
Author Topic: GMER shows rootkit in registry but cannot delete???  (Read 19307 times)


soilsenasuil

    Topic Starter


    Rookie

    GMER shows rootkit in registry but cannot delete???
    « on: July 16, 2009, 06:23:52 PM »
    Hi, GMER found the rootkit UACd.sys in the registry but I can only manipulate the keys; it will not let me delete any of them within GMER... and I can see them in the registry when I regedit but only the files under the control sets, not the whole tree... can I delete them manually and hope it deletes all information in the registry, or should I allow another software to remove them?  It will not let me delete the UACd.sys file either, but it is still hidden on my drive so I cannot do it manually.

    Also I am finally able to get back in to my disk manager viewer and it shows 4 drives: C, D (backup) and two others with no name... is this seen after an attack of this sort?  I have never seen this before I was infected and I do not know what these drives are... also it does not show my DVD drive.... thank you

    mroilfield



      Mentor
    Re: GMER shows rootkit in registry but cannot delete???
    « Reply #1 on: July 17, 2009, 09:51:49 AM »
    Welcome to the forum.

    You need to follow the below link, run the scans, and post the requested logs. Then a specialist will be along to help you.

    http://www.computerhope.com/forum/index.php/topic,46313.0.html


    Once you have posted the logs please be patient as the specialists are all volunteers. They usually work from the oldest post to the newest, so try not to bump your post if you can help it, as it will only delay the amount of time it takes for the specialist to look at it.
    You can't fix Stupid!!!

    soilsenasuil

      Topic Starter


      Rookie

      Re: GMER shows rootkit in registry but cannot delete???
      « Reply #2 on: July 17, 2009, 02:47:18 PM »
      Hi, I am posting logs I have generated.  I was infected with "security system" "trojan.tdss?" "UACd.sys"..... All anti-virus/malware programs have supposedly captured all malware and viruses, but I ran COMBOFIX yesterday evening and it seemed to find more. I still find some leftover keys in my registry that will not delete manually, so I do not know if everything has been deleted or not.  I have attached a screen capture of the registry.  Thank you.


      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 07/17/2009 at 03:16 PM

      Application Version : 4.26.1006

      Core Rules Database Version : 4002
      Trace Rules Database Version: 1942

      Scan type       : Complete Scan
      Total Scan Time : 01:31:37

      Memory items scanned      : 897
      Memory threats detected   : 0
      Registry items scanned    : 7057
      Registry threats detected : 0
      File items scanned        : 109362
      File threats detected     : 0




      MALWAREBYTES LOG

      Malwarebytes' Anti-Malware 1.39
      Database version: 2421
      Windows 5.1.2600 Service Pack 2

      7/17/2009 3:30:57 PM
      mbam-log-2009-07-17 (15-30-57).txt

      Scan type: Quick Scan
      Objects scanned: 97252
      Time elapsed: 4 minute(s), 42 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)



      OLD LOG

      Malwarebytes' Anti-Malware 1.38
      Database version: 2411
      Windows 5.1.2600 Service Pack 2

      7/11/2009 9:02:12 PM
      mbam-log-2009-07-11 (21-02-12).txt

      Scan type: Full Scan (C:\|D:\|)
      Objects scanned: 224386
      Time elapsed: 30 minute(s), 56 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 2
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 8

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      [attachment deleted by admin]

      soilsenasuil

        Topic Starter


        Rookie

        Re: GMER shows rootkit in registry but cannot delete???
        « Reply #3 on: July 17, 2009, 02:47:47 PM »
        HIJACK THIS LOG

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 4:13:40 PM, on 7/17/2009
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
        C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
        C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Embarq Online Security 8\Anti-Virus\fsgk32st.exe
        C:\Program Files\Embarq Online Security 8\Common\FSMA32.EXE
        C:\Program Files\Embarq Online Security 8\Anti-Virus\FSGK32.EXE
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Embarq Online Security 8\Common\FSMB32.EXE
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
        C:\WINDOWS\system32\srvany.exe
        C:\pvsw\bin\w3dbsmgr.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
        C:\Program Files\Dell Support Center\bin\sprtsvc.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Embarq Online Security 8\Common\FCH32.EXE
        C:\Program Files\Embarq Online Security 8\Anti-Virus\fsqh.exe
        C:\Program Files\Embarq Online Security 8\Common\FAMEH32.EXE
        C:\Program Files\Embarq Online Security 8\FSPC\fspc.exe
        C:\Program Files\Embarq Online Security 8\FSAUA\program\fsaua.exe
        C:\Program Files\Embarq Online Security 8\Anti-Virus\fssm32.exe
        C:\Program Files\Embarq Online Security 8\FWES\Program\fsdfwd.exe
        C:\Program Files\Embarq Online Security 8\FSAUA\program\fsus.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
        C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
        C:\Program Files\Dell\QuickSet\quickset.exe
        C:\Program Files\Embarq Online Security 8\Anti-Virus\fsav32.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        C:\Program Files\Dell\Media Experience\PCMService.exe
        C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
        C:\WINDOWS\system32\dla\tfswctrl.exe
        C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
        C:\Program Files\Common Files\Real\Update_OB\realsched.exe
        C:\Program Files\QuickTime\QTTask.exe
        C:\Program Files\Dell Support Center\bin\sprtcmd.exe
        C:\Program Files\Embarq Online Security 8\Common\FSM32.EXE
        C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
        C:\WINDOWS\stsystra.exe
        C:\Program Files\Embarq Online Security 8\FSGUI\fsguidll.exe
        C:\Program Files\NetWaiting\netWaiting.exe
        C:\Program Files\Microsoft Money\System\mnyexpr.exe
        C:\Program Files\DellSupport\DSAgnt.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        C:\Program Files\Digital Line Detect\DLG.exe
        C:\Program Files\Palm\Hotsync.exe
        C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
        C:\Program Files\Dell Support Center\gs_agent\dsc.exe
        C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        C:\Program Files\Mozilla Firefox\firefox.exe
        C:\Program Files\Trend Micro\HijackThis\Hunter.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT1978305
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
        R3 - URLSearchHook: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
        O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
        O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
        O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
        O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
        O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
        O2 - BHO: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
        O3 - Toolbar: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
        O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
        O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
        O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
        O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
        O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
        O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
        O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
        O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
        O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
        O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
        O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
        O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
        O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
        O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Embarq Online Security 8\Common\FSM32.EXE" /splash
        O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Embarq Online Security 8\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
        O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
        O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
        O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
        O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
        O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
        O4 - Global Startup: Digital Line Detect.lnk = ?
        O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
        O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Embarq Online Security 8\FSPC\fspcmsie.dll
        O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Embarq Online Security 8\FSPC\fspcmsie.dll
        O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Embarq Online Security 8\FSPC\fspcmsie.dll
        O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
        O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
        O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
        O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.bartholomewco.com/mgaxctrl.cab
        O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://content.embarq.synacor.com/gigantes/embarq/support/OnlineScanner/fscax.cab
        O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
        O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
        O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
        O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Embarq Online Security 8\Anti-Virus\fsgk32st.exe
        O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Embarq Online Security 8\FSAUA\program\fsaua.exe
        O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Embarq Online Security 8\FWES\Program\fsdfwd.exe
        O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Embarq Online Security 8\Common\FSMA32.EXE
        O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Embarq Online Security 8\ORSP Client\fsorsp.exe
        O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
        O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
        O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
        O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
        O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
        O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

        --
        End of file - 13997 bytes
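A small triage pass over HijackThis entries of the kind posted above, as an added example (not code from this thread, from Trend Micro, or from the forum's helpers): it flags the lines a reviewer would check first, such as the ProxyServer entry pointing at 127.0.0.1 and the BHO with "(no file)", and deletes nothing. The allow-list of Microsoft hosts and the rule wording are assumptions of this example, not HijackThis' own logic.

```python
"""Heuristic triage of HijackThis log lines (added example, not code from this
thread, from Trend Micro or from the forum's specialists).  It only ranks
entries for a human reviewer and deletes nothing."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every entry looks like "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
_ENTRY = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")

# Hosts a stock Internet Explorer install points its start/search pages at
# (assumed allow-list for this example).
_KNOWN_GOOD_HOSTS = {"go.microsoft.com", "v4.windowsupdate.microsoft.com", "www.msn.com"}


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section, e.g. "R1" or "O23"
    reason: str  # why a reviewer should look at this entry
    line: str    # the original log line


def _host_of(url: str) -> str:
    """Host part of a URL or host:port string, lower-cased ('' if none)."""
    m = re.match(r"(?:https?://)?([^/:?\s]+)", url.strip())
    return m.group(1).lower() if m else ""


def _run_target(body: str) -> str:
    """Command of an O4 entry: text after '[name] ', or after ' = ' for .lnk lines."""
    if "] " in body:
        return body.split("] ", 1)[1].strip().strip('"')
    if " = " in body:
        return body.split(" = ", 1)[1].strip()
    return body


def check_entry(line: str) -> Optional[Finding]:
    """Apply the review rules to one log line; None means nothing to report."""
    line = line.strip()
    m = _ENTRY.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if key.endswith("ProxyServer") and _host_of(value) in ("127.0.0.1", "localhost"):
            return Finding(code, "browser proxy points at a local listener; identify the program on that port", line)
        if key.endswith("AutoConfigURL"):
            return Finding(code, "proxy auto-config URL is set; confirm it was configured deliberately", line)
        if value and _host_of(value) not in _KNOWN_GOOD_HOSTS:
            return Finding(code, "start/search page is not a Microsoft default; check for a hijack or toolbar", line)
        return None

    if code in ("O2", "O3", "O9") and body.endswith(("(no file)", "(file missing)")):
        return Finding(code, "orphaned entry whose target is gone; harmless, but cleanable", line)

    if code == "O4":
        target = _run_target(body)
        if target == "?" or "\\" not in target.split(" ", 1)[0]:
            return Finding(code, "autorun target has no full path; verify which file actually loads", line)
        return None

    if code == "O16":
        return Finding(code, "downloaded ActiveX control (DPF); remove unless the site is still needed", line)

    if code == "O23" and "Unknown owner" in body:
        return Finding(code, "service binary carries no publisher name; verify the file on disk", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_entry over every line of a log and keep the hits, in log order."""
    return [f for f in (check_entry(l) for l in log_text.splitlines()) if f]


# Sample input: a dozen lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT1978305
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.bartholomewco.com/mgaxctrl.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```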

        soilsenasuil

          Topic Starter


          Rookie

          Re: GMER shows rootkit in registry but cannot delete???
          « Reply #4 on: July 17, 2009, 02:49:05 PM »
          GMER LOG

          GMER 1.0.15.14972 - http://www.gmer.net
          Rootkit scan 2009-07-16 16:20:42
          Windows 5.1.2600 Service Pack 2


          ---- System - GMER 1.0.15 ----

          INT 0x62        ?                                                                                                                                                         8A651BF8
          INT 0x82        ?                                                                                                                                                         8A651BF8
          INT 0x84        ?                                                                                                                                                         8A5E2BF8
          INT 0x94        ?                                                                                                                                                         8A5E2BF8
          INT 0xB4        ?                                                                                                                                                         8A5E2BF8

          Code            8A3A3948                                                                                                                                                  ZwEnumerateKey
          Code            8A1443A0                                                                                                                                                  ZwFlushInstructionCache
          Code            fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)                                                                                          IoCreateDevice
          Code            8A217076                                                                                                                                                  IofCallDriver
          Code            8A21B8DE                                                                                                                                                  IofCompleteRequest

          ---- Kernel code sections - GMER 1.0.15 ----

          .text           ntkrnlpa.exe!IofCallDriver                                                                                                                                804EF1A0 5 Bytes  JMP 8A21707B
          .text           ntkrnlpa.exe!IofCompleteRequest                                                                                                                           804EF230 5 Bytes  JMP 8A21B8E3
          PAGE            ntkrnlpa.exe!IoCreateDevice                                                                                                                               80574830 5 Bytes  JMP B9D01FA8 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGE            ntkrnlpa.exe!ZwFlushInstructionCache                                                                                                                      805B5642 5 Bytes  JMP 8A1443A4
          PAGE            ntkrnlpa.exe!ZwEnumerateKey                                                                                                                               80622DE0 5 Bytes  JMP 8A3A394C
          ?               spdi.sys                                                                                                                                                  The system cannot find the file specified. !
          PAGENPNP        NDIS.SYS!NdisRegisterProtocol                                                                                                                             B9CD217D 5 Bytes  JMP B9D01DBA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENPNP        NDIS.SYS!NdisOpenAdapter                                                                                                                                  B9CD2397 5 Bytes  JMP B9D02342 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENPNP        NDIS.SYS!NdisCloseAdapter                                                                                                                                 B9CDC61E 5 Bytes  JMP B9D01EC6 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENPNP        NDIS.SYS!NdisDeregisterProtocol                                                                                                                           B9CDC7FD 5 Bytes  JMP B9D0215E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENDSP        NDIS.SYS!NdisReturnPackets                                                                                                                                B9CDF800 5 Bytes  JMP B9D02BF4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENDSP        NDIS.SYS!NdisRequest                                                                                                                                      B9CDF96B 5 Bytes  JMP B9D0255A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENDSP        NDIS.SYS!NdisSend                                                                                                                                         B9CE2977 5 Bytes  JMP B9D03574 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENDSP        NDIS.SYS!NdisSendPackets                                                                                                                                  B9CE2994 5 Bytes  JMP B9D03646 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENDSP        NDIS.SYS!NdisTransferData                                                                                                                                 B9CE29AF 5 Bytes  JMP B9D02CF2 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENDCO        NDIS.SYS!NdisCoCreateVc                                                                                                                                   B9CE929F 5 Bytes  JMP B9D01E24 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENDCO        NDIS.SYS!NdisCoDeleteVc                                                                                                                                   B9CEA670 5 Bytes  JMP B9D01E92 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          PAGENDCO        NDIS.SYS!NdisCoSendPackets                                                                                                                                B9CEAC0A 5 Bytes  JMP B9D0335E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
          .text           USBPORT.SYS!DllUnload                                                                                                                                     B992362C 5 Bytes  JMP 8A5E21D8

          ---- User code sections - GMER 1.0.15 ----

          .text           C:\WINDOWS\system32\svchost.exe[196] ntdll.dll!LdrLoadDll                                                                                                 7C915CD3 5 Bytes  JMP 0074000A
          .text           C:\WINDOWS\System32\svchost.exe[352] ntdll.dll!LdrLoadDll                                                                                                 7C915CD3 5 Bytes  JMP 0074000A
          .text           C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[424] ntdll.dll!LdrLoadDll                                                                                 7C915CD3 5 Bytes  JMP 003C000A
          .text           C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[432] ntdll.dll!LdrLoadDll                                                                                 7C915CD3 5 Bytes  JMP 08A6000A
          .text           C:\WINDOWS\system32\srvany.exe[632] ntdll.dll!LdrLoadDll                                                                                                  7C915CD3 5 Bytes  JMP 006A000A
          .text           ...                                                                                                                                                       
          .text           C:\Program Files\Palm\Hotsync.exe[3772] msvcrt.dll!??2@YAPAXI@Z                                                                                           77C29CC5 5 Bytes  JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
          .text           C:\Program Files\Palm\Hotsync.exe[3772] msvcrt.dll!??3@YAXPAX@Z                                                                                           77C29CDD 5 Bytes  JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
          soilsenasuil

            Topic Starter


            Rookie

            Re: GMER shows rootkit in registry but cannot delete???
            « Reply #5 on: July 17, 2009, 02:50:21 PM »
            GMER ROOTKIT SCAN
            GMER 1.0.15.14972 - http://www.gmer.net
            Rootkit scan 2009-07-16 19:47:38
            Windows 5.1.2600 Service Pack 2


            Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                 8A261328
            Device          \Driver\NetBT \Device\NetbiosSmb                                                                                        8A261328
            Device          \Driver\Tcpip \Device\Udp                                                                                               fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
            Device          \Driver\USBSTOR \Device\00000089                                                                                        89F9A500
            Device          \Driver\Tcpip \Device\RawIp                                                                                             fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
            Device          \Driver\usbuhci \Device\USBFDO-0                                                                                        89F861F8
            Device          \Driver\usbuhci \Device\USBFDO-1                                                                                        89F861F8
            Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                       89FC7500
            Device          \Driver\Tcpip \Device\IPMULTICAST                                                                                       fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
            Device          \Driver\usbuhci \Device\USBFDO-2                                                                                        89F861F8
            Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                             89FC7500
            Device          \Driver\usbuhci \Device\USBFDO-3                                                                                        89F861F8
            Device          \Driver\usbehci \Device\USBFDO-4                                                                                        8A1DE4D8
            Device          \Driver\Ftdisk \Device\FtControl                                                                                        8A6521F8
            Device          \Driver\USBSTOR \Device\0000008c                                                                                        89F9A500
            Device          \FileSystem\Fastfat \Fat                                                                                                8A1F8500
            Device          \FileSystem\Fastfat \Fat                                                                                                AD04D1F9

            AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

            Device          \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer                                                                      tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
            Device          \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer                                                                       tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
            Device          \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer                                                                           tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
            Device          \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer                                                                        tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
            Device          \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer                                                                       tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
            Device          \FileSystem\Cdfs \Cdfs                                                                                                  8A12C500
            Device          \FileSystem\Cdfs \Cdfs                                                                                                  tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

            ---- Registry - GMER 1.0.15 ----

            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil@start                                                             1
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil@type                                                              1
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil@group                                                             file system
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil@imagepath                                                         \systemroot\system32\drivers\hjgruiwrspyojn.sys
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main                                                              
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main@aid                                                          10002
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main@sid                                                          0
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main@cmddelay                                                     14400
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main\connections                                                  
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main\delete                                                      
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main\injector                                                    
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main\injector@*                                                   hjgruiwsp.dll
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main\tasks                                                        
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\modules                                                          
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\[email protected]                                              \systemroot\system32\drivers\hjgruiwrspyojn.sys
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\[email protected]                                             \systemroot\system32\hjgruidqoptyea.dll
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\[email protected]                                             \systemroot\system32\hjgruiptvcpcjx.dat
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\[email protected]                                             \systemroot\system32\hjgruixjkcaxuj.dll
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\[email protected]                                                \systemroot\system32\hjgruiexlaudsp.dat
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                      771343423
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                      285507792
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start                                                                   1
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type                                                                    1
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath                                                               \systemroot\system32\drivers\UACjsmwallgklpqoxqqa.sys
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group                                                                   file system
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules                                                                
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd                                                            \\?\globalroot\systemroot\system32\drivers\UACjsmwallgklpqoxqqa.sys
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc                                                            \\?\globalroot\systemroot\system32\UACluuvduapxuongnqlm.dll
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr                                                          \\?\globalroot\systemroot\system32\UACcptaixppncrdxnhbo.dll
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr                                                           \\?\globalroot\systemroot\system32\UACblaxmfpjenvthsxud.dat
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask                                                         \\?\globalroot\systemroot\system32\UACyoneriwrocknjixfa.dll
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf                                                         \\?\globalroot\systemroot\system32\UACvafrrinwdioyupdxt.dll
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal                                                          \\?\globalroot\systemroot\system32\UACocvohoaomesgnhnsq.db
            Reg             HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem                                                          \\?\globalroot\systemroot\system32\UAChscevsxasamkytlep.dll
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil@start                                                                 1
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil@type                                                                  1
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil@group                                                                 file system
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil@imagepath                                                             \systemroot\system32\drivers\hjgruiwrspyojn.sys
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\main                                                                  
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\main@aid                                                              10002
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\main@sid                                                              0
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\main@cmddelay                                                         14400
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\main\connections                                                      
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\main\delete                                                          
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\main\injector                                                        
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\main\injector@*                                                       hjgruiwsp.dll
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\main\tasks                                                            
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\modules                                                              
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\[email protected]                                                  \systemroot\system32\drivers\hjgruiwrspyojn.sys
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\[email protected]                                                 \systemroot\system32\hjgruidqoptyea.dll
            Reg             HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil\[email protected]                                                 \systemroot\system32\hjgruiptvcpcjx.dat
            Reg             HKLM\SYSTEM\ControlSet002\Services\

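The GMER "Registry" section of the log above records the persistence of the two hidden services (hjgruidmydckil and UACd.sys) as plain `Reg` lines: a service key with type 1 and start 1, an ImagePath to a randomly named driver, a `modules` subkey listing payloads by `\\?\globalroot\` path, an `injector` subkey, and a duplicate of the whole tree under ControlSet002. As an added example that is not part of this thread and not GMER's own code, the Python below parses such lines, groups them per service and per control set, and ranks them with a simple heuristic that is this example's own assumption, not a GMER rule. The sample input is copied from the log above; the `sptd\Cfg` values are included as a control case that the heuristic should leave alone (GMER routinely lists them for the SPTD disc-emulation driver, which hides its own configuration).

```python
"""Parse the 'Registry' section of a GMER log and rank hidden driver services.

Added example for this thread, not GMER's own code. The sample lines are a
subset of the GMER 'Reg' lines posted above; the scoring is this example's own
heuristic reading of those lines (an assumption), not a verdict from GMER.
"""
import os
import re
from collections import defaultdict

# Subset of the GMER "Reg" lines from the log above: the two hidden services
# (hjgruidmydckil, UACd.sys) plus sptd\Cfg, hidden values belonging to the
# SPTD disc-emulation driver that this heuristic should not flag.
SAMPLE_GMER_LINES = r"""
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil@start            1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil@type             1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil@group            file system
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil@imagepath        \systemroot\system32\drivers\hjgruiwrspyojn.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\main\injector@*  hjgruiwsp.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\hjgruidmydckil\modules
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                     771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start                  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type                   1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath              \systemroot\system32\drivers\UACjsmwallgklpqoxqqa.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd           \\?\globalroot\systemroot\system32\drivers\UACjsmwallgklpqoxqqa.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc           \\?\globalroot\systemroot\system32\UACluuvduapxuongnqlm.dll
Reg  HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil@start                1
Reg  HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil@type                 1
Reg  HKLM\SYSTEM\ControlSet002\Services\hjgruidmydckil@imagepath            \systemroot\system32\drivers\hjgruiwrspyojn.sys
"""

# One GMER 'Reg' line: HKLM\SYSTEM\<control set>\Services\<svc>[\subkey...][@value]  data
REG_LINE = re.compile(
    r"^\s*Reg\s+HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\"
    r"(?P<svc>[^\\@\s]+)"            # service key name (e.g. UACd.sys)
    r"(?P<sub>(?:\\[^\\@\s]+)*)"     # optional subkey path (\main\injector)
    r"(?:@(?P<val>\S+))?"            # optional value name after '@'
    r"\s*(?P<data>.*?)\s*$",
    re.IGNORECASE,
)


def parse_reg_lines(text):
    """Yield (control_set, service, subkey, value_name, data) for each 'Reg' line."""
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            yield m["cs"], m["svc"], m["sub"].strip("\\"), m["val"], m["data"]


def score(rec):
    """Heuristic reasons (this example's assumption) why a hidden service looks like a rootkit."""
    v, reasons = rec["values"], []
    if v.get("type") == "1" and v.get("start") in ("0", "1"):
        reasons.append("kernel driver (type 1) loaded at boot/system start")
    image = v.get("imagepath", "")
    if image:
        base = image.rsplit("\\", 1)[-1].lower()
        tag = os.path.commonprefix([rec["name"].lower(), base])
        if len(tag) >= 3 and base != rec["name"].lower():
            reasons.append(f"service name and driver file share tag '{tag}' but differ")
    if rec["modules"]:
        reasons.append(f"'modules' subkey lists {len(rec['modules'])} payload path(s)")
    if any("\\\\?\\globalroot\\" in m.lower() for m in rec["modules"]):
        reasons.append("module paths use the \\\\?\\globalroot\\ form")
    if any("injector" in s for s in rec["subkeys"]):
        reasons.append("'injector' subkey present")
    if len(rec["control_sets"]) > 1:
        reasons.append("persists in " + ", ".join(sorted(rec["control_sets"])))
    return reasons


def analyze(text):
    """Group Reg lines per service (case-insensitive key) and score each one."""
    svcs = defaultdict(lambda: {"control_sets": set(), "values": {},
                                "modules": [], "subkeys": set()})
    for cs, svc, sub, val, data in parse_reg_lines(text):
        rec = svcs[svc.lower()]
        rec["name"] = svc
        rec["control_sets"].add(cs)
        if sub:
            rec["subkeys"].add(sub.lower())
        if sub.lower() == "modules" and val:
            rec["modules"].append(data)          # payload paths under \modules
        elif not sub and val:
            rec["values"][val.lower()] = data    # start/type/group/imagepath
    for rec in svcs.values():
        rec["reasons"] = score(rec)
        rec["suspicious"] = len(rec["reasons"]) >= 2
    return dict(svcs)


def report(text):
    """Human-readable summary, one block per service."""
    out = []
    for _, rec in sorted(analyze(text).items()):
        out.append(f"{rec['name']}: {'SUSPICIOUS' if rec['suspicious'] else 'ok'}")
        out.extend(f"  - {r}" for r in rec["reasons"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_GMER_LINES))
```

Everything GMER prints in this section is already hidden from the normal registry API, so the heuristic only ranks what is there; the `persists in` reason is the point relevant to the question above: a copy of the same service tree under ControlSet002 survives if only the CurrentControlSet keys are removed.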
            soilsenasuil

              Topic Starter


              Rookie

              Re: GMER shows rootkit in registry but cannot delete???
              « Reply #6 on: July 17, 2009, 02:50:59 PM »
              ComboFix


              ComboFix 09-07-14.08 -  07/16/2009 22:05.1.2 - NTFSx86
              Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1390 [GMT -4:00]
              Running from: c:\documents and settings\\Desktop\ComboFix.exe

              AV: EMBARQ® Online Security 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
              FW: EMBARQ® Online Security 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

              WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\windows\a3kebook.ini
              c:\windows\akebook.ini
              c:\windows\ANS2000.INI
              c:\windows\Installer\75521e.msp
              c:\windows\Installer\a4610.msp
              c:\windows\system32\AutoRun.inf
              c:\windows\system32\drivers\etc\lmhosts
              c:\windows\system32\hjgruidqoptyea.dll
              c:\windows\system32\hjgruiexlaudsp.dat
              c:\windows\system32\hjgruiptvcpcjx.dat
              c:\windows\system32\hjgruixjkcaxuj.dll
              c:\windows\system32\tmp.reg
              c:\windows\system32\UACblaxmfpjenvthsxud.dat
              c:\windows\system32\UACocvohoaomesgnhnsq.db
              c:\windows\system32\uactmp.db

              .
              (((((((((((((((((((((((((   Files Created from 2009-06-17 to 2009-07-17  )))))))))))))))))))))))))))))))
              .

              2009-07-17 00:02 . 2009-07-17 00:02   --------   d-----w-   c:\program files\Alwil Software
              2009-07-16 19:56 . 2009-07-16 19:56   --------   d-----w-   c:\documents and settings\\Application Data\ImgBurn
              2009-07-16 19:50 . 2009-07-16 19:50   --------   d-----w-   c:\program files\ImgBurn
              2009-07-16 14:17 . 2008-06-13 13:10   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
              2009-07-16 14:17 . 2008-10-24 11:10   453632   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
              2009-07-16 14:15 . 2009-02-06 09:49   2020864   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
              2009-07-16 14:15 . 2009-02-06 09:49   2062976   -c----w-   c:\windows\system32\dllcache\ntkrnlpa.exe
              2009-07-16 02:44 . 2009-07-16 02:44   717296   ----a-w-   c:\windows\system32\drivers\sptd.sys
              2009-07-16 00:09 . 2009-07-16 00:27   --------   d-----w-   C:\UBCD4Win
              2009-07-15 21:02 . 2001-08-17 18:56   66048   -c--a-w-   c:\windows\system32\dllcache\s3legacy.dll
              2009-07-15 20:29 . 2009-07-15 20:29   410984   ----a-w-   c:\windows\system32\deploytk.dll
              2009-07-15 20:28 . 2009-07-15 20:28   152576   ----a-w-   c:\documents and settings\0\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
              2009-07-15 19:30 . 2009-07-15 19:30   3775176   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
              2009-07-15 17:29 . 2004-08-04 10:00   456704   -c--a-w-   c:\windows\system32\dllcache\smtpsvc.dll
              2009-07-15 17:28 . 2004-08-04 10:00   10129408   -c--a-w-   c:\windows\system32\dllcache\hwxkor.dll
              2009-07-15 17:27 . 2004-08-04 10:00   829440   -c--a-w-   c:\windows\system32\dllcache\inetmgr.dll
              2009-07-15 17:24 . 2004-08-04 10:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
              2009-07-15 17:08 . 2004-08-04 10:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
              2009-07-15 17:08 . 2004-08-04 10:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
              2009-07-15 17:08 . 2004-08-04 10:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
              2009-07-15 17:08 . 2004-08-04 10:00   13312   ----a-w-   c:\windows\system32\irclass.dll
              2009-07-15 17:08 . 2009-07-15 17:08   --------   d-s---w-   c:\windows\system32\config\systemprofile\History
              2009-07-15 12:54 . 2009-07-15 12:54   --------   d-----w-   c:\windows\dell
              2009-07-14 19:35 . 2009-07-14 19:35   --------   d-----w-   c:\program files\Windows Resource Kits
              2009-07-14 18:09 . 2009-07-14 18:09   --------   d-sh--w-   c:\documents and settings\0\PrivacIE
              2009-07-14 18:05 . 2009-07-14 18:05   --------   d-sh--w-   c:\documents and settings\\IETldCache
              2009-07-14 18:04 . 2009-07-14 18:04   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
              2009-07-14 18:03 . 2009-07-14 18:03   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
              2009-07-14 18:01 . 2009-07-14 18:01   --------   d-----w-   c:\windows\ie8updates
              2009-07-14 17:59 . 2009-07-14 18:00   --------   dc-h--w-   c:\windows\ie8
              2009-07-13 00:22 . 2009-07-13 00:22   --------   d-----w-   c:\documents and settings\0\Application Data\Apple Computer
              2009-07-12 23:52 . 2009-07-12 23:52   --------   d-----w-   c:\program files\Trend Micro
              2009-07-12 00:29 . 2009-07-12 00:29   --------   d-----w-   c:\documents and settings\0\Application Data\Malwarebytes
              2009-07-12 00:29 . 2009-07-13 17:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2009-07-12 00:29 . 2009-07-15 19:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2009-07-12 00:29 . 2009-07-13 17:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2009-07-12 00:29 . 2009-07-12 00:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
              2009-07-11 01:26 . 2009-07-11 01:26   --------   d--h--w-   c:\windows\system32\GroupPolicy
              2009-07-09 00:00 . 2009-07-09 00:01   --------   d-----w-   c:\program files\QuickTime
              2009-07-09 00:00 . 2009-07-09 00:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
              2009-07-09 00:00 . 2009-07-09 00:00   --------   d-----w-   c:\documents and settings\0\Local Settings\Application Data\Apple
              2009-07-08 23:59 . 2009-07-09 00:00   --------   d-----w-   c:\program files\Apple Software Update
              2009-07-08 23:59 . 2009-07-08 23:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
              2009-07-08 23:59 . 2009-07-08 23:59   --------   d-----w-   c:\documents and settings\0\Local Settings\Application Data\Apple Computer
              2009-06-29 21:10 . 2009-06-29 21:10   --------   d-----w-   c:\program files\IKEA HomePlanner
              2009-06-29 21:10 . 2009-06-29 21:10   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
              2009-06-23 12:14 . 2009-06-23 12:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\HPSSUPPLY
              2009-06-23 12:14 . 2009-06-23 12:14   --------   d-----w-   c:\documents and settings\0\Application Data\HPAppData
              2009-06-23 12:11 . 2009-06-23 12:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\HP Product Assistant
              2009-06-23 12:07 . 2009-07-09 13:46   145901   ----a-w-   c:\windows\hpoins21.dat
              2009-06-23 12:07 . 2007-09-05 18:26   8138   ----a-w-   c:\windows\hpomdl21.dat

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2009-07-16 20:27 . 2008-11-14 22:09   --------   d-----w-   c:\program files\Embarq Online Security 8
              2009-07-16 02:44 . 2006-05-30 20:26   --------   d--h--w-   c:\program files\InstallShield Installation Information
              2009-07-16 02:30 . 2009-06-05 16:12   --------   d-----w-   c:\program files\Mozilla Thunderbird
              2009-07-15 23:13 . 2008-09-15 14:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
              2009-07-15 20:29 . 2006-05-30 20:23   --------   d-----w-   c:\program files\Java
              2009-07-15 19:21 . 2006-06-07 22:14   302   ----a-w-   c:\windows\system32\wacom.dat
              2009-07-15 17:23 . 2004-08-11 22:12   23428   ----a-w-   c:\windows\system32\emptyregdb.dat
              2009-07-13 00:21 . 2006-06-04 16:29   204744   ----a-w-   c:\documents and settings\0\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
              2009-07-11 00:58 . 2006-06-14 20:25   163712   ----a-w-   c:\windows\system32\drivers\vidstub.*censored*
              2009-07-08 13:44 . 2008-11-14 22:21   33920   ----a-w-   c:\windows\system32\drivers\fsbts.sys
              2009-06-23 12:14 . 2006-10-15 23:19   --------   d-----w-   c:\program files\HP
              2009-06-23 00:57 . 2006-10-15 23:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\HP
              2009-06-16 14:55 . 2004-08-04 10:00   82432   ----a-w-   c:\windows\system32\fontsub.dll
              2009-06-16 14:55 . 2004-08-04 10:00   119808   ----a-w-   c:\windows\system32\t2embed.dll
              2009-06-11 14:55 . 2009-06-11 14:56   25784   ----a-w-   c:\windows\Fonts\ROTORCAP.TTF
              2009-06-11 14:43 . 2009-06-11 14:44   37388   ----a-w-   c:\windows\Fonts\visitor2.ttf
              2009-06-11 14:43 . 2009-06-11 14:44   3520   ----a-w-   c:\windows\Fonts\VISITOR.FON
              2009-06-11 14:43 . 2009-06-11 14:44   3856   ----a-w-   c:\windows\Fonts\mints-strong.fon
              2009-06-11 14:39 . 2009-06-11 14:40   256880   ----a-w-   c:\windows\Fonts\Calibribold.ttf
              2009-06-11 14:39 . 2009-06-11 14:40   367620   ----a-w-   c:\windows\Fonts\CalibriIz.TTF
              2009-06-11 14:39 . 2009-06-11 14:40   36648   ----a-w-   c:\windows\Fonts\MARKEN__.TTF
              2009-06-11 14:39 . 2009-06-11 14:40   36552   ----a-w-   c:\windows\Fonts\MARKEN__CAPS.ttf
              2009-06-11 14:35 . 2009-06-11 14:36   52680   ----a-w-   c:\windows\Fonts\STAN0757CAPS.TTF
              2009-06-11 14:35 . 2009-06-11 14:36   316876   ----a-w-   c:\windows\Fonts\arialcaps.ttf
              2009-06-11 02:44 . 2009-06-11 02:45   46596   ----a-w-   c:\windows\Fonts\Arial Special G1 Caps.ttf
              2009-06-11 02:12 . 2009-06-11 02:13   71132   ----a-w-   c:\windows\Fonts\ITC Avant Garde Gothic LT Bold.ttf
              2009-06-11 02:12 . 2009-06-11 02:13   70040   ----a-w-   c:\windows\Fonts\ITC Avant Garde Gothic LT Medium.ttf
              2009-06-11 02:12 . 2009-06-11 02:13   6928   ----a-w-   c:\windows\Fonts\HaxrCorp 4088.fon
              2009-06-11 02:12 . 2009-06-11 02:13   64396   ----a-w-   c:\windows\Fonts\ITC Avant Garde Gothic LT Medium Caps.ttf
              2009-06-11 02:12 . 2009-06-11 02:13   4240   ----a-w-   c:\windows\Fonts\HaxrCorp Caps.FON
              2009-06-11 02:12 . 2009-06-11 02:13   254296   ----a-w-   c:\windows\Fonts\calibri.ttf
              2009-06-11 02:03 . 2009-06-11 02:03   --------   d-----w-   c:\program files\Free RAR Extract Frog
              2009-06-07 03:15 . 2009-06-07 03:15   47792   ----a-w-   c:\windows\Fonts\HOOG0554.TTF
              2009-06-07 02:52 . 2009-06-07 02:53   46368   ----a-w-   c:\windows\Fonts\Kroe0555caps.ttf
              2009-06-07 02:52 . 2009-06-07 02:53   3952   ----a-w-   c:\windows\Fonts\Kroeger0.fon
              2009-06-07 02:52 . 2009-06-07 02:53   22464   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_extended.ttf
              2009-06-07 02:52 . 2009-06-07 02:53   22176   ----a-w-   c:\windows\Fonts\pf_tempesta_seven.ttf
              2009-06-07 02:52 . 2009-06-07 02:53   22160   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_extended_bold.ttf
              2009-06-07 02:52 . 2009-06-07 02:53   21780   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_bold.ttf
              2009-06-07 02:52 . 2009-06-07 02:53   21616   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_condensed.ttf
              2009-06-07 02:52 . 2009-06-07 02:53   21160   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_condensed_bold.ttf
              2009-06-07 02:52 . 2009-06-07 02:53   20796   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_compressed_bold.ttf
              2009-06-07 02:52 . 2009-06-07 02:53   20396   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_compressed.ttf
              2009-06-07 02:37 . 2009-06-07 02:38   48080   ----a-w-   c:\windows\Fonts\KROE0555.TTF
              2009-06-07 02:37 . 2009-06-07 02:38   365264   ----a-w-   c:\windows\Fonts\Segoe UI .ttf
              2009-06-07 02:37 . 2009-06-07 02:38   12056   ----a-w-   c:\windows\Fonts\Blank.ttf
              2009-06-05 16:13 . 2009-06-05 16:13   --------   d-----w-   c:\documents and settings\0\Application Data\Thunderbird
              2009-06-03 19:27 . 2004-08-04 10:00   1290752   ----a-w-   c:\windows\system32\quartz.dll
              2009-05-07 15:44 . 2004-08-04 10:00   344064   ----a-w-   c:\windows\system32\localspl.dll
              2009-04-29 04:52 . 2006-03-04 03:33   659456   ----a-w-   c:\windows\system32\wininet.dll
              2009-04-29 04:52 . 2004-08-04 10:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
              2009-06-15 14:37 . 2008-09-17 21:10   134648   ----a-w-   c:\program files\mozilla firefox\components\brwsrcmp.dll
              2006-06-05 22:05 . 2006-06-05 22:05   56   --sha-r-   c:\windows\system32\0E1A64F2CB.sys
              2006-06-05 22:05 . 2006-06-05 22:05   1890   --sha-w-   c:\windows\system32\KGyGaAvL.sys
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
              "{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2009-07-10 2215960]

              [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]
              2009-07-10 21:40   2215960   ----a-w-   c:\program files\Mininova-Vuze\tbMin1.dll

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
              "{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2009-07-10 2215960]

              [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
              "{D51D388B-F5DC-471A-A1CE-5E2D671091C0}"= "c:\program files\Mininova-Vuze\tbMin1.dll" [2009-07-10 2215960]

              [HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
              "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
              "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
              "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
              "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
              "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
              "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-15 39408]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
              "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
              "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
              "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
              "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
              "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
              "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
              "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
              "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
              "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
              "LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
              "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-16 180269]
              "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
              "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
              "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
              "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
              "F-Secure Manager"="c:\program files\Embarq Online Security 8\Common\FSM32.EXE" [2008-09-23 182936]
              "F-Secure TNB"="c:\program files\Embarq Online Security 8\FSGUI\TNBUtil.exe" [2008-09-23 957024]
              "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
              "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 148888]
              "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-16 397312]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-4 98304]
              Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-4 98304]
              Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
              Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-30 24576]
              HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
              HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
              "WMPNetworkSvc"=3 (0x3)
              "TabletService"=2 (0x2)
              "stllssvr"=3 (0x3)
              "gusvc"=2 (0x2)

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

              R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [11/14/2008 6:21 PM 33920]
              R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [11/14/2008 6:10 PM 79904]
              R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Embarq Online Security 8\HIPS\drivers\fshs.sys [11/14/2008 6:10 PM 66720]
              R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [7/22/2006 10:40 AM 8192]
              R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Embarq Online Security 8\Anti-Virus\minifilter\fsgk.sys [11/14/2008 6:09 PM 99960]
              R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Embarq Online Security 8\ORSP Client\fsorsp.exe [11/14/2008 6:10 PM 55904]
              S2 BootScreen;BootScreen;c:\windows\system32\drivers\vidstub.sys --> c:\windows\system32\drivers\vidstub.sys [?]
              S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/13/2008 5:49 PM 18688]
              S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/13/2008 5:49 PM 8320]
              S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [11/13/2008 5:49 PM 23680]
              S3 VirtualDK;VirtualDK;\??\c:\ubcd4win\vdk.sys --> c:\ubcd4win\vdk.sys [?]
              S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Embarq Online Security 8\Anti-Virus\win2k\fsfilter.sys [11/14/2008 6:09 PM 39776]
              S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Embarq Online Security 8\Anti-Virus\win2k\fsrec.sys [11/14/2008 6:09 PM 25184]

              --- Other Services/Drivers In Memory ---

              *NewlyCreated* - AAVMKER4
              *NewlyCreated* - ASWFSBLK
              *NewlyCreated* - ASWMON2
              *NewlyCreated* - ASWRDR
              *NewlyCreated* - ASWSP
              *NewlyCreated* - ASWTDI
              *NewlyCreated* - AVAST!_ANTIVIRUS

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
              hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
              .
              Contents of the 'Scheduled Tasks' folder

              2009-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
              - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

              2009-07-17 c:\windows\Tasks\Google Software Updater.job
              - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-14 03:06]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://search.conduit.com/?ctid=CT1978305
              uSearch Page = hxxp://www.google.com
              uSearch Bar = hxxp://www.google.com/ie
              uInternet Settings,ProxyServer = 127.0.0.1:8100
              uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
              LSP: c:\program files\Embarq Online Security 8\FSPS\program\fslsp.dll
              Trusted Zone: musicmatch.com\online
              FF - ProfilePath - c:\documents and settings\0\Application Data\Mozilla\Firefox\Profiles\9lqkiec1.Default User\
              FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?continue=http://www.google.com/ig&followup=http://www.google.com/ig&service=ig&passive=true&cd=US&hl=en&nui=1&ltmpl=default
              FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
              FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
              FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
              FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
              .

              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2009-07-16 22:09
              Windows 5.1.2600 Service Pack 2 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- LOCKED REGISTRY KEYS ---------------------

              [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\Æ   3*]
              "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(712)
              c:\windows\system32\Ati2evxx.dll
              c:\program files\Embarq Online Security 8\FWES\Program\fsdc32.dll

              - - - - - - - > 'lsass.exe'(768)
              c:\program files\Embarq Online Security 8\FSPS\program\fslsp.dll
              c:\program files\Embarq Online Security 8\FWES\Program\fsdc32.dll

              - - - - - - - > 'csrss.exe'(676)
              c:\program files\Embarq Online Security 8\FWES\Program\fsdc32.dll
              .
              Completion time: 2009-07-17 22:11
              ComboFix-quarantined-files.txt  2009-07-17 02:10

              Pre-Run: 9,309,712,384 bytes free
              Post-Run: 10,666,979,328 bytes free

              424   --- E O F ---   2009-07-16 14:41


soilsenasuil


                Re: GMER shows rootkit in registry but cannot delete???
                « Reply #7 on: July 17, 2009, 03:00:09 PM »
                GMER ROOTSCAN Libraries Report

                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [196]                                           0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [220]                                    0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [352]                                           0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [424]                           0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [432]                           0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Common\FCH32.EXE [568]                0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\srvany.exe [632]                                            0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [700]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [744]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [756]                                             0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Anti-Virus\fsav32.exe [896]           0x00A60000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Anti-Virus\fsqh.exe [912]             0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [940]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [956]                                           0x01020000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Common\FAMEH32.EXE [1004]             0x00870000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\pvsw\bin\w3dbsmgr.exe [1020]                                                 0x00770000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [1060]  0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1096]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1136]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\FSPC\fspc.exe [1164]                  0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1196]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\DellSupport\DSAgnt.exe [1256]                                  0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [1276]                           0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [1296]                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [1320]                         0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [1368]                         0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [1400]                         0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1472]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1564]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Dell\QuickSet\quickset.exe [1700]                              0x00BE0000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Documents and Settings\0\Desktop\y5nouyli.exe [1704]                      0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1736]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1808]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1836]                            0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Anti-Virus\fsgk32st.exe [1900]        0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Dell Support Center\bin\sprtsvc.exe [1912]                     0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Common\FSMA32.EXE [1948]              0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Anti-Virus\FSGK32.EXE [1956]          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Common\FSMB32.EXE [2040]              0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2080]                        0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2148]                     0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe [2156]                              0x00A20000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2200]                                          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Dell\Media Experience\PCMService.exe [2324]                    0x00A50000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2336]                      0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\dla\tfswctrl.exe [2348]                                     0x00A20000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2492]               0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\QuickTime\QTTask.exe [2620]                                    0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\FSGUI\fsguidll.exe [2844]             0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2860]                                           0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Common\FSM32.EXE [2920]               0x003D0000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2944]                     0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [2956]                                    0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [3016]                                         0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe [3036]                     0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [3068]                     0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\stsystra.exe [3096]                                                  0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [3196]                               0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\FSAUA\program\fsaua.exe [3248]        0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\Anti-Virus\fssm32.exe [3272]          0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\ORSP Client\fsorsp.exe [3292]         0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3328]                                                  0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [3352]                        0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\FWES\Program\fsdfwd.exe [3376]        0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\NetWaiting\netWaiting.exe [3404]                               0x00A30000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Microsoft Money\System\mnyexpr.exe [3444]                      0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Digital Line Detect\DLG.exe [3472]                             0x00AB0000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3656]                                              0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Palm\Hotsync.exe [3772]                                        0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Embarq Online Security 8\FSAUA\program\fsus.exe [3920]         0x00710000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Dell Support Center\gs_agent\dsc.exe [4564]                    0x10000000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [5036]                             0x009F0000                                                                                                                                 
                Library         \\?\globalroot\systemroot\system32\hjgruixjkcaxuj.dll (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [6056]                                          0x10000000                                                                                                                                 

                ---- EOF - GMER 1.0.15 ----


                harry 48



                  Egghead

                • lay back , relax and chill out
                • Thanked: 129
                  • Dribbling Pensioner
                • Experience: Familiar
                • OS: Windows 7
                Re: GMER shows rootkit in registry but cannot delete???
                « Reply #8 on: July 17, 2009, 04:21:10 PM »
                You would need to wait and let Evil look at these. I can only see 1 that I know is bad, and that is Viewpoint; read below:


                http://www.computerhope.com/forum/index.php?topic=85628.0

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Calm like a bomb
                • Thanked: 493
                • Experience: Experienced
                • OS: Windows 11
                Re: GMER shows rootkit in registry but cannot delete???
                « Reply #9 on: July 17, 2009, 06:48:04 PM »
                Hello...

                Don't worry too much about the GMER log. It can be very confusing without knowing exactly what you are seeing.

                Delete these files/folders, as follows:

                1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                It must be Notepad, not Wordpad.
                2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                Code:
                KillAll::

                Registry::
                [-HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

                [-HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "MSMSGS"=-

                3. Go to the Notepad window and click Edit > Paste
                4. Then click File > Save
                5. Name the file CFScript.txt - Save the file to your Desktop
                6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                ComboFix will begin to execute, just follow the prompts.
                After reboot (in case it asks to reboot), it will produce a log for you.
                Post that log (Combofix.txt) in your next reply.

                Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

                ----------

                Your version of MBAM needs to be updated; then run a new scan and post that log, please.

                Open Malwarebytes' Anti-Malware.
                • Click the Update tab.
                • Click Check for Updates
                • If an update is found, it will download and install.
                • Click the Scanner tab.
                • Select "Perform Quick Scan", then click Scan.
                • The scan may take some time to finish, so please be patient.
                • When the scan is complete, click OK, then Show Results to view the results.
                • Make sure that everything is checked, and click Remove Selected.
                • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
                • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
                Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

                ----------

                Download Rooter.exe to your desktop

                * Double click Rooter.exe to start the tool.
                * A DOS window will appear and show the scan progress.
                * Once complete a notepad file containing the report will open.
                * Copy & paste the results in your next reply.
                * Close notepad and Rooter will close.

                A log will also be saved at %systemdrive%\Rooter.txt (where %systemdrive% is usually C:, or whichever drive Windows is installed on).

                ----------

                Next post please add:

                • ComboFix log
                • MBAM log
                • Rooter log
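
The CFScript above relies on regedit .reg conventions that the post leaves implicit: `[-KEY]` deletes a key, `[KEY]` selects one, and `"Name"=-` deletes a value under it. The parser below is an added example, not the forum's or ComboFix's own code; it turns the posted script into a list of planned registry operations (collapsing the duplicated key line) and rejects lines ComboFix would misread, and the function and type names are hypothetical.

```python
"""Parse a ComboFix CFScript.txt into a list of planned registry operations.

Added example, not the forum's or ComboFix's own code. It assumes the Registry::
section follows regedit .reg conventions: "[-KEY]" deletes a key, "[KEY]" selects
a key, '"Name"=-' deletes a value under the selected key and '"Name"="data"' sets
a string value. Other sections (KillAll::, File::, ...) are kept as raw lines.
"""
from dataclasses import dataclass
import re

# Constructed sample: the script posted in reply #9, including its duplicated
# key line, so that the parser's de-duplication is exercised.
SAMPLE_CFSCRIPT = """KillAll::

Registry::
[-HKEY_CLASSES_ROOT\\clsid\\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[-HKEY_CLASSES_ROOT\\clsid\\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"MSMSGS"=-
"""

# Full hive names a registry path in the script must start with.
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")

_SECTION_RE = re.compile(r"^(\w+)::$")
_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass(frozen=True)
class RegOp:
    action: str        # "delete_key", "delete_value" or "set_value"
    key: str           # full registry key path
    name: str = ""     # value name, for value operations only
    data: str = ""     # new data, for set_value only


class CFScriptError(ValueError):
    """Raised for a line ComboFix would misread, so the script is not applied blindly."""


def parse_cfscript(text):
    """Return (sections, ops): raw lines per non-Registry section, and RegOps in order.

    Exact duplicate operations (as in the posted script) are collapsed to one.
    """
    sections = {}
    ops = []
    seen = set()
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections.setdefault(section, [])
            current_key = None
            continue
        if section is None:
            raise CFScriptError(f"line {lineno}: content before any section header")
        if section != "Registry":
            sections[section].append(line)
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if not key.startswith(HIVES):
                raise CFScriptError(f"line {lineno}: unknown hive in {key!r}")
            if minus:
                current_key = None          # nothing can be set under a deleted key
                op = RegOp("delete_key", key)
            else:
                current_key = key
                continue                    # selection only, no operation yet
        else:
            m = _VALUE_RE.match(line)
            if not m:
                raise CFScriptError(f"line {lineno}: unparseable registry line {line!r}")
            if current_key is None:
                raise CFScriptError(f"line {lineno}: value line with no selected key")
            name, data = m.groups()
            if data == "-":
                op = RegOp("delete_value", current_key, name)
            else:
                op = RegOp("set_value", current_key, name, data.strip('"'))
        if op not in seen:
            seen.add(op)
            ops.append(op)
    return sections, ops


if __name__ == "__main__":
    found_sections, planned = parse_cfscript(SAMPLE_CFSCRIPT)
    print("sections:", sorted(found_sections))
    for op in planned:
        print(op)
```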

                soilsenasuil

                  Topic Starter


                  Rookie

                  Re: GMER shows rootkit in registry but cannot delete???
                  « Reply #10 on: July 17, 2009, 09:28:32 PM »
                  Hi, I will be posting my logs here.  First, I noticed when I ran GMER again it found a catchme.sys; when I ran it again it disappeared, but it is in my registry as "swearware" and "legacy_catchme". I read this is a keylogger; should I delete it out of the registry?  I could not find the system file..... none of the other software I ran found this....


                  ComboFix 09-07-14.08 - Suil 07/17/2009 22:40.2.2 - NTFSx86
                  Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1431 [GMT -4:00]
                  Running from: c:\documents and settings\Suil\Desktop\ComboFix.exe
                  Command switches used :: c:\documents and settings\Suil\Desktop\CFscript.txt

                  AV: EMBARQ® Online Security 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
                  FW: EMBARQ® Online Security 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

                  WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                  .

                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  c:\windows\Installer\f821.msi

                  .
                  (((((((((((((((((((((((((   Files Created from 2009-06-18 to 2009-07-18  )))))))))))))))))))))))))))))))
                  .

                  2009-07-17 17:38 . 2009-07-17 19:22   117760   ----a-w-   c:\documents and settings\Suil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                  2009-07-17 17:37 . 2009-07-17 17:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2009-07-17 17:37 . 2009-07-17 17:37   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2009-07-17 17:37 . 2009-07-17 17:37   --------   d-----w-   c:\documents and settings\Suil\Application Data\SUPERAntiSpyware.com
                  2009-07-17 17:00 . 2009-07-17 17:00   --------   d-----w-   c:\program files\CCleaner
                  2009-07-17 00:02 . 2009-07-17 00:02   --------   d-----w-   c:\program files\Alwil Software
                  2009-07-16 19:56 . 2009-07-16 19:56   --------   d-----w-   c:\documents and settings\Suil\Application Data\ImgBurn
                  2009-07-16 19:50 . 2009-07-16 19:50   --------   d-----w-   c:\program files\ImgBurn
                  2009-07-16 14:17 . 2008-06-13 13:10   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
                  2009-07-16 14:17 . 2008-10-24 11:10   453632   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
                  2009-07-16 14:15 . 2009-02-06 09:49   2020864   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
                  2009-07-16 14:15 . 2009-02-06 09:49   2062976   -c----w-   c:\windows\system32\dllcache\ntkrnlpa.exe
                  2009-07-16 02:44 . 2009-07-16 02:44   717296   ----a-w-   c:\windows\system32\drivers\sptd.sys
                  2009-07-16 00:09 . 2009-07-16 00:27   --------   d-----w-   C:\UBCD4Win
                  2009-07-15 21:02 . 2001-08-17 18:56   66048   -c--a-w-   c:\windows\system32\dllcache\s3legacy.dll
                  2009-07-15 20:29 . 2009-07-15 20:29   410984   ----a-w-   c:\windows\system32\deploytk.dll
                  2009-07-15 20:28 . 2009-07-15 20:28   152576   ----a-w-   c:\documents and settings\Suil\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
                  2009-07-15 19:30 . 2009-07-15 19:30   3775176   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
                  2009-07-15 17:29 . 2004-08-04 10:00   456704   -c--a-w-   c:\windows\system32\dllcache\smtpsvc.dll
                  2009-07-15 17:28 . 2004-08-04 10:00   10129408   -c--a-w-   c:\windows\system32\dllcache\hwxkor.dll
                  2009-07-15 17:27 . 2004-08-04 10:00   829440   -c--a-w-   c:\windows\system32\dllcache\inetmgr.dll
                  2009-07-15 17:24 . 2004-08-04 10:00   16384   -c--a-w-   c:\windows\system32\dllcache\isignup.exe
                  2009-07-15 17:08 . 2004-08-04 10:00   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
                  2009-07-15 17:08 . 2004-08-04 10:00   24661   ----a-w-   c:\windows\system32\spxcoins.dll
                  2009-07-15 17:08 . 2004-08-04 10:00   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
                  2009-07-15 17:08 . 2004-08-04 10:00   13312   ----a-w-   c:\windows\system32\irclass.dll
                  2009-07-15 17:08 . 2009-07-15 17:08   --------   d-s---w-   c:\windows\system32\config\systemprofile\History
                  2009-07-15 12:54 . 2009-07-15 12:54   --------   d-----w-   c:\windows\dell
                  2009-07-14 19:35 . 2009-07-14 19:35   --------   d-----w-   c:\program files\Windows Resource Kits
                  2009-07-14 18:09 . 2009-07-14 18:09   --------   d-sh--w-   c:\documents and settings\Suil\PrivacIE
                  2009-07-14 18:05 . 2009-07-14 18:05   --------   d-sh--w-   c:\documents and settings\Suil\IETldCache
                  2009-07-14 18:04 . 2009-07-14 18:04   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
                  2009-07-14 18:03 . 2009-07-14 18:03   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                  2009-07-14 18:01 . 2009-07-14 18:01   --------   d-----w-   c:\windows\ie8updates
                  2009-07-14 17:59 . 2009-07-14 18:00   --------   dc-h--w-   c:\windows\ie8
                  2009-07-13 00:22 . 2009-07-13 00:22   --------   d-----w-   c:\documents and settings\Suil\Application Data\Apple Computer
                  2009-07-12 23:52 . 2009-07-12 23:52   --------   d-----w-   c:\program files\Trend Micro
                  2009-07-12 00:29 . 2009-07-12 00:29   --------   d-----w-   c:\documents and settings\Suil\Application Data\Malwarebytes
                  2009-07-12 00:29 . 2009-07-13 17:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2009-07-12 00:29 . 2009-07-15 19:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2009-07-12 00:29 . 2009-07-13 17:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2009-07-12 00:29 . 2009-07-12 00:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2009-07-11 01:26 . 2009-07-11 01:26   --------   d--h--w-   c:\windows\system32\GroupPolicy
                  2009-07-09 00:00 . 2009-07-09 00:01   --------   d-----w-   c:\program files\QuickTime
                  2009-07-09 00:00 . 2009-07-09 00:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
                  2009-07-09 00:00 . 2009-07-09 00:00   --------   d-----w-   c:\documents and settings\Suil\Local Settings\Application Data\Apple
                  2009-07-08 23:59 . 2009-07-09 00:00   --------   d-----w-   c:\program files\Apple Software Update
                  2009-07-08 23:59 . 2009-07-08 23:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
                  2009-07-08 23:59 . 2009-07-08 23:59   --------   d-----w-   c:\documents and settings\Suil\Local Settings\Application Data\Apple Computer
                  2009-06-29 21:10 . 2009-06-29 21:10   --------   d-----w-   c:\program files\IKEA HomePlanner
                  2009-06-29 21:10 . 2009-07-17 17:37   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                  2009-06-23 12:14 . 2009-06-23 12:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\HPSSUPPLY
                  2009-06-23 12:14 . 2009-06-23 12:14   --------   d-----w-   c:\documents and settings\Suil\Application Data\HPAppData
                  2009-06-23 12:11 . 2009-06-23 12:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\HP Product Assistant
                  2009-06-23 12:07 . 2009-07-09 13:46   145901   ----a-w-   c:\windows\hpoins21.dat
                  2009-06-23 12:07 . 2007-09-05 18:26   8138   ----a-w-   c:\windows\hpomdl21.dat

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2009-07-18 02:05 . 2008-09-15 14:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
                  2009-07-17 20:59 . 2009-06-05 16:12   --------   d-----w-   c:\program files\Mozilla Thunderbird
                  2009-07-17 19:35 . 2006-05-30 20:23   --------   d-----w-   c:\program files\Java
                  2009-07-17 16:47 . 2008-11-14 22:09   --------   d-----w-   c:\program files\Embarq Online Security 8
                  2009-07-17 02:28 . 2006-06-04 16:29   204744   ----a-w-   c:\documents and settings\Suil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                  2009-07-16 02:44 . 2006-05-30 20:26   --------   d--h--w-   c:\program files\InstallShield Installation Information
                  2009-07-15 19:21 . 2006-06-07 22:14   302   ----a-w-   c:\windows\system32\wacom.dat
                  2009-07-15 17:23 . 2004-08-11 22:12   23428   ----a-w-   c:\windows\system32\emptyregdb.dat
                  2009-07-11 00:58 . 2006-06-14 20:25   163712   ----a-w-   c:\windows\system32\drivers\vidstub.sys
                  2009-07-08 13:44 . 2008-11-14 22:21   33920   ----a-w-   c:\windows\system32\drivers\fsbts.sys
                  2009-06-23 12:14 . 2006-10-15 23:19   --------   d-----w-   c:\program files\HP
                  2009-06-23 00:57 . 2006-10-15 23:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\HP
                  2009-06-16 14:55 . 2004-08-04 10:00   82432   ----a-w-   c:\windows\system32\fontsub.dll
                  2009-06-16 14:55 . 2004-08-04 10:00   119808   ----a-w-   c:\windows\system32\t2embed.dll
                  2009-06-11 14:55 . 2009-06-11 14:56   25784   ----a-w-   c:\windows\Fonts\ROTORCAP.TTF
                  2009-06-11 14:43 . 2009-06-11 14:44   37388   ----a-w-   c:\windows\Fonts\visitor2.ttf
                  2009-06-11 14:43 . 2009-06-11 14:44   3520   ----a-w-   c:\windows\Fonts\VISITOR.FON
                  2009-06-11 14:43 . 2009-06-11 14:44   3856   ----a-w-   c:\windows\Fonts\mints-strong.fon
                  2009-06-11 14:39 . 2009-06-11 14:40   256880   ----a-w-   c:\windows\Fonts\Calibribold.ttf
                  2009-06-11 14:39 . 2009-06-11 14:40   367620   ----a-w-   c:\windows\Fonts\CalibriIz.TTF
                  2009-06-11 14:39 . 2009-06-11 14:40   36648   ----a-w-   c:\windows\Fonts\MARKEN__.TTF
                  2009-06-11 14:39 . 2009-06-11 14:40   36552   ----a-w-   c:\windows\Fonts\MARKEN__CAPS.ttf
                  2009-06-11 14:35 . 2009-06-11 14:36   52680   ----a-w-   c:\windows\Fonts\STAN0757CAPS.TTF
                  2009-06-11 14:35 . 2009-06-11 14:36   316876   ----a-w-   c:\windows\Fonts\arialcaps.ttf
                  2009-06-11 02:44 . 2009-06-11 02:45   46596   ----a-w-   c:\windows\Fonts\Arial Special G1 Caps.ttf
                  2009-06-11 02:12 . 2009-06-11 02:13   71132   ----a-w-   c:\windows\Fonts\ITC Avant Garde Gothic LT Bold.ttf
                  2009-06-11 02:12 . 2009-06-11 02:13   70040   ----a-w-   c:\windows\Fonts\ITC Avant Garde Gothic LT Medium.ttf
                  2009-06-11 02:12 . 2009-06-11 02:13   6928   ----a-w-   c:\windows\Fonts\HaxrCorp 4088.fon
                  2009-06-11 02:12 . 2009-06-11 02:13   64396   ----a-w-   c:\windows\Fonts\ITC Avant Garde Gothic LT Medium Caps.ttf
                  2009-06-11 02:12 . 2009-06-11 02:13   4240   ----a-w-   c:\windows\Fonts\HaxrCorp Caps.FON
                  2009-06-11 02:12 . 2009-06-11 02:13   254296   ----a-w-   c:\windows\Fonts\calibri.ttf
                  2009-06-11 02:03 . 2009-06-11 02:03   --------   d-----w-   c:\program files\Free RAR Extract Frog
                  2009-06-07 03:15 . 2009-06-07 03:15   47792   ----a-w-   c:\windows\Fonts\HOOG0554.TTF
                  2009-06-07 02:52 . 2009-06-07 02:53   46368   ----a-w-   c:\windows\Fonts\Kroe0555caps.ttf
                  2009-06-07 02:52 . 2009-06-07 02:53   3952   ----a-w-   c:\windows\Fonts\Kroeger0.fon
                  2009-06-07 02:52 . 2009-06-07 02:53   22464   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_extended.ttf
                  2009-06-07 02:52 . 2009-06-07 02:53   22176   ----a-w-   c:\windows\Fonts\pf_tempesta_seven.ttf
                  2009-06-07 02:52 . 2009-06-07 02:53   22160   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_extended_bold.ttf
                  2009-06-07 02:52 . 2009-06-07 02:53   21780   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_bold.ttf
                  2009-06-07 02:52 . 2009-06-07 02:53   21616   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_condensed.ttf
                  2009-06-07 02:52 . 2009-06-07 02:53   21160   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_condensed_bold.ttf
                  2009-06-07 02:52 . 2009-06-07 02:53   20796   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_compressed_bold.ttf
                  2009-06-07 02:52 . 2009-06-07 02:53   20396   ----a-w-   c:\windows\Fonts\pf_tempesta_seven_compressed.ttf
                  2009-06-07 02:37 . 2009-06-07 02:38   48080   ----a-w-   c:\windows\Fonts\KROE0555.TTF
                  2009-06-07 02:37 . 2009-06-07 02:38   365264   ----a-w-   c:\windows\Fonts\Segoe UI .ttf
                  2009-06-07 02:37 . 2009-06-07 02:38   12056   ----a-w-   c:\windows\Fonts\Blank.ttf
                  2009-06-05 16:13 . 2009-06-05 16:13   --------   d-----w-   c:\documents and settings\Suil\Application Data\Thunderbird
                  2009-06-03 19:27 . 2004-08-04 10:00   1290752   ----a-w-   c:\windows\system32\quartz.dll
                  2009-05-07 15:44 . 2004-08-04 10:00   344064   ----a-w-   c:\windows\system32\localspl.dll
                  2009-04-29 04:52 . 2006-03-04 03:33   659456   ----a-w-   c:\windows\system32\wininet.dll
                  2009-04-29 04:52 . 2004-08-04 10:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
                  2009-06-15 14:37 . 2008-09-17 21:10   134648   ----a-w-   c:\program files\mozilla firefox\components\brwsrcmp.dll
                  2006-06-05 22:05 . 2006-06-05 22:05   56   --sha-r-   c:\windows\system32\0E1A64F2CB.sys
                  2006-06-05 22:05 . 2006-06-05 22:05   1890   --sha-w-   c:\windows\system32\KGyGaAvL.sys
                  .

                  (((((((((((((((((((((((((((((   SnapShot@2009-07-17_02.09.26   )))))))))))))))))))))))))))))))))))))))))
                  .
                  + 2009-07-18 02:46 . 2009-07-18 02:46   16384              c:\windows\temp\Perflib_Perfdata_5ec.dat
                  + 2009-07-17 17:37 . 2009-07-17 17:37   65024              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
                  + 2009-07-17 17:37 . 2009-07-17 17:37   18944              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
                  + 2004-08-11 22:13 . 2009-07-17 14:59   4922              c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
                  + 2009-07-17 17:37 . 2009-07-17 17:37   1516544              c:\windows\Installer\a19965.msi
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
                  "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
                  "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
                  "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
                  "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
                  "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-15 39408]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
                  "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
                  "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
                  "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
                  "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
                  "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
                  "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
                  "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
                  "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
                  "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
                  "LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
                  "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-16 180269]
                  "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
                  "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
                  "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
                  "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
                  "F-Secure Manager"="c:\program files\Embarq Online Security 8\Common\FSM32.EXE" [2008-09-23 182936]
                  "F-Secure TNB"="c:\program files\Embarq Online Security 8\FSGUI\TNBUtil.exe" [2008-09-23 957024]
                  "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
                  "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 148888]
                  "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-16 397312]

                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-4 98304]
                  Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-4 98304]
                  Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
                  Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-30 24576]
                  HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
                  HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2008-12-22 16:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                  "WMPNetworkSvc"=3 (0x3)
                  "TabletService"=2 (0x2)
                  "stllssvr"=3 (0x3)
                  "gusvc"=2 (0x2)

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                  "EnableFirewall"= 0 (0x0)

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
                  "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

                  R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [11/14/2008 6:21 PM 33920]
                  R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [11/14/2008 6:10 PM 79904]
                  R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Embarq Online Security 8\HIPS\drivers\fshs.sys [11/14/2008 6:10 PM 66720]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
                  R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [7/22/2006 10:40 AM 8192]
                  R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Embarq Online Security 8\Anti-Virus\minifilter\fsgk.sys [11/14/2008 6:09 PM 99960]
                  S2 BootScreen;BootScreen;c:\windows\system32\drivers\vidstub.sys --> c:\windows\system32\drivers\vidstub.sys [?]
                  S3 FSORSPClient;F-Secure ORSP Client;c:\program files\Embarq Online Security 8\ORSP Client\fsorsp.exe [11/14/2008 6:10 PM 55904]
                  S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/13/2008 5:49 PM 18688]
                  S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/13/2008 5:49 PM 8320]
                  S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [11/13/2008 5:49 PM 23680]
                  S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
                  S3 VirtualDK;VirtualDK;\??\c:\ubcd4win\vdk.sys --> c:\ubcd4win\vdk.sys [?]
                  S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Embarq Online Security 8\Anti-Virus\win2k\fsfilter.sys [11/14/2008 6:09 PM 39776]
                  S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Embarq Online Security 8\Anti-Virus\win2k\fsrec.sys [11/14/2008 6:09 PM 25184]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                  HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                  hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2009-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
                  - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

                  2009-07-18 c:\windows\Tasks\Google Software Updater.job
                  - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-14 03:06]
                  .
                  - - - - ORPHANS REMOVED - - - -

                  URLSearchHooks-{d51d388b-f5dc-471a-a1ce-5e2d671091c0} - (no file)
                  BHO-{d51d388b-f5dc-471a-a1ce-5e2d671091c0} - (no file)
                  Toolbar-{d51d388b-f5dc-471a-a1ce-5e2d671091c0} - (no file)
                  WebBrowser-{D51D388B-F5DC-471A-A1CE-5E2D671091C0} - (no file)


                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://search.conduit.com/?ctid=CT1978305
                  uSearch Page = hxxp://www.google.com
                  uSearch Bar = hxxp://www.google.com/ie
                  mDefault_Search_URL = hxxp://www.google.com/ie
                  uInternet Settings,ProxyServer = 127.0.0.1:8100
                  uSearchAssistant = hxxp://www.google.com/ie
                  uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                  mSearchAssistant = hxxp://www.google.com/ie
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
                  LSP: c:\program files\Embarq Online Security 8\FSPS\program\fslsp.dll
                  Trusted Zone: musicmatch.com\online
                  FF - ProfilePath - c:\documents and settings\Suil\Application Data\Mozilla\Firefox\Profiles\9lqkiec1.Default User\
                  FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?continue=http://www.google.com/ig&followup=http://www.google.com/ig&service=ig&passive=true&cd=US&hl=en&nui=1&ltmpl=default
                  FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
                  FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
                  FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
                  .

                  **************************************************************************

                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2009-07-17 22:46
                  Windows 5.1.2600 Service Pack 2 NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- LOCKED REGISTRY KEYS ---------------------

                  [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\Æ  3*]
                  "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------

                  - - - - - - - > 'winlogon.exe'(520)
                  c:\program files\SUPERAntiSpyware\SASWINLO.dll
                  c:\windows\system32\Ati2evxx.dll
                  c:\program files\Embarq Online Security 8\FWES\Program\fsdc32.dll

                  - - - - - - - > 'lsass.exe'(576)
                  c:\program files\Embarq Online Security 8\FSPS\program\fslsp.dll
                  c:\program files\Embarq Online Security 8\FWES\Program\fsdc32.dll

                  - - - - - - - > 'explorer.exe'(2468)
                  c:\windows\system32\ieframe.dll
                  c:\windows\system32\msi.dll
                  c:\windows\system32\WPDShServiceObj.dll
                  c:\windows\system32\PortableDeviceTypes.dll
                  c:\windows\system32\PortableDeviceApi.dll

                  - - - - - - - > 'csrss.exe'(492)
                  c:\program files\Embarq Online Security 8\FWES\Program\fsdc32.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\windows\system32\ati2evxx.exe
                  c:\program files\Intel\Wireless\Bin\EvtEng.exe
                  c:\program files\Intel\Wireless\Bin\S24EvMon.exe
                  c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
                  c:\program files\Embarq Online Security 8\Anti-Virus\fsgk32st.exe
                  c:\program files\Embarq Online Security 8\Common\FSMA32.EXE
                  c:\program files\Embarq Online Security 8\Anti-Virus\fsgk32.exe
                  c:\program files\Java\jre6\bin\jqs.exe
                  c:\program files\Dell\QuickSet\NicConfigSvc.exe
                  c:\pvsw\bin\w3dbsmgr.exe
                  c:\program files\Intel\Wireless\Bin\RegSrvc.exe
                  c:\program files\Dell Support Center\bin\sprtsvc.exe
                  c:\program files\Embarq Online Security 8\Anti-Virus\fssm32.exe
                  c:\windows\system32\ati2evxx.exe
                  c:\windows\system32\wscntfy.exe
                  c:\program files\Embarq Online Security 8\Common\FSLAUNCH.EXE
                  c:\program files\Dell Support Center\gs_agent\dsc.exe
                  c:\program files\HP\Digital Imaging\bin\hpqste08.exe
                  .
                  **************************************************************************
                  .
                  Completion time: 2009-07-18 22:52 - machine was rebooted
                  ComboFix-quarantined-files.txt  2009-07-18 02:52
                  ComboFix2.txt  2009-07-17 02:11

                  Pre-Run: 10,743,201,792 bytes free
                  Post-Run: 10,722,295,808 bytes free

                  449   --- E O F ---   2009-07-16 14:41


                  soilsenasuil

                    Topic Starter


                    Rookie

                    Re: GMER shows rootkit in registry but cannot delete???
                    « Reply #11 on: July 17, 2009, 09:29:31 PM »
                    Malwarebytes' Anti-Malware 1.39
                    Database version: 2453
                    Windows 5.1.2600 Service Pack 2

                    7/17/2009 10:58:19 PM
                    mbam-log-2009-07-17 (22-58-19).txt

                    Scan type: Quick Scan
                    Objects scanned: 97106
                    Time elapsed: 3 minute(s), 9 second(s)

                    Memory Processes Infected: 0
                    Memory Modules Infected: 0
                    Registry Keys Infected: 0
                    Registry Values Infected: 0
                    Registry Data Items Infected: 0
                    Folders Infected: 0
                    Files Infected: 0

                    Memory Processes Infected:
                    (No malicious items detected)

                    Memory Modules Infected:
                    (No malicious items detected)

                    Registry Keys Infected:
                    (No malicious items detected)

                    Registry Values Infected:
                    (No malicious items detected)

                    Registry Data Items Infected:
                    (No malicious items detected)

                    Folders Infected:
                    (No malicious items detected)

                    Files Infected:
                    (No malicious items detected)






                    Rooter.exe (v1.0.2) by Eric_71
                    .
                    SeDebugPrivilege granted successfully ...
                    .
                    Windows XP . (5.1.2600) Service Pack 2
                    [32_bits] - x86 Family 6 Model 14 Stepping 8, GenuineIntel
                    .
                    [wscsvc] (Security Center) RUNNING (state:4)
                    [SharedAccess] RUNNING (state:4)
                    Windows Firewall -> Disabled !
                    .
                    Internet Explorer 6.0.2900.2180
                    .
                    C:\  [Fixed-NTFS] .. ( Total:38 Go - Free:10 Go )
                    D:\  [Fixed-NTFS] .. ( Total:12 Go - Free:3 Go )
                    E:\  [CD_Rom]
                    .
                    Scan : 23:00.03
                    Path : C:\Documents and Settings\Suil\Desktop\Rooter.exe
                    User : Suil ( Administrator -> YES )
                    .
                    ----------------------\\ Processes
                    .
                    Locked [System Process] (0)
                    ______ System (4)
                    ______ \SystemRoot\System32\smss.exe (444)
                    ______ \??\C:\WINDOWS\system32\csrss.exe (492)
                    ______ \??\C:\WINDOWS\system32\winlogon.exe (520)
                    ______ C:\WINDOWS\system32\services.exe (564)
                    ______ C:\WINDOWS\system32\lsass.exe (576)
                    ______ C:\WINDOWS\system32\Ati2evxx.exe (760)
                    ______ C:\WINDOWS\system32\svchost.exe (776)
                    ______ C:\WINDOWS\system32\svchost.exe (860)
                    ______ C:\WINDOWS\System32\svchost.exe (900)
                    ______ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (956)
                    ______ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (984)
                    ______ C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (1004)
                    ______ C:\WINDOWS\system32\svchost.exe (1164)
                    ______ C:\WINDOWS\system32\svchost.exe (1188)
                    ______ C:\WINDOWS\system32\spoolsv.exe (1264)
                    ______ C:\WINDOWS\system32\svchost.exe (1336)
                    ______ C:\Program Files\Embarq Online Security 8\Anti-Virus\fsgk32st.exe (1384)
                    ______ C:\Program Files\Embarq Online Security 8\Common\FSMA32.EXE (1396)
                    ______ C:\Program Files\Embarq Online Security 8\Anti-Virus\FSGK32.EXE (1404)
                    ______ C:\WINDOWS\system32\svchost.exe (1488)
                    ______ C:\Program Files\Java\jre6\bin\jqs.exe (1516)
                    ______ C:\WINDOWS\System32\svchost.exe (1548)
                    ______ C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (1576)
                    ______ C:\WINDOWS\system32\srvany.exe (1640)
                    ______ C:\pvsw\bin\w3dbsmgr.exe (1656)
                    ______ C:\WINDOWS\System32\svchost.exe (1664)
                    ______ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (1768)
                    ______ C:\Program Files\Dell Support Center\bin\sprtsvc.exe (1816)
                    ______ C:\WINDOWS\system32\svchost.exe (1864)
                    ______ C:\Program Files\Embarq Online Security 8\Anti-Virus\fssm32.exe (2124)
                    ______ C:\WINDOWS\System32\alg.exe (2188)
                    ______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2484)
                    ______ C:\WINDOWS\system32\Ati2evxx.exe (2832)
                    ______ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (3984)
                    ______ C:\WINDOWS\system32\wuauclt.exe (4028)
                    ______ C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (4036)
                    ______ C:\Program Files\Dell\QuickSet\quickset.exe (1860)
                    ______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (2068)
                    ______ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (2176)
                    ______ C:\Program Files\Dell\Media Experience\PCMService.exe (1380)
                    ______ C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (2252)
                    ______ C:\WINDOWS\system32\dla\tfswctrl.exe (276)
                    ______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (2868)
                    ______ C:\Program Files\QuickTime\QTTask.exe (2888)
                    ______ C:\Program Files\Dell Support Center\bin\sprtcmd.exe (3256)
                    ______ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (3152)
                    ______ C:\WINDOWS\stsystra.exe (2628)
                    ______ C:\Program Files\Java\jre6\bin\jusched.exe (3140)
                    ______ C:\Program Files\NetWaiting\netWaiting.exe (3372)
                    ______ C:\Program Files\Microsoft Money\System\mnyexpr.exe (3544)
                    ______ C:\Program Files\DellSupport\DSAgnt.exe (1480)
                    ______ C:\WINDOWS\system32\ctfmon.exe (3672)
                    ______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3704)
                    ______ C:\Program Files\Digital Line Detect\DLG.exe (3112)
                    ______ C:\WINDOWS\system32\wscntfy.exe (4076)
                    ______ C:\Program Files\Embarq Online Security 8\Common\FSLAUNCH.EXE (2248)
                    ______ C:\Program Files\Palm\Hotsync.exe (2528)
                    ______ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (2640)
                    ______ C:\Program Files\Dell Support Center\gs_agent\dsc.exe (3976)
                    ______ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe (472)
                    ______ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (2688)
                    ______ C:\WINDOWS\explorer.exe (2468)
                    ______ C:\Documents and Settings\Suil\Desktop\Rooter.exe (2228)
                    .
                    ----------------------\\ Device\Harddisk0\
                    .
                    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
                    .
                    \Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:49319424)
                    \Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:49351680 | Length:41595240960)
                    \Device\Harddisk0\Partition3 (Start_Offset:41644592640 | Length:13127546880)
                    \Device\Harddisk0\Partition4 (Start_Offset:54772139520 | Length:3734277120)
                    .
                    ----------------------\\ Scheduled Tasks
                    .
                    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
                    C:\WINDOWS\Tasks\desktop.ini
                    C:\WINDOWS\Tasks\Google Software Updater.job
                    C:\WINDOWS\Tasks\SA.DAT
                    .
                    ----------------------\\ Registry
                    .
                    .
                    ----------------------\\ Files & Folders
                    .
                    C:\DOCUME~1\Suil\My Documents\Creatures\COB C2\Food\Cheese\cobc2cracker.zip
                    C:\DOCUME~1\Suil\My Documents\Creatures\COB C2\Holiday\cobc2firecracker.zip
                    ==> Cracks & Keygens <==
                    .
                    ----------------------\\ Scan completed at 23:00.05
                    .
                    C:\Rooter$\Rooter_1.txt - (17/07/2009 | 23:00.05).c



                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Calm like a bomb
                    • Thanked: 493
                    • Experience: Experienced
                    • OS: Windows 11
                    Re: GMER shows rootkit in registry but cannot delete???
                    « Reply #12 on: July 17, 2009, 10:06:22 PM »
                    Quote
First I noticed when I ran GMER again it found a catchme.sys when I ran again it disappeared but it is in my registry as "swearware" and "legacy_catchme" I read this is a keylogger should I delete out of registry?

                    No! Catchme is part of ComboFix.

                    Be right back. Looking at the logs now.

                    evilfantasy

                    Re: GMER shows rootkit in registry but cannot delete???
                    « Reply #13 on: July 17, 2009, 10:21:28 PM »
                    Quote
                    uStart Page = hxxp://search.conduit.com/?ctid=CT1978305

                    Conduit is NOT a good search engine. They don't filter or monitor the links for malicious sites. I typed in 'Malware' and got a bunch of fraudulent sites in the results.

                    Delete these files/folders, as follows: [I don't need this log]

                    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                    It must be Notepad, not Wordpad.
                    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
                    KillAll::

                    Firefox::
                    uStart Page = hxxp://search.conduit.com/?ctid=CT1978305

                    3. Go to the Notepad window and click Edit > Paste
                    4. Then click File > Save
                    5. Name the file CFScript.txt - Save the file to your Desktop
                    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                    ComboFix will begin to execute, just follow the prompts.
                    After reboot (in case it asks to reboot), it will produce a log for you.
                    I do not need this log...

                    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                    ----------

After running ComboFix.

                    * Click START then RUN
                    * Now type Combofix /u in the runbox
                    * Make sure there's a space between Combofix and /u
                    * Then hit Enter

                    * The above procedure will:
                    * Delete the following:
                    * ComboFix and its associated files and folders.
                    * Reset the clock settings.
                    * Hide file extensions, if required.
                    * Hide System/Hidden files, if required.
                    * Set a new, clean Restore Point.

                    ----------

                    Clean out your temporary internet files and temp files.

                    Download TFC by OldTimer to your desktop.

                    Double-click TFC.exe to run it.

                    Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                    TFC will close all programs when run, so make sure you have saved all your work before you begin.

                    * Click the Start button to begin the cleaning process.
                    * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                    * Please let TFC run uninterrupted until it is finished.

                    Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                    ----------

                    Use the Kaspersky Lab Online Scanner

                    In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

                    • Click on SCAN NOW
                    • Click Accept.
                    • The program will then begin downloading the latest definition files.
                    • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
                    • The scan will take a while, so be patient and let it finish.
                    When the scan is done, in the Scan is complete window, any infection is displayed.
                    There is no option to clean/disinfect, however, we need to analyze the information on the report.

                    To obtain the report:
                    Click on: Save Report As
                    • Next, in the Save as prompt, Save in area, select: Desktop.
                    • In the File name area use KScan, or something similar.
                    • In Save as type: click the drop arrow and select: Text file [*.txt]
                    • Then, click: Save


                    Copy and paste the Kaspersky Online Scanner Report in your next reply.

                    Note for Internet Explorer 7 and 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

                    If needed, this animation will guide you through the process.
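The ComboFix "Supplementary Scan" lines quoted in this reply are what the specialist reads to spot the hijacked start page. As an added example (not code from this thread or from ComboFix), the Python script below parses lines of that `uKey = value` / `mKey = value` shape and flags the entries a reviewer would want to look at, including the `uInternet Settings,ProxyServer = 127.0.0.1:8100` line that also appears in the log above. The sample lines, the known-good host list and the function names are constructed for this example.

```python
"""Flag browser/proxy settings worth reviewing in a ComboFix 'Supplementary Scan' block.

Added example, not part of the forum thread or of ComboFix. ComboFix writes
'hxxp' instead of 'http' so pasted logs do not turn into clickable links;
the leading 'u' / 'm' on a key marks the current-user (HKCU) or machine
(HKLM) scope of the setting.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the log quoted in the thread.
SAMPLE_LOG = """\
uStart Page = hxxp://search.conduit.com/?ctid=CT1978305
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 127.0.0.1:8100
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin
"""

# Hosts the reviewer treats as expected defaults (an assumption for this example).
KNOWN_GOOD_HOSTS = {"www.google.com", "google.com"}

SCOPE = {"u": "current user (HKCU)", "m": "machine (HKLM)"}
# Matches e.g. 'uStart Page = ...' and 'uInternet Settings,ProxyServer = ...'
ENTRY_RE = re.compile(r"^([um])([A-Za-z_ ,()]+?)\s*=\s*(.+)$")


def refang(value: str) -> str:
    """Turn ComboFix's hxxp:// or hxxps:// back into a parseable URL scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value.strip())


def parse_entries(text: str):
    """Return (scope, key, value) tuples for every u*/m* setting line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((SCOPE[m.group(1)], m.group(2).strip(), m.group(3).strip()))
    return entries


def review(text: str, known_good=KNOWN_GOOD_HOSTS):
    """Return (scope, key, value, reason) for entries a reviewer should check."""
    findings = []
    for scope, key, value in parse_entries(text):
        if "ProxyServer" in key:
            host = value.split(":")[0]
            if host in ("127.0.0.1", "localhost"):
                findings.append((scope, key, value,
                                 "proxy points at the local machine; confirm which "
                                 "program listens there (a security suite's web "
                                 "filter is a common legitimate cause)"))
            continue
        url = refang(value)
        if url.startswith(("http://", "https://")):
            host = urlsplit(url).hostname or ""
            if host not in known_good:
                findings.append((scope, key, value, f"points at unexpected host {host}"))
    return findings


if __name__ == "__main__":
    for scope, key, value, reason in review(SAMPLE_LOG):
        print(f"[{scope}] {key} = {value}\n    -> {reason}")
```

The `FF - prefs.js:` lines use a different layout and are left to the reviewer; the script only covers the `u`/`m` prefixed settings.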

                    evilfantasy

                    Re: GMER shows rootkit in registry but cannot delete???
                    « Reply #14 on: July 17, 2009, 10:23:47 PM »
                    Also please run GMER again but use the settings as described here.

                    • Close all running programs.
                    • There is a small chance this application may crash your computer so save any work you have open.
                    • Double-click gmer.exe to run it.
• Let the gmer.sys driver load if asked.
                    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO
                    • Click the Rootkit tab.
                    • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
                    • Then click the Scan button. Wait for the scan to finish.
                    • Once done, click the Copy button.
                    • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop.
                    • Add this log to your next reply.
                    NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.