Yes that file is legit.
Please see link I gave you how to install recovery console manually, rerun combofix and post back a fresh combofix and a fresh hijackthis log afterwards.
Yes that file is legit.
Please see link I gave you how to install recovery console manually, rerun combofix and post back a fresh combofix and a fresh hijackthis log afterwards.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
ComboFix 09-03-10.03 - Jim 2009-03-12 21:50:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2009 [GMT -7:00]
Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jim\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.
2009-03-10 17:44 . 2009-03-10 17:45 132,096 --a------ c:\windows\oyananiy.dll
2009-03-10 16:26 . 2009-03-10 16:26 133,632 --a------ c:\windows\olimizuf.dll
2009-03-10 16:15 . 2009-03-10 16:15 123,392 --a------ C:\mfvse.exe
2009-03-10 16:15 . 2009-03-10 16:15 33,280 --a------ c:\program files\Common Files\bfyxdl.dll
2009-03-10 16:14 . 2009-03-12 21:55 110,958 --a------ c:\windows\system32\drivers\e55263f7.sys
2009-03-10 16:14 . 2009-03-10 16:14 31,744 --a------ C:\ucpdcu.exe
2009-03-10 16:14 . 2009-03-10 16:14 8,704 --a------ C:\yiar.exe
2009-03-10 16:14 . 2009-03-10 16:14 705 --a------ C:\cyieqw.exe
2009-03-10 16:14 . 2009-03-10 16:14 2 --a------ C:\537925202
2009-03-10 16:13 . 2009-03-10 16:13 41,984 --a------ c:\windows\Jmudukogevus.dll
2009-03-10 16:13 . 2009-03-10 16:13 41,984 --a------ C:\tcrnwc.exe
2009-03-10 16:13 . 2009-03-10 16:13 15,000 --a------ c:\windows\system32\kjr3iorojdnbfi43unjfd.dll
2009-03-10 16:13 . 2009-03-10 16:13 10,240 --a------ c:\windows\instsp1.exe
2009-03-09 17:39 . 2009-03-09 17:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-03-09 15:07 . 2009-03-09 15:07 <DIR> d-------- c:\program files\Trend Micro
2009-03-09 15:04 . 2009-03-09 15:05 <DIR> d-------- c:\program files\ERUNT
2009-02-18 14:56 . 2009-02-18 14:56 <DIR> d-------- c:\windows\PrimoPDF4
2009-02-18 14:56 . 2009-02-18 14:56 <DIR> d-------- c:\program files\activePDF
2009-02-18 14:56 . 2006-12-11 14:12 176,235 --a------ c:\windows\system32\Primomonnt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 04:55 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-13 04:52 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-03-12 23:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-12 23:16 --------- d-----w c:\program files\CyberLink
2009-03-10 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-07 20:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 07:12 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-04 02:45 --------- d-----w c:\program files\Trillian
2009-02-14 06:41 --------- d-----w c:\documents and settings\Jim\Application Data\HP
2009-02-13 06:43 --------- d-----w c:\documents and settings\Jim\Application Data\Move Networks
2009-02-12 10:04 --------- d-----w c:\program files\AskBarDis
2009-02-12 03:52 --------- d-----w c:\program files\HP
2009-02-12 03:52 --------- d-----w c:\program files\Common Files\HP
2009-02-12 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-02-12 03:50 --------- d-----w c:\program files\Hewlett-Packard
2009-02-12 03:49 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-02-10 08:50 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-02-03 01:50 --------- d-----w c:\program files\Audacity
2009-02-02 07:01 --------- d-----w c:\program files\GameSpy
2009-02-02 06:59 --------- d-----w c:\documents and settings\Jim\Application Data\InstallShield
2009-02-02 06:21 --------- d-----w c:\documents and settings\Jim\Application Data\My Games
2009-02-02 04:21 --------- d-----w c:\program files\7-Zip
2009-01-31 03:23 --------- d-----w c:\program files\QuickTime
2009-01-14 09:52 --------- d-----w c:\program files\Google
2009-01-14 08:19 --------- d-s---w c:\program files\Xfire
2009-01-14 08:19 --------- d-----w c:\documents and settings\Jim\Application Data\Xfire
2009-01-14 07:19 --------- d-----w c:\program files\Firaxis Games
2009-01-14 06:07 --------- d-----w c:\program files\HWiNFO32
2009-01-13 01:46 --------- d-----w c:\program files\FREE Hi-Q Recorder
.
((((((((((((((((((((((((((((( SnapShot@2009-03-11_14.48.21.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-10 23:14:35 104,960 -c--a-w c:\windows\system32\dllcache\userinit.exe
+ 2008-04-14 00:12:38 26,112 -c--a-w c:\windows\system32\dllcache\userinit.exe
- 2009-03-11 21:16:06 58,613 ----a-w c:\windows\system32\nvModes.dat
+ 2009-03-13 04:42:07 63,289 ----a-w c:\windows\system32\nvModes.dat
- 2009-03-10 23:14:35 104,960 ----a-w c:\windows\system32\userinit.exe
+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5bf40a2-94f3-42bd-f434-1604812c8955}]
2009-03-10 16:13 15000 --a------ c:\windows\system32\kjr3iorojdnbfi43unjfd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-05-04 237568]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-14 124656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Sjafiro"="c:\windows\Jmudukogevus.dll" [2009-03-10 41984]
"Jhakosita"="c:\windows\oyananiy.dll" [2009-03-10 132096]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"nwiz"="nwiz.exe" [2006-05-01 c:\windows\system32\nwiz.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
c:\documents and settings\Jim\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5BF40A2-94F3-42BD-F434-1604812C8955}"= "c:\windows\system32\kjr3iorojdnbfi43unjfd.dll" [2009-03-10 15000]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Documents and Settings\\Jim\\My Documents\\Games\\Inspiration v3\\Inspiration v3\\Inspiration v3.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Documents and Settings\\Jim\\My Documents\\Games\\Inspiration v3\\Inspiration v3\\Inspiration v3\\Inspiration v3.exe"=
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [2009-01-13 16616]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2009-02-26 101936]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [2006-03-08 77952]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [2006-03-08 77952]
S2 yciwaovpxez;yciwaovpxez;c:\windows\System32\svchost.exe -k netsvcs [2004-08-10 14336]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-06-14 115952]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
YciwAovpxez
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa1e3a16-dbf4-11dd-b1e4-0016cfd78dfb}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-muzivefawi - c:\windows\system32\pegeseyi.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hotmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\TEMP\ntdll64.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 21:53:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e55263f7]
"ImagePath"="\SystemRoot\System32\drivers\e55263f7.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\stacsv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-12 21:59:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-13 04:59:32
ComboFix2.txt 2009-03-11 21:49:16
Pre-Run: 38,661,582,848 bytes free
Post-Run: 38,646,734,848 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
224 --- E O F --- 2009-03-08 11:01:15
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:07 PM, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll - {c5bf40a2-94f3-42bd-f434-1604812c8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Sjafiro] rundll32.exe "C:\WINDOWS\Jmudukogevus.dll",e
O4 - HKLM\..\Run: [Jhakosita] rundll32.exe "C:\WINDOWS\oyananiy.dll",e
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175131989452
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://demo.rentmanager.com/msrdp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: klj3r93iorkemnfaja93riemef - {C5BF40A2-94F3-42BD-F434-1604812C8955} - C:\WINDOWS\system32\kjr3iorojdnbfi43unjfd.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9635 bytes
Please download gmer.zip from Gmer and save it to your desktop.
- Right click on gmer.zip and select Extract All....
- Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
- Click on the Browse button. Click on Desktop. Then click OK.
- Click Next. It will start extracting.
- Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
- When done, you may receive another notice. Click OK.
- Click on Save ... to save a log.
- Copy and paste in Gmer.txt and click Save.
- Close Gmer.
If you receive no notice, click on the Scan button.
- It will start scanning again.
- When done, click on Save ... to save a log.
- Copy and paste in Gmer.txt and click Save.
- Close Gmer.
Note: Do not run any programs while Gmer is running.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
Thank you so much for your help. I did not have word wrap on in notepad, but it is still on in this forum, I guess. Sorry about that.
I hope you can still read this.
GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-13 12:33:39
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT 8A722230 ZwAlertResumeThread
SSDT 8A724948 ZwAlertThread
SSDT 8A7C3B30 ZwAllocateVirtualMemory
SSDT 8A78C080 ZwConnectPort
SSDT \SystemRoot\System32\drivers\e55263f7.sys ZwCreateEvent [0xBA9B11AD] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\e55263f7.sys ZwCreateKey [0xBA9AF285] <-- ROOTKIT !!!
SSDT 8A8772B8 ZwCreateMutant
SSDT 8A7BECB8 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB70BDCC0] <-- ROOTKIT !!!
SSDT sptd.sys ZwEnumerateKey [0xBA6C5E2C] <-- ROOTKIT !!!
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C61BA] <-- ROOTKIT !!!
SSDT 8A6FD480 ZwFreeVirtualMemory
SSDT 8A70E908 ZwImpersonateAnonymousToken
SSDT 8A714220 ZwImpersonateThread
SSDT 8A72DB28 ZwMapViewOfSection
SSDT 8A901E68 ZwOpenEvent
SSDT \SystemRoot\System32\drivers\e55263f7.sys ZwOpenKey [0xBA9AF345] <-- ROOTKIT !!!
SSDT 8A6EF9C8 ZwOpenProcessToken
SSDT 8A6FC7F8 ZwOpenThreadToken
SSDT sptd.sys ZwQueryKey [0xBA6C6292] <-- ROOTKIT !!!
SSDT 8A7CAA50 ZwQueryValueKey
SSDT 8A643730 ZwResumeThread
SSDT 8A6FC648 ZwSetContextThread
SSDT 8A6FC8F0 ZwSetInformationProcess
SSDT 8A63F2A8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB70BDF20] <-- ROOTKIT !!!
SSDT 8A7F9288 ZwSuspendProcess
SSDT 8A6E40E8 ZwSuspendThread
SSDT 8A6EFB60 ZwTerminateProcess
SSDT 8A7EEBB0 ZwTerminateThread
SSDT 8A6FCA40 ZwUnmapViewOfSection
SSDT 8A7C3330 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2D28 805045C4 4 Bytes JMP D1AED039
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B996C8AC 5 Bytes JMP 8AB061C8
? System32\Drivers\a6h7nli8.SYS The system cannot find the path specified. !
? C:\WINDOWS\System32\drivers\e55263f7.sys The system cannot find the file specified.
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6C0AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6C0C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6C0B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6C1748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6C161E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D5ACA] sptd.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\wscntfy.exe[748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802D60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[748] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[784] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00392F10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[784] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00392D60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[784] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00392D20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\eHome\ehmsas.exe[784] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00392D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [03842F10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [03842D60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [03842D20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [03842D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dwwin.exe[2816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00CD2F10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dwwin.exe[2816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00CD2D60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dwwin.exe[2816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00CD2D20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dwwin.exe[2816] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00CD2D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dumprep.exe[3088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009C2F10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dumprep.exe[3088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009C2D60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dumprep.exe[3088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009C2D20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\dumprep.exe[3088] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009C2D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[3312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00992F10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[3312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00992D60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[3312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00992D20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[3312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00992D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jim\Desktop\gmer.exe[3380] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jim\Desktop\gmer.exe[3380] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802D60] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jim\Desktop\gmer.exe[3380] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jim\Desktop\gmer.exe[3380] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802D70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs e55263f7.sys
Device \FileSystem\Ntfs \Ntfs 8AB051E8
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Fastfat \FatCdrom 8A69B528
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip e55263f7.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\usbuhci \Device\USBPDO-0 8A8EA7A0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AB071E8
Device \Driver\dmio \Device\DmControl\DmConfig 8AB071E8
Device \Driver\dmio \Device\DmControl\DmPnP 8AB071E8
Device \Driver\dmio \Device\DmControl\DmInfo 8AB071E8
Device \Driver\usbuhci \Device\USBPDO-1 8A8EA7A0
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\drivers\e55263f7.sys (*** hidden *** ) [SYSTEM] e55263f7 <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\e55263f7@ImagePath \SystemRoot\System32\drivers\e55263f7.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\e55263f7@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\e55263f7@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\e55263f7@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\e55263f7@F96ZK6nPB YWR2YW50YXN0YXIudXM=
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0xFE 0x97 0xEC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x78 0xE2 0x78 0x89 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA7 0xF9 0x93 0xBB ...
Reg HKLM\SYSTEM\ControlSet003\Services\e55263f7@ImagePath \SystemRoot\System32\drivers\e55263f7.sys
Reg HKLM\SYSTEM\ControlSet003\Services\e55263f7@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\e55263f7@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\e55263f7@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\e55263f7@F96ZK6nPB YWR2YW50YXN0YXIudXM=
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0xFE 0x97 0xEC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x78 0xE2 0x78 0x89 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA7 0xF9 0x93 0xBB ...
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.15 ----
Never mind about the word wrap.
Download this and save it desktop. Doubleclick mbr.exe and post back its log, please.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
OK, that appears to be fine.
Open notepad and copy/paste the text in the codebox below into it:
Save this as "CFScript"Code:File:: c:\windows\oyananiy.dll c:\windows\olimizuf.dll C:\mfvse.exe c:\program files\Common Files\bfyxdl.dll c:\windows\system32\drivers\e55263f7.sys C:\ucpdcu.exe C:\yiar.exe C:\cyieqw.exe C:\537925202 c:\windows\Jmudukogevus.dll C:\tcrnwc.exe c:\windows\system32\kjr3iorojdnbfi43unjfd.dll c:\windows\instsp1.exe Driver:: yciwaovpxez e55263f7 DDS:: LSP: c:\windows\TEMP\ntdll64.dll
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
File::
c:\windows\oyananiy.dll
c:\windows\olimizuf.dll
C:\mfvse.exe
c:\program files\Common Files\bfyxdl.dll
c:\windows\system32\drivers\e55263f7.sys
C:\ucpdcu.exe
C:\yiar.exe
C:\cyieqw.exe
C:\537925202
c:\windows\Jmudukogevus.dll
C:\tcrnwc.exe
c:\windows\system32\kjr3iorojdnbfi43unjfd.dll
c:\windows\instsp1.exe
Driver::
yciwaovpxez
e55263f7
DDS::
LSP: c:\windows\TEMP\ntdll64.dll
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:37 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175131989452
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://demo.rentmanager.com/msrdp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (incdsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9932 bytes
You posted now contents of CFScript. Please post contents of combofix.txt
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006