Adobe LM Service
    DisplayName:Adobe LM Service
    Description:AdobeLM Service
    ImagePath:"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
    ObjectName:LocalSystem
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_WIN32_OWN_PROCESS(16)
    ApacheForSDM
    DisplayName:ApacheForSDM
    Description:Apache
    ImagePath:"C:\AdventNet\WebNMS\apache\bin\Apache.exe" -k runservice
    ObjectName:.\sdm
    Start:SERVICE_AUTO_START(2)
    Type:SERVICE_WIN32_OWN_PROCESS(16)
    ASANYs_WebNmsDB
    DisplayName:Adaptive Server Anywhere - WebNmsDB
    Description:None
    ImagePath:C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe -hvASANYs_WebNmsDB
    ObjectName:.\sdm
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_WIN32_OWN_PROCESS(16)
    BlackICE
    DisplayName:BlackICE
    Description:None
    ImagePath:"C:\Program Files\ISS\Proventia Desktop\blackd.exe"
    ObjectName:LocalSystem
    Start:SERVICE_DISABLED(4)
    Type:SERVICE_WIN32_OWN_PROCESS(16)
    btwdins
    DisplayName:Bluetooth Service
    Description:Handles installation and removal of Bluetooth devices.
    ImagePath:C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    ObjectName:LocalSystem
    Start:SERVICE_AUTO_START(2)
    Type:SERVICE_WIN32_OWN_PROCESS(16)
    hpqwmi
    DisplayName:HP WMI Interface
    Description:None
    ImagePath:C:\Program Files\HPQ\SHARED\HPQWMI.exe
    ObjectName:LocalSystem
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_WIN32_OWN_PROCESS(16)
    RapApp
    DisplayName:RapApp
    Description:Application Protection
    ImagePath:"C:\Program Files\ISS\Proventia Desktop\RapApp.exe"
    ObjectName:LocalSystem
    Start:SERVICE_AUTO_START(2)
    Type:None
    Reflection Line Printer Daemon
    DisplayName:Reflection Line Printer Daemon
    Description:Make your local printer available to other users
    ImagePath:"C:\Program Files\Reflection\lpdserv.exe"
    ObjectName:LocalSystem
    Start:SERVICE_DEMAND_START(3)
    Type:None
    SDM Service
    DisplayName:Motorola SDM
    Description:Motorola SmartStream Device Manager
    ImagePath:JavaService.exe [File not found]
    ObjectName:.\sdm
    Start:SERVICE_DEMAND_START(3)
    Type:SERVICE_WIN32_OWN_PROCESS(16)
    SoundMAX Agent Service (default)
    DisplayName:SoundMAX Agent Service
    Description:None
    ImagePath:C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    ObjectName:LocalSystem
    Start:SERVICE_AUTO_START(2)
    Type:SERVICE_WIN32_OWN_PROCESS(16)
    sprtsvc_supportsoft_amer_motorola
    DisplayName:SupportSoft Sprocket Service (supportsoft_amer_motorola)
    Description:SupportSoft Sprocket Service
    ImagePath:C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe /service /p supportsoft_amer_motorola
    ObjectName:LocalSystem
    Start:SERVICE_AUTO_START(2)
    Type:None
    tgsrvc_supportsoft_amer_motorola
    DisplayName:SupportSoft Repair Service (supportsoft_amer_motorola)
    Description:SupportSoft Repair Service
    ImagePath:C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe /p supportsoft_amer_motorola
    ObjectName:LocalSystem
    Start:SERVICE_AUTO_START(2)
    Type:None
    VPatch
    DisplayName:ISS Buffer Overflow Exploit Prevention
    Description:None
    ImagePath:"C:\Program Files\ISS\Proventia Desktop\vpatch.exe"
    ObjectName:LocalSystem
    Start:SERVICE_AUTO_START(2)
    Type:None
    Wuser32
    DisplayName:SMS Remote Control Agent
    Description:None
    ImagePath:C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    ObjectName:LocalSystem
    Start:SERVICE_AUTO_START(2)
    Type:None


    ------------------------------

    NIAP_XRay_System Version 0.0.0.5 System log

    Process:
    PID | EPROCESS | Process Name | Module Path
    00000004 86FC52C0 System
    00000108 86EBC728 rapimgr.exe C:\PROGRA~1\MICROS~3\rapimgr.exe
    00000150 85FE0DA0 SMAgent.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    00000160 85FD0020 sprtsvc.exe C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
    00000180 85F1ADA0 hpqwmi.exe C:\Program Files\HPQ\SHARED\HPQWMI.exe
    00000184 85FD72D8 svchost.exe C:\WINDOWS\system32\svchost.exe
    00000190 85FCA2F0 tgsrvc.exe C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
    000001AC 85FCB518 Vpatch.exe C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    000001D0 863BA998 smss.exe \SystemRoot\System32\smss.exe
    000001F8 85FCCDA0 Wuser32.exe C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    00000208 86E05230 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
    00000220 86360848 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
    0000024C 86CC9438 services.exe C:\WINDOWS\system32\services.exe
    00000260 86CBA890 lsass.exe C:\WINDOWS\system32\lsass.exe
    000002E4 862FDB78 svchost.exe C:\WINDOWS\system32\svchost.exe
    00000300 85FBCDA0 CcmExec.exe C:\WINDOWS\system32\CCM\CcmExec.exe
    00000340 8634BB10 svchost.exe C:\WINDOWS\system32\svchost.exe
    0000039C 86E07A38 svchost.exe C:\WINDOWS\System32\svchost.exe
    000003CC 85E4CB00 NIAP_XRay_Syste D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAP_XRay_System.exe
    000003F4 86CF8DA0 svchost.exe C:\WINDOWS\system32\svchost.exe
    00000434 86416DA0 svchost.exe C:\WINDOWS\system32\svchost.exe
    00000460 86E49B78 aawservice.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    000004F8 86393950 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
    00000530 86307A78 scardsvr.exe C:\WINDOWS\System32\SCardSvr.exe
    00000644 863ABDA0 Apache.exe C:\AdventNet\WebNMS\apache\bin\Apache.exe
    00000658 86E3A990 btwdins.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    0000066C 8630CB28 dsNcService.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    0000067C 85F49020 explorer.exe C:\WINDOWS\Explorer.EXE
    0000069C 86259430 RapApp.exe C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    000006D0 86208500 Apache.exe C:\AdventNet\WebNMS\apache\bin\Apache.exe
    00000828 85F40B90 RapUISvc.exe C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
    00000834 85E438F0 notepad.exe C:\WINDOWS\system32\notepad.exe
    00000848 8620A728 msiexec.exe C:\WINDOWS\system32\msiexec.exe
    0000084C 85FAF900 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
    000008F8 86F5F950 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
    00000A4C 86D05AF8 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
    00000B18 85FA2020 wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe
    00000C20 85E8D918 iPodService.exe C:\Program Files\iPod\bin\iPodService.exe
    00000C98 85F276D8 SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    00000D00 85F26340 SMax4.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    00000D1C 86ED1DA0 atiptaxx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    00000D2C 86EBD950 eabservr.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    00000D3C 85F153F0 AGRSMMSG.exe C:\WINDOWS\AGRSMMSG.exe
    00000D50 86ED5750 SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    00000D6C 86EC7950 SynTPEnh.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    00000D80 85F16B80 sprtcmd.exe C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe
    00000D88 85F0C7C8 iTunesHelper.ex C:\Program Files\iTunes\iTunesHelper.exe
    00000E3C 85EFD908 wcescomm.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    00000E70 85ED2020 TeaTimer.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    00000ED8 85EB6DA0 BTTray.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

    Kernel Module:
    EntryPoint | Module Base | Image Size | Module Path
    806AC5CE 804D7000 00214500 ntoskrnl.exe \WINDOWS\system32\ntoskrnl.exe
    807090BC 806EC000 00020380 hal.dll \WINDOWS\system32\hal.dll
    F7B2ECE6 F7B2E000 00002000 kdcom.dll \WINDOWS\system32\KDCOM.DLL
    F7A3F872 F7A3E000 00003000 BOOTVID.dll \WINDOWS\system32\BOOTVID.dll
    F7608059 F75DF000 0002E000 ACPI.sys ACPI.sys
    F7B30B80 F7B30000 00002000 WMILIB.SYS \WINDOWS\system32\DRIVERS\WMILIB.SYS
    F75DC004 F75CE000 00011000 pci.sys pci.sys
    F76353E4 F762E000 00009000 isapnp.sys isapnp.sys
    F7A43A00 F7A42000 00003000 compbatt.sys compbatt.sys
    F7A46F00 F7A46000 00004000 BATTC.SYS \WINDOWS\system32\DRIVERS\BATTC.SYS
    F7BF661E F7BF6000 00001000 pciide.sys pciide.sys
    F78B3205 F78AE000 00007000 PCIIDEX.SYS \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    F7B32B6E F7B32000 00002000 aliide.sys aliide.sys
    F7B352F4 F7B34000 00002000 cmdide.sys cmdide.sys
    F7B36A94 F7B36000 00002000 toside.sys toside.sys
    F7B38E85 F7B38000 00002000 viaide.sys viaide.sys
    F7B3AF05 F7B3A000 00002000 intelide.sys intelide.sys
    F75CAB86 F75B0000 0001E000 pcmcia.sys pcmcia.sys
    F76471B4 F763E000 0000B000 MountMgr.sys MountMgr.sys
    F75AC4E2 F7591000 0001F000 ftdisk.sys ftdisk.sys
    F7B3CBF6 F7B3C000 00002000 dmload.sys dmload.sys
    F758CF05 F756B000 00026000 dmio.sys dmio.sys
    F78B9880 F78B6000 00005000 PartMgr.sys PartMgr.sys
    F7A4BD00 F7A4A000 00003000 ACPIEC.sys ACPIEC.sys
    F7BF734A F7BF7000 00001000 OPRGHDLR.SYS \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    F7657D3E F764E000 0000D000 VolSnap.sys VolSnap.sys
    F7A4E300 F7A4E000 00004000 cpqarray.sys cpqarray.sys
    F7568039 F7553000 00018000 SCSIPORT.SYS \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    F7480692 F747D000 000D6000 iaStor.sys iaStor.sys
    F747A5F7 F7465000 00018000 atapi.sys atapi.sys
    F7A53BD2 F7A52000 00004000 aha154x.sys aha154x.sys
    F78BEFEA F78BE000 00005000 sparrow.sys sparrow.sys
    F7A58FF8 F7A56000 00004000 symc810.sys symc810.sys
    F7669808 F765E000 0000E000 aic78xx.sys aic78xx.sys
    F7A5CA38 F7A5A000 00004000 dac960nt.sys dac960nt.sys
    F7670042 F766E000 00009000 ql10wnt.sys ql10wnt.sys
    F7A60472 F7A5E000 00003000 amsint.sys amsint.sys
    F78C7636 F78C6000 00007000 asc.sys asc.sys
    F7A62F52 F7A62000 00004000 asc3550.sys asc3550.sys
    F78CEA78 F78CE000 00005000 mraid35x.sys mraid35x.sys
    F78D9F85 F78D6000 00005000 i2omp.sys i2omp.sys
    F7A691D4 F7A66000 00004000 ini910u.sys ini910u.sys
    F7680034 F767E000 0000A000 ql1240.sys ql1240.sys
    F769999A F768E000 0000E000 aic78u2.sys aic78u2.sys
    F78E3F86 F78DE000 00008000 symc8xx.sys symc8xx.sys
    F78EBA66 F78E6000 00007000 sym_hi.sys sym_hi.sys
    F78F4268 F78EE000 00008000 sym_u3.sys sym_u3.sys
    F78F7642 F78F6000 00006000 ABP480N5.SYS ABP480N5.SYS
    F78FEC3E F78FE000 00006000 asc3350p.sys asc3350p.sys
    F7B3EA15 F7B3E000 00002000 cd20xrnt.sys cd20xrnt.sys
    F76A3CE8 F769E000 00009000 ultra.sys ultra.sys
    F74603C0 F744C000 00019000 adpu160m.sys adpu160m.sys
    F7909E30 F7906000 00005000 dpti2o.sys dpti2o.sys
    F76AFF9C F76AE000 0000A000 ql1080.sys ql1080.sys
    F76C1BE8 F76BE000 0000C000 ql12160.sys ql12160.sys
    F76D1C0A F76CE000 0000C000 ql1280.sys ql1280.sys
    F791105A F790E000 00007000 perc2.sys perc2.sys
    F7B40DC0 F7B40000 00002000 perc2hib.sys perc2hib.sys
    F791905A F7916000 00007000 hpn.sys hpn.sys
    F7A6CCE0 F7A6A000 00004000 cbidf2k.sys cbidf2k.sys
    F742BB00 F7420000 0002C000 dac2w2k.sys dac2w2k.sys
    F740B4C0 F7409000 00017000 symmpi.sys symmpi.sys
    F73CC190 F73CB000 0003E000 a320raid.sys a320raid.sys
    F76E58AB F76DE000 00009000 disk.sys disk.sys
    F76F8E8F F76EE000 0000D000 CLASSPNP.SYS \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    F73C7C58 F73AB000 00020000 fltMgr.sys fltMgr.sys
    F73A8FD4 F7399000 00012000 sr.sys sr.sys
    F770391D F76FE000 00009000 PxHelp20.sys PxHelp20.sys
    F7396E29 F7382000 00017000 KSecDD.sys KSecDD.sys
    F737A204 F72F5000 0008D000 Ntfs.sys Ntfs.sys
    F72F1205 F72C8000 0002D000 NDIS.sys NDIS.sys
    F7716885 F770E000 0000B000 sisagp.sys sisagp.sys
    F7726D05 F771E000 0000B000 viaagp.sys viaagp.sys
    F72C4BFA F72AD000 0001B000 Mup.sys Mup.sys
    F7736F85 F772E000 0000B000 alim1541.sys alim1541.sys
    F7746F85 F773E000 0000B000 amdagp.sys amdagp.sys
    F7756D85 F774E000 0000B000 agp440.sys agp440.sys
    F7767705 F775E000 0000B000 agpCPQ.sys agpCPQ.sys
    F7D152C6 F7D15000 00001000 idisw2km.sys \SystemRoot\system32\DRIVERS\idisw2km.sys
    F719A310 F7189000 00014000 VIDEOPRT.SYS \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    F7B58BCC F7B58000 00002000 kbstuff5.sys \SystemRoot\system32\DRIVERS\kbstuff5.sys
    F79A2610 F799E000 00006000 kbdclass.sys \SystemRoot\system32\DRIVERS\kbdclass.sys
    F79AA035 F79A6000 00006000 mouclass.sys \SystemRoot\system32\DRIVERS\mouclass.sys
    F7823885 F781E000 00009000 intelppm.sys \SystemRoot\system32\DRIVERS\intelppm.sys
    F6FF28BA F6EE0000 00137000 ati2mtag.sys \SystemRoot\system32\DRIVERS\ati2mtag.sys
    F79B2605 F79AE000 00005000 usbuhci.sys \SystemRoot\system32\DRIVERS\usbuhci.sys
    F6EDD985 F6EBD000 00023000 USBPORT.SYS \SystemRoot\system32\DRIVERS\USBPORT.SYS
    F79BBE05 F79B6000 00007000 usbehci.sys \SystemRoot\system32\DRIVERS\usbehci.sys
    F6CA1610 F6CA1000 0021C000 w29n51.sys \SystemRoot\system32\DRIVERS\w29n51.sys
    F6C9DDBF F6C79000 00028000 tifm21.sys \SystemRoot\system32\drivers\tifm21.sys
    F6C7696C F6C68000 00011000 sdbus.sys \SystemRoot\system32\DRIVERS\sdbus.sys
    F6C64A05 F6C52000 00016000 gtipci21.sys \SystemRoot\system32\DRIVERS\gtipci21.sys
    F7AFCC00 F7AFA000 00004000 SMCLIB.SYS \SystemRoot\system32\DRIVERS\SMCLIB.SYS
    F6C3CEB2 F6C12000 00040000 smwdm.sys \SystemRoot\system32\drivers\smwdm.sys
    F6C0EC85 F6BEE000 00024000 portcls.sys \SystemRoot\system32\drivers\portcls.sys
    F783BD85 F782E000 0000F000 drmk.sys \SystemRoot\system32\drivers\drmk.sys
    F6BEAFB5 F6BCB000 00023000 ks.sys \SystemRoot\system32\drivers\ks.sys
    F6BC84D6 F6BAB000 00020000 aeaudio.sys \SystemRoot\system32\drivers\aeaudio.sys
    F6B9BC96 F6AA6000 00105000 AGRSM.sys \SystemRoot\system32\DRIVERS\AGRSM.sys
    F79C3E6D F79BE000 00008000 Modem.SYS \SystemRoot\System32\Drivers\Modem.SYS
    F784903B F783E000 00010000 serial.sys \SystemRoot\system32\DRIVERS\serial.sys
    F7B08F69 F7B06000 00004000 serenum.sys \SystemRoot\system32\DRIVERS\serenum.sys
    F7854000 F784E000 00009000 smcirda.sys \SystemRoot\system32\DRIVERS\smcirda.sys
    F7B0C045 F7B0A000 00003000 irenum.sys \SystemRoot\system32\DRIVERS\irenum.sys
    F6AA3705 F6A92000 00014000 parport.sys \SystemRoot\system32\DRIVERS\parport.sys
    F7867385 F785E000 0000D000 i8042prt.sys \SystemRoot\system32\DRIVERS\i8042prt.sys
    F6A8ED60 F6A64000 0002E000 SynTP.sys \SystemRoot\system32\DRIVERS\SynTP.sys
    F7B5A300 F7B5A000 00002000 USBD.SYS \SystemRoot\system32\DRIVERS\USBD.SYS
    F78769FB F786E000 0000B000 imapi.sys \SystemRoot\system32\DRIVERS\imapi.sys
    F78886DA F787E000 0000D000 cdrom.sys \SystemRoot\system32\DRIVERS\cdrom.sys
    F7899685 F788E000 0000F000 redbook.sys \SystemRoot\system32\DRIVERS\redbook.sys
    F79CA000 F79C6000 00007000 GEARAspiWDM.sys \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    F7B18966 F7B16000 00004000 CmBatt.sys \SystemRoot\system32\DRIVERS\CmBatt.sys
    F7B1B894 F7B1A000 00003000 wmiacpi.sys \SystemRoot\system32\DRIVERS\wmiacpi.sys
    F69980E0 F6858000 00144000 btkrnl.sys \SystemRoot\system32\DRIVERS\btkrnl.sys
    F78A512C F789E000 0000A000 dsNcAdpt.sys \SystemRoot\system32\DRIVERS\dsNcAdpt.sys
    F7D24600 F7D24000 00001000 audstub.sys \SystemRoot\system32\DRIVERS\audstub.sys
    F79D1A80 F79CE000 00005000 rasirda.sys \SystemRoot\system32\DRIVERS\rasirda.sys
    F79D9B05 F79D6000 00005000 TDI.SYS \SystemRoot\system32\DRIVERS\TDI.SYS
    F7260505 F7255000 0000D000 rasl2tp.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys
    F7B23A22 F7B22000 00003000 ndistapi.sys \SystemRoot\system32\DRIVERS\ndistapi.sys
    F6855323 F6841000 00017000 ndiswan.sys \SystemRoot\system32\DRIVERS\ndiswan.sys
    F724E165 F7245000 0000B000 raspppoe.sys \SystemRoot\system32\DRIVERS\raspppoe.sys
    F723F905 F7235000 0000C000 raspptp.sys \SystemRoot\system32\DRIVERS\raspptp.sys
    F79E14A2 F79DE000 00005000 ptilink.sys \SystemRoot\system32\DRIVERS\ptilink.sys
    F79E9200 F79E6000 00005000 raspti.sys \SystemRoot\system32\DRIVERS\raspti.sys
    F722F317 F7225000 0000C000 pcouffin.sys \SystemRoot\System32\Drivers\pcouffin.sys
    F683B885 F6810000 00031000 rdpdr.sys \SystemRoot\system32\DRIVERS\rdpdr.sys
    F721D657 F7215000 0000A000 termdd.sys \SystemRoot\system32\DRIVERS\termdd.sys
    F7B5C8DD F7B5C000 00002000 swenum.sys \SystemRoot\system32\DRIVERS\swenum.sys
    F680E048 F67DC000 00034000 update.sys \SystemRoot\system32\DRIVERS\update.sys
    F727BBE6 F7279000 00004000 mssmbios.sys \SystemRoot\system32\DRIVERS\mssmbios.sys
    F720CF20 F7205000 0000A000 NDProxy.SYS \SystemRoot\System32\Drivers\NDProxy.SYS
    F71D1A05 F71C5000 0000F000 usbhub.sys \SystemRoot\system32\DRIVERS\usbhub.sys
    F7B65785 F7B64000 00002000 i2omgmt.SYS \SystemRoot\System32\Drivers\i2omgmt.SYS
    F46C6B70 F4674000 00058000 savrt.sys \??\C:\Program Files\Symantec AntiVirus\savrt.sys
    F4670010 F4652000 00022000 SYMEVENT.SYS \??\C:\Program Files\Symantec\SYMEVENT.SYS
    F464F070 F463E000 00014000 Savrtpel.sys \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
    F45AD960 F4565000 000D9000 navex15.sys \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080428.003\navex15.sys
    F455333B F4552000 00013000 naveng.sys \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080428.003\naveng.sys
    F7B695E4 F7B68000 00002000 Fs_Rec.SYS \SystemRoot\System32\Drivers\Fs_Rec.SYS
    F7C8759A F7C87000 00001000 Null.SYS \SystemRoot\System32\Drivers\Null.SYS
    F7B6A66C F7B6A000 00002000 Beep.SYS \SystemRoot\System32\Drivers\Beep.SYS
    F7A12642 F7A0E000 00006000 vga.sys \SystemRoot\System32\drivers\vga.sys
    F7B6C646 F7B6C000 00002000 mnmdd.SYS \SystemRoot\System32\Drivers\mnmdd.SYS
    F7B6E944 F7B6E000 00002000 RDPCDD.sys \SystemRoot\System32\DRIVERS\RDPCDD.sys
    F7A19BED F7A16000 00005000 Msfs.SYS \SystemRoot\System32\Drivers\Msfs.SYS
    F7A246D3 F7A1E000 00008000 Npfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS
    F7AE766B F7AE6000 00003000 rasacd.sys \SystemRoot\system32\DRIVERS\rasacd.sys
    F452F885 F451F000 00013000 ipsec.sys \SystemRoot\system32\DRIVERS\ipsec.sys
    F77C5A85 F77BE000 00009000 msgpc.sys \SystemRoot\system32\DRIVERS\msgpc.sys
    F4518516 F44C7000 00058000 tcpip.sys \SystemRoot\system32\DRIVERS\tcpip.sys
    F44C2F85 F449F000 00028000 netbt.sys \SystemRoot\system32\DRIVERS\netbt.sys
    F449AF40 F447D000 00022000 afd.sys \SystemRoot\System32\drivers\afd.sys
    F77D54A9 F77CE000 00009000 netbios.sys \SystemRoot\system32\DRIVERS\netbios.sys
    F77E2160 F77DE000 00009000 WrqDft.SYS \SystemRoot\System32\Drivers\WrqDft.SYS
    F7A26430 F7A26000 00005000 WrqSDL.SYS \SystemRoot\System32\Drivers\WrqSDL.SYS
    F4478EF8 F4452000 0002B000 rdbss.sys \SystemRoot\system32\DRIVERS\rdbss.sys
    F444A803 F43E3000 0006F000 mrxsmb.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys
    F77F2F2B F77EE000 00009000 Fips.SYS \SystemRoot\System32\Drivers\Fips.SYS
    F7804FD6 F77FE000 00009000 wanarp.sys \SystemRoot\system32\DRIVERS\wanarp.sys
    F435B07D F430B000 00060000 eeCtrl.sys \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    F430707E F42ED000 0001E000 EraserUtilRebootDrv.sys \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    F7B7030E F7B70000 00002000 EABFiltr.sys \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
    F6A61A85 F6A54000 00010000 Cdfs.SYS \SystemRoot\System32\Drivers\Cdfs.SYS
    F42EA5F7 F42D5000 00018000 dump_atapi.sys \SystemRoot\System32\Drivers\dump_atapi.sys
    F7B7AB80 F7B7A000 00002000 dump_WMILIB.SYS \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    BF9AFB6F BF800000 001C3000 win32k.sys \SystemRoot\System32\win32k.sys
    F67C5E80 F67C4000 00003000 Dxapi.sys \SystemRoot\System32\drivers\Dxapi.sys
    F7931890 F792E000 00005000 watchdog.sys \SystemRoot\System32\watchdog.sys
    BF9D3090 BF9C3000 00012000 dxg.sys \SystemRoot\System32\drivers\dxg.sys
    F7C07359 F7C07000 00001000 dxgthk.sys \SystemRoot\System32\drivers\dxgthk.sys
    BF9F8348 BF9D5000 0003C000 ati2dvag.dll \SystemRoot\System32\ati2dvag.dll
    BFA1B6A0 BFA11000 00033000 ati2cqag.dll \SystemRoot\System32\ati2cqag.dll
    BFA57DE0 BFA44000 00033000 atikvmag.dll \SystemRoot\System32\atikvmag.dll
    BFA77000 BFA77000 0023E000 ati3duag.dll \SystemRoot\System32\ati3duag.dll
    BFCB5000 BFCB5000 00097000 ativvaxx.dll \SystemRoot\System32\ativvaxx.dll
    BFFB3ADB BFFA0000 00046000 ATMFD.DLL \SystemRoot\System32\ATMFD.DLL
    B8DF4AFB B8DE2000 00016000 irda.sys \SystemRoot\system32\DRIVERS\irda.sys
    F7982685 F797E000 00006000 TDTCP.SYS \SystemRoot\System32\Drivers\TDTCP.SYS
    B8C77F85 B8C57000 00023000 RDPWD.SYS \SystemRoot\System32\Drivers\RDPWD.SYS
    B8B8AD85 B8B63000 0002C000 mrxdav.sys \SystemRoot\system32\DRIVERS\mrxdav.sys
    B8A43D85 B89F9000 00052000 srv.sys \SystemRoot\system32\DRIVERS\srv.sys
    B88B6D85 B88A4000 00015000 wdmaud.sys \SystemRoot\system32\drivers\wdmaud.sys
    F47018E1 F46F4000 0000F000 sysaudio.sys \SystemRoot\system32\drivers\sysaudio.sys
    B8A83D0A B8A7B000 0000D000 RapDrv.sys \SystemRoot\System32\drivers\RapDrv.sys
    B8503C16 B84F2000 00014000 isskboep.sys \SystemRoot\system32\drivers\isskboep.sys
    B7C74F50 B7C72000 0000E000 NIAPMirrorSystem.sys \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys
    B7B3F105 B7B17000 0002B000 kmixer.sys \SystemRoot\system32\drivers\kmixer.sys
    B7B01B50 B7AFD000 0001A000 NIAPRkDetect.sys \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPRkDetect.sys

    SSDT:
    ID | Current Function Address | Module Path | Source Function Address | Function Name
    HOOK 00000025 B84F9C05 \SystemRoot\system32\drivers\isskboep.sys 8056FBF8 ZwCreateFile
    HOOK 00000029 B8A80EA8 \SystemRoot\System32\drivers\RapDrv.sys 8056E7A9 ZwCreateKey
    HOOK 0000002F B84F9C0C \SystemRoot\system32\drivers\isskboep.sys 805B0AA4 ZwCreateProcess
    HOOK 00000030 B84F9C13 \SystemRoot\system32\drivers\isskboep.sys 80581E82 ZwCreateProcessEx
    HOOK 00000039 B8A8084A \SystemRoot\System32\drivers\RapDrv.sys 80659301 ZwDebugActiveProcess
    HOOK 00000077 B8A80FF2 \SystemRoot\System32\drivers\RapDrv.sys 80567CFB ZwOpenKey
    HOOK 0000007A B8A8085C \SystemRoot\System32\drivers\RapDrv.sys 80572D06 ZwOpenProcess
    HOOK 00000101 B8A806EC \SystemRoot\System32\drivers\RapDrv.sys 80584740 ZwTerminateProcess
    HOOK 0000011C B7C74530 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys D763C355 -----
    HOOK 0000011D B7C74590 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 71318D8B -----
    HOOK 0000011E B7C745E0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 049B6FDF -----
    HOOK 0000011F B7C74630 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 7FDD7024 -----
    HOOK 00000120 B7C74680 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 9C50ABFF -----
    HOOK 00000121 B7C746D0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 68618673 -----
    HOOK 00000122 B7C74710 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800E9FCF -----
    HOOK 00000123 B7C74750 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 051D300B -----
    HOOK 00000124 B7C747A0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800D70D8 -----
    HOOK 00000125 B7C747F0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 2329B38B -----
    HOOK 00000126 B7C74850 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 7FED6008 -----
    HOOK 00000127 B7C748A0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 813A23FF -----
    HOOK 00000128 B7C748F0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 13987000 -----
    HOOK 00000129 B7C74940 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800D7134 -----
    HOOK 0000012A B7C74980 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 9880FB52 -----
    HOOK 0000012B B7C749E0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys ACB0F956 -----
    HOOK 0000012C B7C74A30 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 030D7001 -----
    HOOK 0000012D B7C74A80 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 7C9960E4 -----
    HOOK 0000012E B7C74AC0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 821E5C81 -----
    HOOK 0000012F B7C74B00 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 6E8E7000 -----
    HOOK 00000130 B7C74B40 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800D7210 -----
    HOOK 00000131 B7C74BB0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 091BFBFA -----
    HOOK 00000132 B7C74C00 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys CE98940C -----
    HOOK 00000133 B7C74C40 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys A459F904 -----
    HOOK 00000134 B7C74C80 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 885BFB04 -----
    HOOK 00000135 B7C74CF0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 8831BC89 -----
    HOOK 00000136 B7C74D40 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 0925BE8B -----
    HOOK 00000137 B7C74D90 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 0B25944C -----
    HOOK 00000138 B7C74DF0 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 800F7C8E -----
    HOOK 00000139 B7C74E50 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys A499F900 -----

    Shadow Table:
    ID | Current Function Address | Module Path | Source Function Address | Function Name

    System Callback:
    Notify type | Address | Module Name | Module Path
    Process Create/Terminate F465B280 SYMEVENT.SYS \??\C:\Program Files\Symantec\SYMEVENT.SYS
    Process Create/Terminate B84FE4F4 isskboep.sys \SystemRoot\system32\drivers\isskboep.sys
    Thread Create/Terminate F465B220 SYMEVENT.SYS \??\C:\Program Files\Symantec\SYMEVENT.SYS
    LoadImage F465B020 SYMEVENT.SYS \??\C:\Program Files\Symantec\SYMEVENT.SYS

    FSD Dispatch hook:
    Driver Name | Major Function | Address | Module Path
    HOOK \FileSystem\Ntfs IRP_MJ_CREATE 00000000 \SystemRoot\System32\drivers\RapDrv.sys
    HOOK \FileSystem\Ntfs IRP_MJ_WRITE 00000000 \SystemRoot\System32\drivers\RapDrv.sys
    HOOK \FileSystem\Ntfs IRP_MJ_SET_INFORMATION 00000000 \SystemRoot\System32\drivers\RapDrv.sys
    HOOK \FileSystem\Ntfs IRP_MJ_CLEANUP 00000000 \SystemRoot\System32\drivers\RapDrv.sys

    Kernel Mode Hook:
    Module Name | Address | Hook Type | Memo

    Windows Hook:
    Process Name | IsGlobal | Function Address | Hook Type | Module Path
    BTTray.exe Local 73DD50C7 WH_MSGFILTER C:\WINDOWS\system32\MFC42.DLL
    BTTray.exe Global 000014C0 WH_KEYBOARD C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    BTTray.exe Global 000010A0 WH_KEYBOARD C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    BTTray.exe Local 00D634E0 WH_CALLWNDPROC C:\WINDOWS\system32\CSH.dll
    BTTray.exe Local 73DD4EAA WH_CBT C:\WINDOWS\system32\MFC42.DLL
    BTTray.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    BTTray.exe Global 000010D0 WH_MOUSE C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    BTTray.exe Local 73DD50C7 WH_MSGFILTER C:\WINDOWS\system32\MFC42.DLL
    TeaTimer.exe Global 000014C0 WH_KEYBOARD C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    TeaTimer.exe Global 5FFF10A0 WH_KEYBOARD C:\Program Files\SupportSoft_Amer_Motorola\bin\sdcidle.dll
    TeaTimer.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    TeaTimer.exe Global 5FFF10D0 WH_MOUSE C:\Program Files\SupportSoft_Amer_Motorola\bin\sdcidle.dll
    wcescomm.exe Global 000014C0 WH_KEYBOARD C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    wcescomm.exe Global 000010A0 WH_KEYBOARD C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    wcescomm.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    wcescomm.exe Global 000010D0 WH_MOUSE C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    iTunesHelper.ex Global 000014C0 WH_KEYBOARD C:\Program Files\iTunes\iTunesHelper.exe
    iTunesHelper.ex Global 000010A0 WH_KEYBOARD C:\Program Files\iTunes\iTunesHelper.exe
    iTunesHelper.ex Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    iTunesHelper.ex Global 000010D0 WH_MOUSE C:\Program Files\iTunes\iTunesHelper.exe
    sprtcmd.exe Global 000014C0 WH_KEYBOARD C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe
    sprtcmd.exe Global 000010A0 WH_KEYBOARD C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe
    sprtcmd.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    sprtcmd.exe Global 000010D0 WH_MOUSE C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe
    SynTPEnh.exe Global 000014C0 WH_KEYBOARD C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    SynTPEnh.exe Global 000010A0 WH_KEYBOARD C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    SynTPEnh.exe Global 00001580 WH_CBT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    SynTPEnh.exe Global 000010D0 WH_MOUSE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    SynTPLpr.exe Global 000014C0 WH_KEYBOARD C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPLpr.exe Global 000010A0 WH_KEYBOARD C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPLpr.exe Global 00001580 WH_CBT C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPLpr.exe Global 000010D0 WH_MOUSE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    AGRSMMSG.exe Global 000014C0 WH_KEYBOARD C:\WINDOWS\AGRSMMSG.exe
    AGRSMMSG.exe Global 000010A0 WH_KEYBOARD C:\WINDOWS\AGRSMMSG.exe
    AGRSMMSG.exe Global 00001580 WH_CBT C:\WINDOWS\AGRSMMSG.exe
    AGRSMMSG.exe Global 000010D0 WH_MOUSE C:\WINDOWS\AGRSMMSG.exe
    eabservr.exe Global 000014C0 WH_KEYBOARD C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    eabservr.exe Global 000010A0 WH_KEYBOARD C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    eabservr.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    eabservr.exe Global 000010D0 WH_MOUSE C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    atiptaxx.exe Global 000014C0 WH_KEYBOARD C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    atiptaxx.exe Global 000010A0 WH_KEYBOARD C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    atiptaxx.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    atiptaxx.exe Global 000010D0 WH_MOUSE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    SMax4.exe Local 73DD50C7 WH_MSGFILTER C:\WINDOWS\system32\MFC42.DLL
    SMax4.exe Global 000014C0 WH_KEYBOARD C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    SMax4.exe Global 000010A0 WH_KEYBOARD C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    SMax4.exe Global 00001580 WH_CBT C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    SMax4.exe Global 000010D0 WH_MOUSE C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    SMax4.exe Local 73DD50C7 WH_MSGFILTER C:\WINDOWS\system32\MFC42.DLL
    SMax4.exe Local 73DD4EAA WH_CBT C:\WINDOWS\system32\MFC42.DLL
    SMax4PNP.exe Local 73DD50C7 WH_MSGFILTER C:\WINDOWS\system32\MFC42.DLL
    SMax4PNP.exe Global 000014C0 WH_KEYBOARD C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    SMax4PNP.exe Global 000010A0 WH_KEYBOARD C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    SMax4PNP.exe Local 73DD4EAA WH_CBT C:\WINDOWS\system32\MFC42.DLL
    SMax4PNP.exe Global 00001580 WH_CBT C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    SMax4PNP.exe Global 000010D0 WH_MOUSE C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    RapUISvc.exe Local 0044C5C5 WH_MSGFILTER C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
    RapUISvc.exe Global 000014C0 WH_KEYBOARD C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
    RapUISvc.exe Global 000010A0 WH_KEYBOARD C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
    RapUISvc.exe Global 00001580 WH_CBT C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
    RapUISvc.exe Global 000010D0 WH_MOUSE C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
    RapApp.exe Local 0041C897 WH_MSGFILTER C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    RapApp.exe Global 000014C0 WH_KEYBOARD C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    RapApp.exe Global 000010A0 WH_KEYBOARD C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    RapApp.exe Global 00001580 WH_CBT C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    RapApp.exe Global 000010D0 WH_MOUSE C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    RapApp.exe Local 0041C897 WH_MSGFILTER C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    RapApp.exe Local 0041C897 WH_MSGFILTER C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    RapApp.exe Local 0044C5C5 WH_MSGFILTER C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    RapApp.exe Local 00443C3C WH_CBT C:\Program Files\ISS\Proventia Desktop\RapApp.exe
    explorer.exe Global 000014C0 WH_KEYBOARD C:\WINDOWS\Explorer.EXE
    explorer.exe Global 5FFF10A0 WH_KEYBOARD C:\Program Files\SupportSoft_Amer_Motorola\bin\sdcidle.dll
    explorer.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    explorer.exe Global 5FFF10D0 WH_MOUSE C:\Program Files\SupportSoft_Amer_Motorola\bin\sdcidle.dll
    spoolsv.exe Global 000014C0 WH_KEYBOARD C:\WINDOWS\system32\spoolsv.exe
    spoolsv.exe Global 000010A0 WH_KEYBOARD C:\WINDOWS\system32\spoolsv.exe
    spoolsv.exe Global 00001580 WH_CBT C:\WINDOWS\system32\spoolsv.exe
    spoolsv.exe Global 000010D0 WH_MOUSE C:\WINDOWS\system32\spoolsv.exe
    aawservice.exe Global 000014C0 WH_KEYBOARD C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    aawservice.exe Global 000010A0 WH_KEYBOARD C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    aawservice.exe Global 00001580 WH_CBT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    aawservice.exe Global 000010D0 WH_MOUSE C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    NIAP_XRay_Syste Local 00431453 WH_MSGFILTER D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAP_XRay_System.exe
    NIAP_XRay_Syste Global 000014C0 WH_KEYBOARD D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAP_XRay_System.exe
    NIAP_XRay_Syste Global 5FFF10A0 WH_KEYBOARD C:\Program Files\SupportSoft_Amer_Motorola\bin\sdcidle.dll
    NIAP_XRay_Syste Local 0041EB20 WH_CBT D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAP_XRay_System.exe
    NIAP_XRay_Syste Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    NIAP_XRay_Syste Global 5FFF10D0 WH_MOUSE C:\Program Files\SupportSoft_Amer_Motorola\bin\sdcidle.dll
    Wuser32.exe Global 000014C0 WH_KEYBOARD C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    Wuser32.exe Global 000010A0 WH_KEYBOARD C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    Wuser32.exe Global 00001580 WH_CBT C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    Wuser32.exe Global 000010D0 WH_MOUSE C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    Vpatch.exe Global 000014C0 WH_KEYBOARD C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    Vpatch.exe Global 000010A0 WH_KEYBOARD C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    Vpatch.exe Global 00001580 WH_CBT C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    Vpatch.exe Global 000010D0 WH_MOUSE C:\Program Files\ISS\Proventia Desktop\vpatch.exe
    tgsrvc.exe Global 000014C0 WH_KEYBOARD C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
    tgsrvc.exe Global 000010A0 WH_KEYBOARD C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
    tgsrvc.exe Global 00001580 WH_CBT C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
    tgsrvc.exe Global 000010D0 WH_MOUSE C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
    sprtsvc.exe Global 000014C0 WH_KEYBOARD C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
    sprtsvc.exe Global 000010A0 WH_KEYBOARD C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
    sprtsvc.exe Global 00001580 WH_CBT C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
    sprtsvc.exe Global 000010D0 WH_MOUSE C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
    rapimgr.exe Global 000014C0 WH_KEYBOARD C:\PROGRA~1\MICROS~3\rapimgr.exe
    rapimgr.exe Global 000010A0 WH_KEYBOARD C:\PROGRA~1\MICROS~3\rapimgr.exe
    rapimgr.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
    rapimgr.exe Global 000010D0 WH_MOUSE C:\PROGRA~1\MICROS~3\rapimgr.exe
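A dump like the one above is long enough that it helps to triage it programmatically rather than by eye. The script below is an added example, not part of the original post and not the NIAP XRay tool's own code: it parses the "Kernel Module:" and "SSDT:" sections of the posted format and flags entries worth a closer look: drivers loaded from outside the OS or Program Files tree, SSDT indices past the service table limit, "original" addresses that are not kernel addresses, unresolved function names, and hooking drivers not yet attributed to an installed product. The sample input is a constructed excerpt copied from the log above; the XP SP2 service limit (0x11C), the kernel base (0x80000000 on the default 2 GB split), the system-directory list and the vendor allow-list are assumptions the analyst must confirm for the machine in question.

```python
"""Triage a NIAP XRay-style kernel dump: which SSDT hooks and drivers need a look?"""
import re
from dataclasses import dataclass

# Constructed sample, copied from the posted log and cut down to a few lines.
SAMPLE_LOG = r"""
Kernel Module:
EntryPoint | Module Base | Image Size | Module Path
806AC5CE 804D7000 00214500 ntoskrnl.exe \WINDOWS\system32\ntoskrnl.exe
F7608059 F75DF000 0002E000 ACPI.sys ACPI.sys
F46C6B70 F4674000 00058000 savrt.sys \??\C:\Program Files\Symantec AntiVirus\savrt.sys
B7C74F50 B7C72000 0000E000 NIAPMirrorSystem.sys \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys

SSDT:
ID | Current Function Address | Module Path | Source Function Address | Function Name
HOOK 00000025 B84F9C05 \SystemRoot\system32\drivers\isskboep.sys 8056FBF8 ZwCreateFile
HOOK 00000029 B8A80EA8 \SystemRoot\System32\drivers\RapDrv.sys 8056E7A9 ZwCreateKey
HOOK 0000011C B7C74530 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys D763C355 -----
HOOK 0000011D B7C74590 \??\D:\Profiles\MGI2890\Desktop\NIAP 0.5\NIAPMirrorSystem.sys 71318D8B -----
"""

# Assumptions (not from the post): XP SP2's native service table holds 0x11C
# entries; kernel code sits at or above 0x80000000 on the default 2 GB split;
# the allow-list is whatever the analyst has already tied to installed products.
XP_SP2_SERVICE_LIMIT = 0x11C
KERNEL_BASE = 0x80000000
KNOWN_VENDOR_DRIVERS = {"isskboep.sys", "rapdrv.sys", "symevent.sys", "savrt.sys"}
SYSTEM_DIRS = ("\\systemroot\\", "\\windows\\", "\\program files\\")

# "EntryPoint Base Size Name Path" (path may contain spaces, e.g. "NIAP 0.5").
KMOD_RE = re.compile(r"^([0-9A-F]{8})\s+([0-9A-F]{8})\s+([0-9A-F]{8})\s+(\S+)\s+(.+)$")
# "HOOK Index Handler ModulePath Original Name" (non-greedy path, same reason).
SSDT_RE = re.compile(r"^HOOK\s+([0-9A-F]{8})\s+([0-9A-F]{8})\s+(.+?)\s+([0-9A-F]{8})\s+(\S+)$")


@dataclass
class KernelModule:
    entry: int
    base: int
    size: int
    name: str
    path: str


@dataclass
class SsdtHook:
    index: int
    handler: int
    module: str
    original: int
    name: str


def parse_log(text):
    """Walk the dump section by section; return (modules, ssdt_hooks)."""
    modules, hooks, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):           # section headers: "Kernel Module:", "SSDT:", ...
            section = line[:-1]
            continue
        if section == "Kernel Module" and (m := KMOD_RE.match(line)):
            modules.append(KernelModule(int(m[1], 16), int(m[2], 16), int(m[3], 16), m[4], m[5]))
        elif section == "SSDT" and (m := SSDT_RE.match(line)):
            hooks.append(SsdtHook(int(m[1], 16), int(m[2], 16), m[3], int(m[4], 16), m[5]))
    return modules, hooks


def outside_system_dirs(path):
    """True for a resolved path that is not under the OS or Program Files tree.
    Bare names like 'ACPI.sys' (path not resolved by the tool) are not flagged."""
    p = path.lower()
    return "\\" in p and not any(d in p for d in SYSTEM_DIRS)


def triage_modules(modules):
    """Names of drivers loaded from an unexpected location."""
    return [m.name for m in modules if outside_system_dirs(m.path)]


def triage_hooks(hooks, service_limit=XP_SP2_SERVICE_LIMIT):
    """(hook, reasons) for every SSDT entry that fails at least one sanity check."""
    findings = []
    for h in hooks:
        reasons = []
        if h.index >= service_limit:
            reasons.append(f"index {h.index:#x} is at or past the service limit {service_limit:#x}")
        if h.original < KERNEL_BASE:
            reasons.append("'original' address is below the kernel base")
        if h.name == "-----":
            reasons.append("function name unresolved")
        if outside_system_dirs(h.module):
            reasons.append("hooking driver loaded from outside the OS/Program Files tree")
        if h.module.rsplit("\\", 1)[-1].lower() not in KNOWN_VENDOR_DRIVERS:
            reasons.append("hooking driver not on the vendor allow-list")
        if reasons:
            findings.append((h, reasons))
    return findings


if __name__ == "__main__":
    mods, hks = parse_log(SAMPLE_LOG)
    print("drivers outside system dirs:", triage_modules(mods))
    for hook, why in triage_hooks(hks):
        print(f"SSDT {hook.index:#06x} {hook.name:<14} {hook.module}")
        for r in why:
            print("    -", r)
```

Run against the excerpt, the only driver and the only hooks flagged belong to NIAPMirrorSystem.sys, which is the scanner's own driver running from the user's Desktop, so a location rule on its own is a prioritisation aid, not a verdict. The entries at indices 0x11C and up, with a dashed function name and "original" addresses that do not look like kernel code, are exactly what the service-limit and kernel-base checks exist to separate from real hooks of named functions such as ZwCreateFile; on XP SP2 the analyst should confirm the 0x11C limit against the running kernel before trusting that line of reasoning.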
