Virtumonde

Denali · Apr 27, 2009

I have executed SpyBot S&D several times and allowed a reboot run also, still seems there are traces present.

Thanks,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:35 PM, on 4/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\KH1\Desktop\AnalyseHJ.exe
C:\xnev.exe
c:\lsass.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE6
O4 - HKLM\..\Run: [28386] C:\xnev.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.kendle.com/iNotes6W.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: hhyxpq.dll ,c:\progra~1\ThunMail\testabd.dll,
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7068 bytes

Shaba · Apr 27, 2009

Hi Denali

Please post next spybot report

Denali · Apr 27, 2009

Checks and Fixes Log

Thank you for your assistance.
I hope this is what you requested.

Checks:
27.04.2009 13:53:36 - ##### check started #####
27.04.2009 13:53:36 - ### Version: 1.6.2
27.04.2009 13:53:36 - ### Date: 4/27/2009 1:53:36 PM
27.04.2009 13:53:38 - ##### checking bots #####
27.04.2009 13:56:36 - found: Win32.Agent.icb Settings
27.04.2009 13:56:36 - found: Win32.Agent.icb Settings
27.04.2009 13:56:43 - found: Win32.Delf.uc Settings
27.04.2009 13:56:43 - found: Win32.Delf.uc Settings
27.04.2009 14:02:09 - ##### check finished #####
Fixes:
--- Report generated: 2009-04-27 14:02 ---

Win32.Agent.icb: [SBI $A0EF69BD] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\mid

Win32.Agent.icb: [SBI $9C8AB327] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\st

Win32.Delf.uc: [SBI $88B8013A] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe

Win32.Delf.uc: [SBI $14B30E85] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-04-09 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-03-25 Includes\Adware.sbi (*)
2009-04-21 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-03-31 Includes\Dialer.sbi (*)
2009-04-21 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-04-21 Includes\Hijackers.sbi (*)
2009-04-21 Includes\HijackersC.sbi (*)
2009-03-17 Includes\Keyloggers.sbi (*)
2009-04-21 Includes\KeyloggersC.sbi (*)
2009-04-07 Includes\Malware.sbi (*)
2009-04-21 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-03-31 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-04-21 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-04-21 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-04-21 Includes\Trojans.sbi (*)
2009-04-21 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Shaba · Apr 27, 2009

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)

Denali · Apr 27, 2009

RSIT Log.txt

Log.TXT
Logfile of random's system information tool 1.06 (written by random/random)
Run by KH1 at 2009-04-27 14:20:09
Microsoft Windows XP Professional Service Pack 2
System drive C: has 102 GB (67%) free of 153 GB
Total RAM: 2046 MB (73% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"3391"=C:\xnev.exe [2009-04-26 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP LaserJet Director.lnk - C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Documents and Settings\KH1\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="hhyxpq.dll ,c:\progra~1\ThunMail\testabd.dll, "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-03-22 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2008-10-17 87352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2005-04-17 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255
"ForceClassicControlPanel"=1
"NoResolveTrack"=1
"NoResolveSearch"=1
"NoSMConfigurePrograms"=1
"MemCheckBoxInRunDlg"=1
"NoSharedDocuments"=1
"NoActiveDesktop"=1
"NoStartMenuMFUprogramsList"=1
"NoInstrumentation"=1
"NoSMBalloonTip"=1
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"MemCheckBoxInRunDlg"=
"NoStartMenuPinnedList"=
"StartMenuFavorites"=
"Start_ShowHelp"=
"Start_ShowMyComputer"=
"Start_ShowMyDocs"=
"Start_ShowMyMusic"=
"Start_ShowMyPics"=
"Start_ShowNetConn"=
"Start_ShowPrinters"=
"Start_ShowRun"=
"Start_ShowSearch"=
"NoStartMenuMFUprogramsList"=
"ClassicViewState"=
"HideRunAsVerb"=
"ShowSuperHidden"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\Temp\oioyuiyryy43.exe"="C:\WINDOWS\Temp\oioyuiyryy43.exe:*:Enabled

ioyuiyryy43"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-04-27 14:20:10 ----D---- C:\Program Files\trend micro
2009-04-27 14:20:09 ----D---- C:\rsit
2009-04-27 10:46:13 ----A---- C:\Ntf4.tmp
2009-04-27 10:46:13 ----A---- C:\Ntf3.tmp
2009-04-26 18:16:53 ----A---- C:\Ntf2.tmp
2009-04-26 18:16:53 ----A---- C:\Ntf1.tmp
2009-04-26 15:23:00 ----D---- C:\WINDOWS\ERDNT
2009-04-26 15:22:21 ----D---- C:\Program Files\ERUNT
2009-04-25 14:49:11 ----A---- C:\lsass.exe
2009-04-25 13:30:12 ----RSHD---- C:\Program Files\ThunMail
2009-04-25 13:29:32 ----A---- C:\pdtivk.exe
2009-04-25 13:29:28 ----A---- C:\ffws.exe
2009-04-25 13:29:22 ----A---- C:\celkadaa.exe
2009-04-25 13:29:16 ----A---- C:\xnev.exe
2009-04-25 13:29:16 ----A---- C:\WINDOWS\system32\nvrsk.dll
2009-04-25 13:29:10 ----A---- C:\kggi.exe
2009-04-25 13:29:07 ----A---- C:\WINDOWS\system32\sjg9s8guigjs.dll
2009-04-25 13:29:03 ----H---- C:\WINDOWS\ld08.exe
2009-04-09 15:30:13 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-04-09 12:35:09 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-04-09 12:35:09 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-04-09 11:57:57 ----A---- C:\WINDOWS\syssvc.exe

======List of files/folders modified in the last 1 months======

2009-04-27 14:20:10 ----RD---- C:\Program Files
2009-04-27 13:54:18 ----D---- C:\WINDOWS\Prefetch
2009-04-27 13:42:19 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-04-27 13:37:32 ----D---- C:\WINDOWS\Temp
2009-04-27 10:46:54 ----D---- C:\Program Files\Symantec AntiVirus
2009-04-27 10:46:10 ----D---- C:\Program Files\LogMeIn
2009-04-26 18:13:51 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-26 18:09:20 ----D---- C:\WINDOWS
2009-04-26 15:46:55 ----D---- C:\WINDOWS\system32
2009-04-26 15:38:27 ----D---- C:\Program Files\Mozilla Firefox
2009-04-25 15:01:20 ----ASH---- C:\BOOT.INI
2009-04-25 15:01:20 ----A---- C:\WINDOWS\win.ini
2009-04-25 15:01:20 ----A---- C:\WINDOWS\system.ini
2009-04-25 14:47:23 ----D---- C:\WINDOWS\system32\drivers
2009-04-25 14:31:16 ----D---- C:\Root
2009-04-25 13:36:10 ----SHD---- C:\WINDOWS\Installer
2009-04-25 13:35:41 ----A---- C:\WINDOWS\OEWABLog.txt
2009-04-25 13:35:22 ----D---- C:\Documents and Settings\KH1\Application Data\Identities
2009-04-25 13:29:53 ----SD---- C:\WINDOWS\Tasks
2009-04-25 13:29:34 ----D---- C:\Documents and Settings\KH1\Application Data\uTorrent
2009-04-25 13:29:17 ----D---- C:\WINDOWS\system32\dllcache
2009-04-25 13:29:16 ----A---- C:\WINDOWS\system32\user32.DLL
2009-04-25 13:28:46 ----ASH---- C:\WINDOWS\system32\tibivapu.exe
2009-04-16 14:59:49 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-09 16:09:06 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-09 16:09:03 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-09 15:17:19 ----D---- C:\Program Files\RegVac Registry Cleaner
2009-04-09 12:58:45 ----SHD---- C:\System Volume Information
2009-04-09 12:58:45 ----D---- C:\WINDOWS\system32\Restore
2009-04-09 12:48:11 ----D---- C:\WINDOWS\security
2009-04-09 12:46:43 ----D---- C:\Documents and Settings\KH1\Application Data\SUPERAntiSpyware.com
2009-04-09 12:46:34 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-09 12:46:34 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-09 12:35:06 ----HD---- C:\WINDOWS\inf
2009-04-06 11:58:08 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2008-02-27 3840]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 SYMTDI;SYMTDI; \??\C:\WINDOWS\system32\Drivers\SYMTDI.SYS []
R1 wpsdrvnt;wpsdrvnt; \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys []
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2005-01-01 9728]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 wg3n;SyGate for NT, wg3n; C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys [2005-09-27 14944]
R2 wg4n;SyGate for NT, wg4n; C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys [2005-09-27 14944]
R2 wg5n;SyGate for NT, wg5n; C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys [2005-09-27 14944]
R2 wg6n;SyGate for NT, wg6n; C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys [2005-09-27 14944]
R3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys [2006-11-01 33280]
R3 amdtools;AMD Special Tools Driver; C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-07 29696]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-03-22 1034752]
R3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2004-08-03 207360]
R3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
R3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2005-01-01 26240]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 KeyMaestro;KeyMaestro; \??\C:\WINDOWS\system32\drivers\Maestro1.sys []
R3 LMImirr;LMImirr; C:\WINDOWS\system32\DRIVERS\LMImirr.sys [2007-04-17 10144]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090417.007\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090417.007\navex15.sys []
R3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2005-07-26 53376]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-04-14 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-04-14 13056]
R3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2005-07-26 415360]
R3 Pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\Pcouffin.sys [2009-02-19 47360]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2006-11-07 21760]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-11-03 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-11-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-11-03 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-07-26 3644032]
S3 AMDPCI;AMDPCI; C:\WINDOWS\system32\drivers\AMDPCI.sys []
S3 eraserutildrv10910;EraserUtilDrv10910; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys []
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2007-07-12 25544]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2008-09-15 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2008-09-15 22016]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 SYMREDRV;SYMREDRV; \??\C:\WINDOWS\system32\Drivers\SYMREDRV.SYS []
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2008-03-27 503008]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2006-11-03 73472]
S4 vsdatant;vsdatant; C:\WINDOWS\system32\drivers\vsdatant.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-11-03 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Ad-Aware 2007 Service; C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe [2007-10-29 587096]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-03-22 380928]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2005-04-08 185968]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2005-04-08 161392]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2005-04-17 19648]
R2 Diskeeper;Diskeeper; C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe [2006-10-04 913408]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-12 152984]
R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-17 116032]
R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2007-04-17 63040]
R2 SmcService;Sygate Personal Firewall Pro; C:\Program Files\Sygate\SPF\smc.exe [2005-09-27 2635472]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2005-04-17 1706176]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2007-02-05 320512]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2006-11-03 14336]
R3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-10-22 86016]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2005-03-22 536576]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2005-04-08 83568]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 57344]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-03 136120]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 90112]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-29 761856]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-23 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-12-10 373760]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-04-05 206552]
S3 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2005-03-30 992864]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 933888]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-29 143360]

-----------------EOF-----------------

Denali · Apr 27, 2009

RSIT Info.txt

info.txt logfile of random's system information tool 1.06 2009-04-27 14:20:12

======Uninstall list======

-->MsiExec.exe /I{219B0DA4-8F1A-499D-8795-4A07C632521E}
-->MsiExec.exe /I{644B991F-B109-4360-9DA3-40CDAD13961C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Ad-Aware 2007-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Ad-Aware SE Professional-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Alcohol 120%-->MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
AMD CPUInfo-->MsiExec.exe /X{6B619ED4-492F-4AD2-BCA7-563AFC938B0F}
AT&T Connect Participant-->c:\program filesinterwiseparticipant\interwise\participant\iwuninst.exe
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class

ISPLAY -clean
Atomic Clock Sync-->C:\PROGRA~1\ATOMIC~1\UNWISE.EXE C:\PROGRA~1\ATOMIC~1\INSTALL.LOG
AVI to VCD SVCD DVD Converter 1.7.6-->"C:\Program Files\AVI to VCD SVCD DVD Converter\unins000.exe"
Belarc Advisor 7.2-->"C:\PROGRA~1\Belarc\Advisor\Uninstall.exe" "C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG"
Brother P-touch Editor 4.2-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{003447F5-0058-4B77-9C1E-50488F77C4A7}
Canon CanoScan Toolbox 5.0-->"C:\Program Files\Canon\CanoScan Toolbox Ver5.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\CanoScan Toolbox Ver5.0\uninst.ini
CanoScan 4400F-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4803\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4803 /L0x0009
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CDRWIN-->C:\CDRWIN3\UNWISE.EXE C:\CDRWIN3\INSTALL.LOG
Classic Menu 3.x for Office 2007-->"C:\Program Files\Classic Menu for Office\unins000.exe"
CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
CloneDVD 3.9.1-->"C:\Program Files\CloneDVD\unins000.exe"
Continental Airlines Timetable-->MsiExec.exe /X{884ACC8E-FE0E-4CA7-AE93-08435BD5A0A9}
ConvertXtoDVD 3.3.4.106e-->"C:\Program Files\VSO\ConvertX\3\unins000.exe"
Diskeeper 2007 Pro Premier-->MsiExec.exe /X{B1D8CAE1-62E8-4259-8B57-1755629F71EC}
Disney-Pixar Ratatouille-->C:\Program Files\InstallShield Installation Information\{B94C6815-7BCC-4124-AC39-9208A06FFFA7}\setup.exe -runfromtemp -l0x0009 -removeonly
Dual-Core Optimizer-->MsiExec.exe /X{BCA02FAD-2C86-4C8C-A815-51C09F4E51FF}
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
FOX News Live Stream-->msiexec /qb /x {107CCB00-CDBB-95D7-556A-6A4E1CCA8973}
FOX News Live-->MsiExec.exe /I{107CCB00-CDBB-95D7-556A-6A4E1CCA8973}
Garmin MapSource-->MsiExec.exe /X{CF07A1C9-098F-47DD-99E0-B6558C33871B}
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Hamachi 1.0.2.2-->C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2-->"C:\Root\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915800)-->"C:\WINDOWS\$NtUninstallKB915800$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
HP LaserJet 2410/2420/2430-->C:\Program Files\Hewlett-Packard\hp LaserJet 2410 2420 2430\Installer\hpsetup.exe /x
HP LaserJet 2410/2420/2430-->msiexec /x{02C0BC1F-E273-4FA7-BF75-46ACF9650765}
hp LaserJet 3300 Uninstaller-->C:\Program Files\Hewlett-Packard\LaserJet 33xx\Uninstall\setup.exe uninst.ini
HP Printer Access Tool-->MsiExec.exe /X{D8DBCF67-C44C-4768-8112-9CADBAC390E6}
IrfanView (remove only)-->c:\Program Files\IrFanView\iv_uninstall.exe
Java 2 Runtime Environment, SE v1.4.2_04-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
KeyMaestro Input Device Driver V2.4.1-32A9 MUL-->C:\WINDOWS\system32\KmRemove.exe
K-Lite Mega Codec Pack 1.53-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
LiveUpdate 2.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
LogMeIn-->MsiExec.exe /I{3FEC3A5B-60FF-4626-B425-08E09B121A15}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapSource - US Rec Lakes with Fishing Hot Spots Central v5-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{A6B21A2C-9F04-4761-8E85-48BD9BE51E03} /l1033
MapSource-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Garmin\MapSource\Uninst.isu"
MapSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}\Setup.exe" -l0x9 AddRemove
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft English TTS Engine-->MsiExec.exe /I{94824ADD-8F26-43D2-84DB-22E11F377E5E}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft MapPoint North America 2009-->MsiExec.exe /I{C82185E8-C27B-4EF4-2009-1111BC2C2B6D}
Microsoft Office Access database engine 2007 (English)-->MsiExec.exe /I{90120000-00D1-0409-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Streets & Trips 2007-->MsiExec.exe /I{C82185E8-C27B-4EF4-2007-4444BC2C2B6D}
Microsoft User-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MozBackup 1.4.5-->"C:\Program Files\MozBackup\unins000.exe"
Mozilla Firefox (3.0.9)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
MultiMon TaskBar 2.1-->"C:\Program Files\MMTaskbar\unins000.exe"
Nero 7 Ultra Edition BASIC-->MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444445167}
Nokia Connectivity Cable Driver-->MsiExec.exe /X{15AC0C5D-A6FB-4CE2-8CD0-28179EEB5625}
Nokia Flashing Cable Driver-->MsiExec.exe /X{D99C322D-C21B-40C7-AE71-EE51AA096B6E}
Nokia Multimedia Factory-->MsiExec.exe /I{4CFB3821-1582-4F3B-BF8D-30986923B36B}
Nokia PC Suite-->C:\Documents and Settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Nokia_PC_Suite_rel_6_85_14_1_eng_us_web.exe
Nokia PC Suite-->MsiExec.exe /I{29466F9C-7C6A-419C-B301-F440FAF78760}
Nokia Software Updater-->MsiExec.exe /X{59367F7E-D7C1-4629-8AEC-71AA24A68F31}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuaudio.exe UninstallGUI
PC Connectivity Solution-->MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
Pirates of the Caribbean - At Worlds End-->C:\Program Files\InstallShield Installation Information\{01CBFCE7-95AD-40F3-BC63-C46EFB2FC9C4}\setup.exe -runfromtemp -l0x0009 Pirates of the Caribbean - At Worlds End -removeonly
PowerDesk 6-->MsiExec.exe /I{B93251B5-9209-4DAB-867C-AA98D91584CD}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
RegVac Registry Cleaner 5.01 (Registered Version)-->"C:\Program Files\RegVac Registry Cleaner\unins000.exe"
Shipping Assistant 3.4-->MsiExec.exe /X{15C77FC3-8137-4A5E-8F81-F559045DD6B0}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Stedman's Electronic Medical Dictionary 6.0-->C:\PROGRA~1\SEMD60\UNWISE32.EXE C:\PROGRA~1\SEMD60\INSTALL.LOG
Sygate Personal Firewall Pro-->MsiExec.exe /I{10B446B3-4DF4-4489-A168-8A98F7CD807E}
Symantec AntiVirus-->MsiExec.exe /I{5A633ED0-E5D7-4D65-AB8D-53ED43510284}
TTS Wrapper-->MsiExec.exe /I{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}
UltraISO Premium V8.2-->"C:\Program Files\UltraISO\unins000.exe"
Update for Outlook 2007 Junk Email Filter (kb943597)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A751F0DB-8476-4207-956E-20AEBBA4B1DA}
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Desktop Search 3.01-->"C:\WINDOWS\$NtUninstallKB917013$\spuninst\spuninst.exe"
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_1EB5F2E6F54A6BEDE9F436D1BA5D830FC71739BE\nokbtmdm.inf
Windows Driver Package - Nokia Modem (10/12/2007 3.6)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_0A5D98F754C6588B2E3DDE89DDEF097075ADFFB7\nokia_bluetooth.inf
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Support Tools-->MsiExec.exe /I{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

=====HijackThis Backups=====

O4 - HKLM\..\Run: [21262] C:\xnev.exe [2009-04-25]

======Hosts File======

127.0.0.1 jL.chura.pl
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======Security center information======

AV: Symantec AntiVirus Corporate Edition
FW: Sygate Personal Firewall Pro

======System event log======

Computer Name: NFORCE4
Event Code: 62465
Message: Bandwidth limitation. Overlay allocation failed

Record Number: 9811
Source Name: ati2mtag
Time Written: 20090117145022.000000-360
Event Type: warning
User:

Computer Name: NFORCE4
Event Code: 62465
Message: Bandwidth limitation. Overlay allocation failed

Record Number: 9809
Source Name: ati2mtag
Time Written: 20090117145022.000000-360
Event Type: warning
User:

Computer Name: NFORCE4
Event Code: 62465
Message: Bandwidth limitation. Overlay allocation failed

Record Number: 9807
Source Name: ati2mtag
Time Written: 20090117145022.000000-360
Event Type: warning
User:

Computer Name: NFORCE4
Event Code: 62465
Message: Bandwidth limitation. Overlay allocation failed

Record Number: 9805
Source Name: ati2mtag
Time Written: 20090117145022.000000-360
Event Type: warning
User:

Computer Name: NFORCE4
Event Code: 62465
Message: Bandwidth limitation. Overlay allocation failed

Record Number: 9803
Source Name: ati2mtag
Time Written: 20090117145022.000000-360
Event Type: warning
User:

=====Application event log=====

Computer Name: NFORCE4
Event Code: 46
Message:

Security Risk Found!Threat: Trojan Horse in File: E:\Progs\MEDIAC~1\POCKET~1.5B0\CRACK-~1.EXE by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Record Number: 2724
Source Name: Symantec AntiVirus
Time Written: 20090224125116.000000-360
Event Type: error
User:

Computer Name: NFORCE4
Event Code: 51
Message:

Security Risk Found!Threat: Trojan Horse in File: E:\Progs\mcd\Rootkits\RKUNHO~1.EXE by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Record Number: 2723
Source Name: Symantec AntiVirus
Time Written: 20090224124022.000000-360
Event Type: error
User:

Computer Name: NFORCE4
Event Code: 5
Message:

Threat Found!Threat: Trojan Horse in File: E:\Progs\mcd\Rootkits\RkUnhooker.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Record Number: 2722
Source Name: Symantec AntiVirus
Time Written: 20090224124022.000000-360
Event Type: error
User:

Computer Name: NFORCE4
Event Code: 46
Message:

Security Risk Found!Threat: Trojan Horse in File: E:\Progs\mcd\Rootkits\RKUNHO~1.EXE by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Record Number: 2721
Source Name: Symantec AntiVirus
Time Written: 20090224124022.000000-360
Event Type: error
User:

Computer Name: NFORCE4
Event Code: 51
Message:

Security Risk Found!Threat: Backdoor.Mosuck in File: E:\Progs\ADOBE_~1\ADOBE_~1.EXE by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.

Record Number: 2720
Source Name: Symantec AntiVirus
Time Written: 20090224121704.000000-360
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\PC Connectivity Solution\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Diskeeper Corporation\Diskeeper\;C:\Program Files\Support Tools\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 43 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=2b01
"NUMBER_OF_PROCESSORS"=2
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"DEVMGR_SHOW_DETAILS"=1
"DEVMGR_SHOW_NONPRESENT_DEVICES"=1

-----------------EOF-----------------

Shaba · Apr 27, 2009

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

c:\progra~1\ThunMail\testabd.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Denali · Apr 27, 2009

Jotti Results

Service load: 0% 100%

File: testabd.dll
Status: INFECTED/MALWARE
MD5: 77e297f6dc35936e0850955972135439
Packers detected: -

Scanner results
Scan taken on 27 Apr 2009 20:16:46 (GMT)
A-Squared Found Trojan.Win32.Agent2!IK
AntiVir Found TR/Agent2.IMR.1
ArcaVir Found Trojan.Agent.Cimr
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.PWS.Wsgame.11359
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Agent2.imr
Ikarus Found Trojan.Win32.Agent2
Kaspersky Anti-Virus Found Trojan.Win32.Agent2.imr
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Denali · Apr 27, 2009

VirusTotal Results

File 000027591_testabd.dll received on 04.27.2009 11:44:20 (CET)
Current status: finished

Result: 10/40 (25.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.27 -
AhnLab-V3 5.0.0.2 2009.04.27 Win-Trojan/OnlineGameHack.28672.WH
AntiVir 7.9.0.156 2009.04.27 TR/Agent2.IMR.1
Antiy-AVL 2.0.3.1 2009.04.27 -
Authentium 5.1.2.4 2009.04.26 -
Avast 4.8.1335.0 2009.04.26 -
AVG 8.5.0.287 2009.04.27 -
BitDefender 7.2 2009.04.27 -
CAT-QuickHeal 10.00 2009.04.27 -
ClamAV 0.94.1 2009.04.27 -
Comodo 1137 2009.04.27 -
DrWeb 4.44.0.09170 2009.04.27 Trojan.PWS.Wsgame.11359
eSafe 7.0.17.0 2009.04.23 -
eTrust-Vet 31.6.6475 2009.04.24 -
F-Prot 4.4.4.56 2009.04.26 -
F-Secure 8.0.14470.0 2009.04.27 Trojan.Win32.Agent2.imr
Fortinet 3.117.0.0 2009.04.27 -
GData 19 2009.04.27 -
Ikarus T3.1.1.49.0 2009.04.27 -
K7AntiVirus 7.10.716 2009.04.25 -
Kaspersky 7.0.0.125 2009.04.27 Trojan.Win32.Agent2.imr
McAfee 5597 2009.04.26 -
McAfee+Artemis 5597 2009.04.26 Generic!Artemis
McAfee-GW-Edition 6.7.6 2009.04.27 Trojan.Agent2.IMR.1
Microsoft 1.4602 2009.04.27 -
NOD32 4036 2009.04.27 -
Norman 6.00.06 2009.04.24 -
nProtect 2009.1.8.0 2009.04.27 -
Panda 10.0.0.14 2009.04.26 Suspicious file
PCTools 4.4.2.0 2009.04.26 -
Prevx1 3.0 2009.04.27 High Risk Worm
Rising 21.27.02.00 2009.04.27 Trojan.PSW.Win32.GameOL.xzy
Sophos 4.41.0 2009.04.27 -
Sunbelt 3.2.1858.2 2009.04.24 -
Symantec 1.4.4.12 2009.04.27 -
TheHacker 6.3.4.1.315 2009.04.27 -
TrendMicro 8.700.0.1004 2009.04.27 -
VBA32 3.12.10.3 2009.04.27 -
ViRobot 2009.4.27.1710 2009.04.27 -
VirusBuster 4.6.5.0 2009.04.26 -
Additional information
File size: 28672 bytes
MD5...: 77e297f6dc35936e0850955972135439
SHA1..: 3211e494a4c4090f3c6781985f0f62cf45d10764
SHA256: 530cf8f327bb888d80b339736953a5bb1465aeaed79e230ab16d95802555d33e
SHA512: 2294f33e7c5fc2b83443a894576226a3896054bd4a80fdf03a25df32cfe30869
9f1cafa7161407fa338f83fd37b90f63fdd3e2a5eb84bae18e8e2508e3da8599
ssdeep: 384:SL048PXk5tqbal8Gey7C1ygju2LQLnhs2j:s04QUyqeL1ygjuCUhv

PEiD..: Armadillo v1.xx - v2.xx
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3467
timedatestamp.....: 0x49f15512 (Fri Apr 24 05:58:42 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2510 0x3000 5.41 d301f9f14a35a473e456e32b77621e8f
.rdata 0x4000 0x396 0x1000 1.49 8c16c58a5192181a28f23ca4a69eb280
.data 0x5000 0x514 0x1000 1.11 c2fd2ee84339422c1ac3ba3b5ed4a4df
.reloc 0x6000 0x58e 0x1000 2.98 7acf6f2f9a57905e3666b4d781c9e180

( 3 imports )
> MSVCRT.dll: free, _initterm, malloc, _adjust_fdiv, strrchr, _itoa, _strlwr, fopen, fseek, ftell, fread, fclose, strstr, strchr, strncpy, __2@YAPAXI@Z, sprintf, __3@YAXPAX@Z
> USER32.dll: EnumWindows, EnumChildWindows, GetWindowThreadProcessId, GetWindowLongA, GetWindowTextA, GetClassNameA
> KERNEL32.dll: IsBadReadPtr, lstrcatA, MultiByteToWideChar, WideCharToMultiByte, CreateThread, LoadLibraryA, Sleep, GetCurrentProcessId, VirtualAllocEx, GetModuleHandleA, GetModuleFileNameA

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set
-

Shaba · Apr 28, 2009

Thank you.

Please tell what other files are in c:\progra~1\ThunMail folder.

Denali · Apr 28, 2009

ThunMail folder

Sir,

There are no other files in this folder, and I did check for hidden files also.

Thank you.

Shaba · Apr 28, 2009

Thanks for infomation.

Let's check this next:

Please go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Denali · Apr 28, 2009

Limited internet access

Something has affected the DNS on that machine, I cannot connect to many of the security web sites. I cannot connect to Kaspersky, Spybot, Symantec, etc..

Also, Symantec has repeatedly alerted on Trojan - VRTA.tmp.

Shaba · Apr 28, 2009

Download gmer.zip and save to your desktop.
alternate download site

Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE"

Important! Please do not select the "Show all" checkbox during the scan..

Denali · Apr 28, 2009

GMER.txt

Sorry for the delay, lots of files to scan and it did crash once.

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-28 12:51:59
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.15 ----

.text tcpip.sys!IPTransmit + 10FC A80FDD3A 6 Bytes CALL BA583FB0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2850 A80FF48E 6 Bytes CALL BA583FB0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!ARPRcv + 5029 A81044DC 6 Bytes CALL BA583FB0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B7C483FD 7 Bytes CALL BA584100 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[216] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\svchost.exe[216] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\svchost.exe[216] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\svchost.exe[216] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\svchost.exe[216] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\svchost.exe[216] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[224] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[224] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[224] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[224] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[224] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[224] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\SearchIndexer.exe[428] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\SearchIndexer.exe[428] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\SearchIndexer.exe[428] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\SearchIndexer.exe[428] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\SearchIndexer.exe[428] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\SearchIndexer.exe[428] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\SearchIndexer.exe[428] kernel32.dll!WriteFile 7C810D87 7 Bytes JMP 00C41B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[552] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[552] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[552] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[552] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[552] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[552] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\System32\alg.exe[684] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\System32\alg.exe[684] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\System32\alg.exe[684] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\System32\alg.exe[684] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\System32\alg.exe[684] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\System32\alg.exe[684] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\winlogon.exe[724] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\winlogon.exe[724] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\winlogon.exe[724] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\winlogon.exe[724] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\winlogon.exe[724] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\winlogon.exe[724] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF94751
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF947E0
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF947ED
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FF94A67
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF947D6
.text C:\WINDOWS\system32\lsass.exe[784] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9482E
.text C:\WINDOWS\system32\Ati2evxx.exe[932] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\Ati2evxx.exe[932] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\Ati2evxx.exe[932] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\Ati2evxx.exe[932] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\Ati2evxx.exe[932] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\Ati2evxx.exe[932] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1388] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1388] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1388] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1388] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1388] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1388] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1444] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1444] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1444] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1444] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1444] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1444] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1548] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1548] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1548] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1548] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1548] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1548] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1744] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1744] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1744] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1744] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1744] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1744] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1764] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1764] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1764] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1764] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1764] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1764] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1788] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\Java\jre6\bin\jqs.exe[1788] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1788] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\Java\jre6\bin\jqs.exe[1788] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\Java\jre6\bin\jqs.exe[1788] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\Java\jre6\bin\jqs.exe[1788] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[1828] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[1828] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[1828] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[1828] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[1828] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[1828] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1876] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1876] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1876] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1876] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1876] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1876] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1908] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1908] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1908] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1908] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1908] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[1908] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\mnmsrvc.exe[1920] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\mnmsrvc.exe[1920] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\mnmsrvc.exe[1920] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\mnmsrvc.exe[1920] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\mnmsrvc.exe[1920] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\mnmsrvc.exe[1920] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\Sygate\SPF\smc.exe[1952] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\Sygate\SPF\smc.exe[1952] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\Sygate\SPF\smc.exe[1952] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\Sygate\SPF\smc.exe[1952] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\Sygate\SPF\smc.exe[1952] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\Sygate\SPF\smc.exe[1952] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\rundll32.exe[1964] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\rundll32.exe[1964] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\rundll32.exe[1964] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\rundll32.exe[1964] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\rundll32.exe[1964] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\rundll32.exe[1964] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text c:\gmer\gmer.exe[2060] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text c:\gmer\gmer.exe[2060] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text c:\gmer\gmer.exe[2060] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text c:\gmer\gmer.exe[2060] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text c:\gmer\gmer.exe[2060] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text c:\gmer\gmer.exe[2060] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\Ati2evxx.exe[2896] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\Ati2evxx.exe[2896] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\Ati2evxx.exe[2896] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\Ati2evxx.exe[2896] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\Ati2evxx.exe[2896] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\Ati2evxx.exe[2896] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\wscntfy.exe[2984] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\wscntfy.exe[2984] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\wscntfy.exe[2984] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\wscntfy.exe[2984] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\wscntfy.exe[2984] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\wscntfy.exe[2984] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\Explorer.EXE[3048] Explorer.EXE 0101E26B 4 Bytes [FF, 15, 98, 10]
.text C:\WINDOWS\Explorer.EXE[3048] C:\WINDOWS\Explorer.EXE section is writeable [0x01001000, 0x44689, 0xE0000060]
.reloc C:\WINDOWS\Explorer.EXE[3048] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE0000040]
.text C:\WINDOWS\Explorer.EXE[3048] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\Explorer.EXE[3048] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\Explorer.EXE[3048] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\Explorer.EXE[3048] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\Explorer.EXE[3048] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\Explorer.EXE[3048] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe[3272] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe[3272] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe[3272] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe[3272] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe[3272] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe[3272] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\Program Files\MMTaskbar\MultiMon.exe[3280] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\Program Files\MMTaskbar\MultiMon.exe[3280] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\Program Files\MMTaskbar\MultiMon.exe[3280] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\Program Files\MMTaskbar\MultiMon.exe[3280] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\Program Files\MMTaskbar\MultiMon.exe[3280] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\Program Files\MMTaskbar\MultiMon.exe[3280] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E
.text C:\WINDOWS\system32\HPZipm12.exe[3460] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA4751
.text C:\WINDOWS\system32\HPZipm12.exe[3460] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA47E0
.text C:\WINDOWS\system32\HPZipm12.exe[3460] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA47ED
.text C:\WINDOWS\system32\HPZipm12.exe[3460] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4A67
.text C:\WINDOWS\system32\HPZipm12.exe[3460] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA47D6
.text C:\WINDOWS\system32\HPZipm12.exe[3460] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA482E

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA584DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA584D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA584C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA584A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA584A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA584D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA584DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA584C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA584C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA584A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA584D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA584DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA584A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA584DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA584D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA584C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA584DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA584D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA584A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA584C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA584A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA584D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA584DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA584A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA584C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA584DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA584D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs Null.SYS
Device \FileSystem\Ntfs \Ntfs 89D42818

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \FatCdrom 897F0170

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Null.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Null.SYS

Device \Driver\Cdrom \Device\CdRom0 897341D0
Device \FileSystem\Rdbss \Device\FsWrap 8984EB98
Device \Driver\Cdrom \Device\CdRom1 897341D0
Device \Driver\nvatabus \Device\00000085 89808F00
Device \Driver\nvatabus \Device\00000086 89808F00
Device \Driver\nvatabus \Device\00000087 89808F00
Device \FileSystem\Srv \Device\LanmanServer 8984DFB0
Device \Driver\nvatabus \Device\00000088 89808F00

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Null.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp Null.SYS

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8984EDF8
Device \Driver\SYMTDI \Device\SymTDI wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\SYMTDI \Device\SymTDI Null.SYS
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8984EDF8
Device \Driver\nvatabus \Device\NvAta2 89808F00
Device \FileSystem\Npfs \Device\NamedPipe 899CC0D8
Device \FileSystem\Msfs \Device\Mailslot 8991E0D8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 89716288
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 89716288
Device \FileSystem\Fastfat \Fat 897F0170

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 898B5130
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 898B5130
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 898B5130
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 898B5130
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 898B5130
Device \FileSystem\Cdfs \Cdfs 89868120

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes

---- EOF - GMER 1.0.15 ----

Shaba · Apr 28, 2009

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Denali · Apr 28, 2009

ComboFix Error

I downloaded ComboFix on a clean PC and copied it to a flash drive. Copied the file from the flash drive to infected PC desktop. Disabled all AV software. Got this warning.

!!ALERT !! It is NOT SAFE to continue!
The contents of the ComboFix package has been compromised.
Please download a fresh copy from:

URL

Note: You may be infected with a file patching virus (Virut)

Shaba · Apr 28, 2009

Yes I was afraid of that before due to symptoms.

You have virut which is file infector and able to infect all exe files.

Only sensible solution is reformatting as it is not curable in most cases.

You can backup all files except the ones with .exe, .scr, .htm and .html.

If you need help with that, let me know.

Denali · Apr 28, 2009

Virut

I have a home network with many PC and many many hard drives. It infected PC has 6 hard drives in it. Are my other PCs and other drives at risk?

Currently have the infected PC isolated with no connection to the network or internet.

I certainly appreciate all your help

Shaba · Apr 28, 2009

Virut can spread at least using USB sticks. I recommend that you check other computers in a way that if they can access security sites first.

Virtumonde

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus