Help with TDSServ infection

Something has taken over my laptop and browser that is blocking access to several computer security/virusscan websites and redirecting me to bogus "antispyware" sites after clicking links in google searches. Right now I'm using my girlfriend's PC and a flash drive to get info, cleaning tools, etc.

This started happening on Sunday after NOD32 caught and "quarantined" something called "Win32/Adware.UltimateDefender." A later NOD32 scan came up with nothing bad, but the problems didn't stop. I scanned with GMER and it notified me of a TDSServ infection.

 

I would greatly appreciate any help as I need my laptop for school. Here's my HJT log:

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:33 PM, on 11/11/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Users\Owner\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
G:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6310 bytes


Please do the following to get a diagnostic of what is there…

 

Please go to Start > Run, type in msconfig

In msconfig go to the Boot.ini tab

Check: /Bootlog

Press: Apply and then: OK

Restart the computer

 

Now, search for and delete C:\Windows\ntbtlog.txt

Restart the computer once again

Begin tapping the F8 key on startup to enable the Advanced Start Menu

Select: Enable Boot Logging from the list

 

Once you are logged on, navigate to and open C:\Windows\ntbtlog.txt

 

1. --> Please post the contents of C:\Windows\ntbtlog.txt

 

~~~~

Now, download GMER

Save it to the Desktop.

 

Right click on gmer.zip and select Extract All....

Follow the prompts.

 

Double click on gmer.exe to run it. (Note: Do not run any programs while GMER is running.)

Select the Rootkit tab

On the right hand side, check all the items to be scanned, but uncheck Show All

Select all drives to scan

Click on the Scan button.

 

2. --> Please save the GMER scan log and post it in your reply.

Close: GMER

 

~~~~

Download Random's System Information Tool (RSIT)

  • Save it to the Desktop
  • Double click on RSIT.exe to run the program (Note: If you are using Windows Vista, right click at RSIT.exe and select 'Run as administrator'.)
  • Click Continue at the disclaimer screen
  • Once the tool finishes, two logs open. Log.txt is maximized, and info.txt is minimized. (The logs are also contained in C:\rsit)

3. --> Please provide the RSIT: Log.txt and info.txt logs.

 

You may need to do consecutive posts (one after the other) if the logs are too long.


Microsoft ® Windows ® Version 6.0 (Build 6000)
11 12 2008 09:07:50.375
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\kdcom.dll
Loaded driver \SystemRoot\system32\mcupdate_GenuineIntel.dll
Loaded driver \SystemRoot\system32\PSHED.dll
Loaded driver \SystemRoot\system32\BOOTVID.dll
Loaded driver \SystemRoot\system32\CLFS.SYS
Loaded driver \SystemRoot\system32\CI.dll
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
Loaded driver \SystemRoot\system32\drivers\acpi.sys
Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS
Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
Loaded driver \SystemRoot\system32\drivers\pci.sys
Loaded driver \SystemRoot\system32\drivers\volmgr.sys
Loaded driver \SystemRoot\system32\DRIVERS\compbatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\BATTC.SYS
Loaded driver \SystemRoot\System32\drivers\mountmgr.sys
Loaded driver \SystemRoot\system32\drivers\intelide.sys
Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS
Loaded driver \SystemRoot\system32\DRIVERS\pcmcia.sys
Loaded driver \SystemRoot\System32\drivers\volmgrx.sys
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\ataport.SYS
Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
Loaded driver \SystemRoot\system32\drivers\fileinfo.sys
Loaded driver \SystemRoot\system32\DRIVERS\psdfilter.sys
Loaded driver \SystemRoot\system32\drivers\ndis.sys
Loaded driver \SystemRoot\system32\drivers\msrpc.sys
Loaded driver \SystemRoot\system32\drivers\NETIO.SYS
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys
Loaded driver \SystemRoot\system32\drivers\volsnap.sys
Loaded driver \SystemRoot\System32\Drivers\spldr.sys
Loaded driver \SystemRoot\system32\drivers\psdvdisk.sys
Loaded driver \SystemRoot\system32\drivers\PSDNServ.sys
Loaded driver \SystemRoot\System32\drivers\partmgr.sys
Loaded driver \SystemRoot\System32\Drivers\mup.sys
Loaded driver \SystemRoot\System32\drivers\ecache.sys
Loaded driver \SystemRoot\system32\drivers\disk.sys
Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS
Loaded driver \SystemRoot\system32\drivers\crcdisk.sys
Loaded driver \SystemRoot\system32\DRIVERS\tunmp.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\wmiacpi.sys
Loaded driver \SystemRoot\System32\drivers\dxgkrnl.sys
Loaded driver \SystemRoot\system32\DRIVERS\igdkmd32.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\NETw4v32.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
Loaded driver \SystemRoot\system32\DRIVERS\EMS7SK.sys
Loaded driver \SystemRoot\system32\DRIVERS\sdbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\ESM7SK.sys
Loaded driver \SystemRoot\system32\DRIVERS\ESD7SK.sys
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\DKbFltr.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\NTIDrvr.sys
Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\DRIVERS\msiscsi.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\inspect.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\RTKVHDA.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_DPV.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
Loaded driver \SystemRoot\system32\drivers\modem.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\System32\Drivers\BisonC07.sys
Loaded driver \SystemRoot\System32\DRIVERS\cmdguard.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\system32\drivers\rdpencdd.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \systemroot\system32\drivers\TDSSigmc.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\drivers\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\tdx.sys
Loaded driver \SystemRoot\System32\DRIVERS\cmdhlp.sys
Loaded driver \SystemRoot\system32\DRIVERS\smb.sys
Loaded driver \SystemRoot\system32\DRIVERS\epfwtdir.sys
Loaded driver \SystemRoot\system32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\pacer.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
Loaded driver \SystemRoot\system32\drivers\nsiproxy.sys
Loaded driver \SystemRoot\system32\DRIVERS\easdrv.sys
Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
Loaded driver \SystemRoot\system32\DRIVERS\monitor.sys
Loaded driver \SystemRoot\system32\drivers\luafv.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\lltdio.sys
Loaded driver \SystemRoot\system32\DRIVERS\nwifi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Loaded driver \SystemRoot\system32\DRIVERS\rspndr.sys
Loaded driver \SystemRoot\system32\drivers\HTTP.sys
Loaded driver \SystemRoot\System32\DRIVERS\srvnet.sys
Loaded driver \SystemRoot\system32\DRIVERS\bowser.sys
Loaded driver \SystemRoot\System32\drivers\mpsdrv.sys
Loaded driver \SystemRoot\system32\drivers\mrxdav.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb10.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb20.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv2.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\system32\DRIVERS\eamon.sys
Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS
Loaded driver \SystemRoot\System32\Drivers\fastfat.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cdfs.sys
Loaded driver \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys
Loaded driver \SystemRoot\system32\drivers\peauth.sys
Loaded driver \SystemRoot\System32\Drivers\secdrv.SYS
Loaded driver \SystemRoot\System32\drivers\tcpipreg.sys
Loaded driver \SystemRoot\system32\DRIVERS\WUDFRd.sys
Loaded driver \SystemRoot\system32\DRIVERS\xaudio.sys
Loaded driver \SystemRoot\system32\drivers\tdtcp.sys
Loaded driver \SystemRoot\System32\DRIVERS\tssecsrv.sys
Loaded driver \SystemRoot\System32\Drivers\RDPWD.SYS

------------------------------------------------------------------------


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-12 09:18:06
Windows 6.0.6000

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0x8C234D50]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAlpcConnectPort [0x8C235B38]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAlpcCreatePort [0x8C23517C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0x8C234346]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0x8C234964]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0x8C2340A8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0x8C2347D6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0x8C234F36]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateThread [0x8C233C78]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0x8C233B2A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0x8C2357D8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0x8C234B74]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenProcess [0x8C23384A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0x8C23467A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenThread [0x8C2339D2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0x8C2341BE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0x8C2355B6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0x8C235978]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0x8C234508]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0x8C23456E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateProcess [0x8C233F72]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0x8C233E40]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateThreadEx [0x8C235282]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateUserProcess [0x8C235D82]

Code 8B28B120 ZwEnumerateKey
Code 8B28BC80 ZwFlushInstructionCache
Code 8B28B5FD IofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!IofCallDriver 82027F37 5 Bytes JMP 8B28B602
.text ntkrnlpa.exe!ZwCallbackReturn + 2D8 820807E4 2 Bytes [ 50, 4D ]
.text ntkrnlpa.exe!ZwCallbackReturn + 5B2 82080ABE 2 Bytes [ 23, 8C ]
PAGE ntkrnlpa.exe!ZwEnumerateKey 82137F06 5 Bytes JMP 8B28B124
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 821E849F 5 Bytes JMP 8B28BC84

---- User code sections - GMER 1.0.14 ----

.text C:\Users\Owner\Desktop\gmer\gmer.exe[1276] ntdll.dll!NtCreateFile + 3 771FF417 2 Bytes [ E5, FA ]
.text C:\Windows\Explorer.EXE[1976] WS2_32.dll!closesocket 76BF3847 5 Bytes JMP 00B8000A
.text C:\Windows\Explorer.EXE[1976] WS2_32.dll!send 76BF3A8A 5 Bytes JMP 00B9000A
.text C:\Windows\Explorer.EXE[1976] WS2_32.dll!connect 76BF4BA7 5 Bytes JMP 00B7000A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2544] kernel32.dll!SetUnhandledExceptionFilter 76ABD187 4 Bytes [ C2, 04, 00, 00 ]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [742AFD78] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7427BBF1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7426A31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [7426CBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74268AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7427D168] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74267D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74267CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74266A54] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [742FC1BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [742880FE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [742690CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7427223C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74272267] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [7427771C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [7427753E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [742A8585] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\TDSSigmc.sys (*** hidden *** ) 8C508000-8C51A000 (73728 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:336 8C50AD66

---- Services - GMER 1.0.14 ----

Service C:\Windows\system32\drivers\TDSSigmc.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@ImagePath \systemroot\system32\drivers\TDSSigmc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@Group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSigmc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSwgom.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSxdxd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStmei.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlfpe.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSuscv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSbonm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSxgoi.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSqycn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSfmtf.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSyilq.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@ImagePath \systemroot\system32\drivers\TDSSigmc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@Group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSigmc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSwgom.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSxdxd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSStmei.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlfpe.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSuscv.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSbonm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSxgoi.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSqycn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSfmtf.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSyilq.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 81
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@subid v3av
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@flagged 1

---- EOF - GMER 1.0.14 ----

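The helper's request above amounts to reading ntbtlog.txt and the GMER log side by side: which drivers actually loaded at boot, which of them GMER cannot see through normal enumeration, and what the rootkit has hooked in user mode. The script below does that reading automatically. It is an added example for this thread, not code from the original posts and not GMER's own code. Its input is a constructed excerpt of the two logs posted in this thread, and the two heuristics it applies (a driver whose registered path is lowercase \systemroot\ while every other entry on the box is \SystemRoot\, and an inline JMP in Explorer whose target GMER attributes to no module) are the script's own reading of these logs, not a rule GMER enforces.

```python
r"""Cross-check a Windows boot log (ntbtlog.txt) against a GMER rootkit-scan log.

Added example for this thread, not code from the original posts or from GMER.
The samples are constructed excerpts of the two logs posted above; the heuristics
(lowercase \systemroot\ paths, JMP targets no module owns) are this script's own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ntbtlog.txt posted in the thread.
NTBTLOG_SAMPLE = r"""
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
Loaded driver \SystemRoot\System32\DRIVERS\cmdguard.sys
Loaded driver \systemroot\system32\drivers\TDSSigmc.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
Loaded driver \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
"""

# Constructed sample: lines copied from the GMER log posted in the thread.
GMER_SAMPLE = r"""
.text C:\Windows\Explorer.EXE[1976] WS2_32.dll!send 76BF3A8A 5 Bytes JMP 00B9000A
.text C:\Windows\Explorer.EXE[1976] WS2_32.dll!connect 76BF4BA7 5 Bytes JMP 00B7000A
Module \systemroot\system32\drivers\TDSSigmc.sys (*** hidden *** ) 8C508000-8C51A000 (73728 bytes)
Service C:\Windows\system32\drivers\TDSSigmc.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
"""

BOOT_RE = re.compile(r"^(Loaded|Did not load) driver (.+)$")
HIDDEN_RE = re.compile(r"^(Module|Service) (\S+) \(\*\*\* hidden \*\*\* \)(.*)$")
ROOTKIT_SVC_RE = re.compile(r"\[\w+\] (\S+) <-- ROOTKIT")
HOOK_RE = re.compile(r"^\.text (.+?)\[(\d+)\] (\S+!\S+) [0-9A-Fa-f]+ \d+ Bytes JMP ([0-9A-Fa-f]+)(.*)$")
REG_RE = re.compile(r"^Reg (HKLM\\.+)$")


@dataclass
class Findings:
    boot_drivers: dict = field(default_factory=dict)        # basename -> path, drivers that loaded
    boot_suspicious: list = field(default_factory=list)     # (reason, path)
    hidden: list = field(default_factory=list)              # paths GMER marked *** hidden ***
    hidden_services: list = field(default_factory=list)     # service names GMER tagged ROOTKIT
    unattributed_hooks: list = field(default_factory=list)  # (process, pid, api, jmp target)
    registry: list = field(default_factory=list)            # entries in GMER's Registry section
    confirmed_loaded: list = field(default_factory=list)    # hidden drivers the boot log shows loading


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_bootlog(text: str, f: Findings) -> None:
    for line in text.splitlines():
        m = BOOT_RE.match(line.strip())
        if not m or m.group(1) != "Loaded":
            continue  # "Did not load" for srv.sys after it loaded once is routine
        path = m.group(2)
        f.boot_drivers[basename(path)] = path
        # Heuristic: the loader prints the ImagePath as it was registered. Every entry
        # Windows or a normal installer wrote on this box reads \SystemRoot\...; a
        # lowercase \systemroot\ entry was written by something else.
        if path.startswith("\\systemroot\\"):
            f.boot_suspicious.append(("ImagePath registered as lowercase \\systemroot\\", path))
        elif path.startswith("\\??\\"):
            f.boot_suspicious.append(("driver loaded from outside \\SystemRoot", path))


def parse_gmer(text: str, f: Findings) -> None:
    for line in text.splitlines():
        line = line.strip()
        if m := HIDDEN_RE.match(line):
            kind, path, rest = m.groups()
            f.hidden.append(path)
            if kind == "Service" and (r := ROOTKIT_SVC_RE.search(rest)):
                f.hidden_services.append(r.group(1))
        elif m := HOOK_RE.match(line):
            proc, pid, api, target, rest = m.groups()
            # GMER appends the owning module when a JMP target lies inside a loaded DLL.
            # A bare address means the trampoline sits in unbacked memory: injected code.
            if not rest.strip():
                f.unattributed_hooks.append((basename(proc), int(pid), api, target))
        elif m := REG_RE.match(line):
            f.registry.append(m.group(1))


def triage(bootlog_text: str, gmer_text: str) -> Findings:
    f = Findings()
    parse_bootlog(bootlog_text, f)
    parse_gmer(gmer_text, f)
    # A hidden module that the boot log also shows loading is resident right now,
    # not a stale registry leftover: that is the correlation to make before cleanup.
    for path in f.hidden:
        b = basename(path)
        if b in f.boot_drivers and b not in f.confirmed_loaded:
            f.confirmed_loaded.append(b)
    return f


if __name__ == "__main__":
    res = triage(NTBTLOG_SAMPLE, GMER_SAMPLE)
    for reason, path in res.boot_suspicious:
        print(f"boot log: {reason}: {path}")
    for proc, pid, api, target in res.unattributed_hooks:
        print(f"hook: {proc}[{pid}] {api} -> {target} (no module owns the target)")
    for name in res.confirmed_loaded:
        print(f"hidden driver confirmed loaded at boot: {name} ({res.boot_drivers[name]})")
```

Run against the full logs, the script flags the same three things a helper would circle by hand: TDSSigmc.sys loads at boot from a lowercase \systemroot\ path, GMER cannot enumerate that same module or its TDSSserv.sys service, and Explorer's WS2_32 send/connect/closesocket entry points jump to addresses outside any loaded DLL, which is how the search-result redirects happen. The two \??\ drivers (DPortIO.sys, int15.sys) are listed for review only; both belong to OEM software that appears elsewhere in the HijackThis log.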

Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-11-12 09:20:26

Microsoft® Windows Vista™ Home Premium
System drive C: has 46 GB (65%) free of 71 GB
Total RAM: 2038 MB (66% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-01-28 1554256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-26 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Windows\system32\eDStoolbar.dll [2007-02-06 151552]
{DE9C389F-3316-41A7-809B-AA305ED9D922}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-02-28 4390912]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-10-22 815104]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2007-12-21 1443072]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-03-25 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-03-25 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-03-25 133656]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2007-06-29 286720]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2006-12-08 614400]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-26 31016]
"COMODO Firewall Pro"=C:\Program Files\COMODO\Firewall\cfp.exe [2008-08-16 1655552]
"MSConfig"=C:\Windows\system32\msconfig.exe [2006-11-02 222208]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-03-25 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-26 2210608]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56031d16-705f-11dc-8938-0016d4dddd7e}]
shell\AutoRun\command - H:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2008-11-12 09:20:26 ----D---- C:\rsit
2008-11-12 09:20:26 ----D---- C:\Program Files\trend micro
2008-11-12 09:08:06 ----A---- C:\Windows\ntbtlog.txt
2008-11-11 11:49:44 ----A---- C:\Windows\gmer.ini
2008-11-11 11:49:25 ----A---- C:\Windows\gmer_uninstall.cmd
2008-11-11 11:49:25 ----A---- C:\Windows\gmer.dll
2008-11-11 11:49:24 ----A---- C:\Windows\gmer.exe
2008-11-10 21:23:06 ----D---- C:\HiJackThis
2008-11-06 23:01:41 ----D---- C:\Users\Owner\AppData\Roaming\Real
2008-10-17 21:35:54 ----A---- C:\Windows\system32\winipsec.dll
2008-10-17 21:35:54 ----A---- C:\Windows\system32\polstore.dll
2008-10-17 21:35:54 ----A---- C:\Windows\system32\IPSECSVC.DLL
2008-10-17 21:35:54 ----A---- C:\Windows\system32\FwRemoteSvr.dll
2008-10-17 21:33:55 ----A---- C:\Windows\system32\shell32.dll
2008-10-17 21:32:49 ----A---- C:\Windows\system32\tzres.dll
2008-10-17 21:31:46 ----A---- C:\Windows\system32\es.dll
2008-10-17 21:31:18 ----A---- C:\Windows\system32\wmpeffects.dll
2008-10-17 21:29:40 ----A---- C:\Windows\system32\NlsLexicons0046.dll
2008-10-17 21:29:40 ----A---- C:\Windows\system32\NlsLexicons0045.dll
2008-10-17 21:29:39 ----A---- C:\Windows\system32\NlsLexicons0049.dll
2008-10-17 21:29:39 ----A---- C:\Windows\system32\NlsLexicons0047.dll
2008-10-17 21:29:39 ----A---- C:\Windows\system32\NlsLexicons0020.dll
2008-10-17 21:29:38 ----A---- C:\Windows\system32\NlsLexicons0039.dll
2008-10-17 21:29:38 ----A---- C:\Windows\system32\NlsLexicons0021.dll
2008-10-17 21:29:37 ----A---- C:\Windows\system32\NlsLexicons0022.dll
2008-10-17 21:29:36 ----A---- C:\Windows\system32\NlsLexicons0024.dll
2008-10-17 21:29:34 ----A---- C:\Windows\system32\NlsLexicons0026.dll
2008-10-17 21:29:33 ----A---- C:\Windows\system32\NlsLexicons0027.dll
2008-10-17 21:29:33 ----A---- C:\Windows\system32\NlsLexicons0010.dll
2008-10-17 21:29:32 ----A---- C:\Windows\system32\NlsLexicons0011.dll
2008-10-17 21:29:31 ----A---- C:\Windows\system32\NlsLexicons0013.dll
2008-10-17 21:29:30 ----A---- C:\Windows\system32\NlsLexicons0018.dll
2008-10-17 21:29:29 ----A---- C:\Windows\system32\NlsLexicons0019.dll
2008-10-17 21:29:27 ----A---- C:\Windows\system32\NlsLexicons0003.dll
2008-10-17 21:29:27 ----A---- C:\Windows\system32\NlsLexicons0002.dll
2008-10-17 21:29:27 ----A---- C:\Windows\system32\NlsLexicons0001.dll
2008-10-17 21:29:26 ----A---- C:\Windows\system32\NlsLexicons0007.dll
2008-10-17 21:29:25 ----A---- C:\Windows\system32\NlsLexicons004b.dll
2008-10-17 21:29:25 ----A---- C:\Windows\system32\NlsLexicons004a.dll
2008-10-17 21:29:25 ----A---- C:\Windows\system32\NlsLexicons0009.dll
2008-10-17 21:29:24 ----A---- C:\Windows\system32\NlsLexicons004c.dll
2008-10-17 21:29:23 ----A---- C:\Windows\system32\NlsLexicons004e.dll
2008-10-17 21:29:22 ----A---- C:\Windows\system32\NlsLexicons003e.dll
2008-10-17 21:29:22 ----A---- C:\Windows\system32\NlsLexicons002a.dll
2008-10-17 21:29:21 ----A---- C:\Windows\system32\NlsLexicons001a.dll
2008-10-17 21:29:20 ----A---- C:\Windows\system32\NlsLexicons001b.dll
2008-10-17 21:29:18 ----A---- C:\Windows\system32\NlsLexicons001d.dll
2008-10-17 21:29:17 ----A---- C:\Windows\system32\NlsLexicons000a.dll
2008-10-17 21:29:16 ----A---- C:\Windows\system32\NlsLexicons000c.dll
2008-10-17 21:29:15 ----A---- C:\Windows\system32\NlsLexicons000d.dll
2008-10-17 21:29:14 ----A---- C:\Windows\system32\NlsLexicons000f.dll
2008-10-17 21:29:13 ----A---- C:\Windows\system32\NlsLexicons0414.dll
2008-10-17 21:29:12 ----A---- C:\Windows\system32\NlsLexicons0816.dll
2008-10-17 21:29:12 ----A---- C:\Windows\system32\NlsLexicons0416.dll
2008-10-17 21:29:10 ----A---- C:\Windows\system32\NlsLexicons081a.dll
2008-10-17 21:29:09 ----A---- C:\Windows\system32\NlsModels0011.dll
2008-10-17 21:29:09 ----A---- C:\Windows\system32\NlsData0046.dll
2008-10-17 21:29:09 ----A---- C:\Windows\system32\NlsData0045.dll
2008-10-17 21:29:08 ----A---- C:\Windows\system32\NlsData0049.dll
2008-10-17 21:29:08 ----A---- C:\Windows\system32\NlsData0047.dll
2008-10-17 21:29:08 ----A---- C:\Windows\system32\NlsData0039.dll
2008-10-17 21:29:07 ----A---- C:\Windows\system32\NlsData0021.dll
2008-10-17 21:29:07 ----A---- C:\Windows\system32\NlsData0020.dll
2008-10-17 21:29:06 ----A---- C:\Windows\system32\NlsData0024.dll
2008-10-17 21:29:06 ----A---- C:\Windows\system32\NlsData0022.dll
2008-10-17 21:29:05 ----A---- C:\Windows\system32\NlsData0027.dll
2008-10-17 21:29:05 ----A---- C:\Windows\system32\NlsData0026.dll
2008-10-17 21:29:05 ----A---- C:\Windows\system32\NlsData0011.dll
2008-10-17 21:29:05 ----A---- C:\Windows\system32\NlsData0010.dll
2008-10-17 21:29:04 ----A---- C:\Windows\system32\NlsData0018.dll
2008-10-17 21:29:04 ----A---- C:\Windows\system32\NlsData0013.dll
2008-10-17 21:29:03 ----A---- C:\Windows\system32\NlsData0000.dll
2008-10-17 21:29:02 ----A---- C:\Windows\system32\NlsData0019.dll
2008-10-17 21:29:02 ----A---- C:\Windows\system32\NlsData0001.dll
2008-10-17 21:29:01 ----A---- C:\Windows\system32\NlsData0003.dll
2008-10-17 21:29:01 ----A---- C:\Windows\system32\NlsData0002.dll
2008-10-17 21:29:00 ----A---- C:\Windows\system32\NlsData004a.dll
2008-10-17 21:29:00 ----A---- C:\Windows\system32\NlsData0009.dll
2008-10-17 21:29:00 ----A---- C:\Windows\system32\NlsData0007.dll
2008-10-17 21:28:59 ----A---- C:\Windows\system32\NlsData004c.dll
2008-10-17 21:28:59 ----A---- C:\Windows\system32\NlsData004b.dll
2008-10-17 21:28:58 ----A---- C:\Windows\system32\NlsData004e.dll
2008-10-17 21:28:58 ----A---- C:\Windows\system32\NlsData003e.dll
2008-10-17 21:28:57 ----A---- C:\Windows\system32\NlsData002a.dll
2008-10-17 21:28:57 ----A---- C:\Windows\system32\NlsData001a.dll
2008-10-17 21:28:56 ----A---- C:\Windows\system32\NlsData001b.dll
2008-10-17 21:28:55 ----A---- C:\Windows\system32\NlsData001d.dll
2008-10-17 21:28:54 ----A---- C:\Windows\system32\NlsData000a.dll
2008-10-17 21:28:53 ----A---- C:\Windows\system32\NlsData000d.dll
2008-10-17 21:28:53 ----A---- C:\Windows\system32\NlsData000c.dll
2008-10-17 21:28:52 ----A---- C:\Windows\system32\NlsData000f.dll
2008-10-17 21:28:51 ----A---- C:\Windows\system32\NlsData0416.dll
2008-10-17 21:28:51 ----A---- C:\Windows\system32\NlsData0414.dll
2008-10-17 21:28:51 ----A---- C:\Windows\system32\NaturalLanguage6.dll
2008-10-17 21:28:50 ----A---- C:\Windows\system32\NlsData081a.dll
2008-10-17 21:28:50 ----A---- C:\Windows\system32\NlsData0816.dll
2008-10-17 21:28:49 ----A---- C:\Windows\system32\NlsLexicons0c1a.dll
2008-10-17 21:28:49 ----A---- C:\Windows\system32\NlsData0c1a.dll
2008-10-17 21:24:09 ----A---- C:\Windows\system32\srclient.dll
2008-10-17 21:24:09 ----A---- C:\Windows\system32\rstrui.exe
2008-10-17 21:24:08 ----A---- C:\Windows\system32\winload.exe
2008-10-17 21:24:08 ----A---- C:\Windows\system32\srdelayed.exe
2008-10-17 21:24:08 ----A---- C:\Windows\system32\srcore.dll
2008-10-17 21:24:08 ----A---- C:\Windows\system32\kd1394.dll
2008-10-17 21:24:07 ----A---- C:\Windows\system32\kbd106n.dll
2008-10-17 21:24:07 ----A---- C:\Windows\system32\f3ahvoas.dll
2008-10-17 21:24:07 ----A---- C:\Windows\system32\ci.dll
2008-10-17 21:21:44 ----A---- C:\Windows\system32\gdi32.dll
2008-10-17 21:21:18 ----A---- C:\Windows\system32\wshrm.dll
2008-10-17 21:20:47 ----A---- C:\Windows\system32\dnsrslvr.dll
2008-10-17 21:20:47 ----A---- C:\Windows\system32\dnscacheugc.exe
2008-10-17 21:20:47 ----A---- C:\Windows\system32\dnsapi.dll
2008-10-17 21:20:27 ----A---- C:\Windows\system32\INETRES.dll
2008-10-17 21:20:27 ----A---- C:\Windows\system32\inetcomm.dll
2008-10-17 21:20:02 ----A---- C:\Windows\system32\quartz.dll
2008-10-17 21:19:40 ----A---- C:\Windows\system32\poqexec.exe
2008-10-17 21:19:18 ----A---- C:\Windows\system32\ntoskrnl.exe
2008-10-17 21:19:18 ----A---- C:\Windows\system32\ntkrnlpa.exe
2008-10-17 21:17:05 ----A---- C:\Windows\system32\ieapfltr.dll
2008-10-17 21:17:05 ----A---- C:\Windows\system32\advpack.dll
2008-10-17 21:17:04 ----A---- C:\Windows\system32\wininet.dll
2008-10-17 21:17:04 ----A---- C:\Windows\system32\jsproxy.dll
2008-10-17 21:17:04 ----A---- C:\Windows\system32\dxtrans.dll
2008-10-17 21:17:03 ----A---- C:\Windows\system32\dxtmsft.dll
2008-10-17 21:17:02 ----A---- C:\Windows\system32\ieui.dll
2008-10-17 21:17:02 ----A---- C:\Windows\system32\ieframe.dll
2008-10-17 21:17:00 ----A---- C:\Windows\system32\mshtmled.dll
2008-10-17 21:16:59 ----A---- C:\Windows\system32\mshtml.dll
2008-10-17 21:16:57 ----A---- C:\Windows\system32\mstime.dll
2008-10-17 21:16:57 ----A---- C:\Windows\system32\icardie.dll
2008-10-17 21:16:53 ----A---- C:\Windows\system32\ieUnatt.exe
2008-10-17 21:16:52 ----A---- C:\Windows\system32\urlmon.dll
2008-10-17 21:16:51 ----A---- C:\Windows\system32\pngfilt.dll
2008-10-17 21:16:51 ----A---- C:\Windows\system32\iesetup.dll
2008-10-17 21:16:51 ----A---- C:\Windows\system32\iertutil.dll
2008-10-17 21:16:51 ----A---- C:\Windows\system32\iernonce.dll
2008-10-17 21:16:51 ----A---- C:\Windows\system32\ie4uinit.exe


======List of files/folders modified in the last 1 months======

2008-11-12 09:20:28 ----D---- C:\Windows\Temp
2008-11-12 09:20:26 ----RD---- C:\Program Files
2008-11-12 09:19:42 ----D---- C:\Windows\System32
2008-11-12 09:19:42 ----D---- C:\Windows\inf
2008-11-12 09:19:42 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-11-12 09:19:26 ----A---- C:\Windows\win.ini
2008-11-12 09:19:23 ----SHD---- C:\Windows\Installer
2008-11-12 09:19:23 ----HD---- C:\Config.Msi
2008-11-12 09:08:06 ----D---- C:\Windows
2008-11-12 09:04:13 ----D---- C:\Windows\pss
2008-11-11 11:49:26 ----D---- C:\Windows\system32\drivers
2008-11-11 11:44:08 ----D---- C:\Program Files\Mozilla Firefox
2008-11-10 21:45:12 ----D---- C:\Windows\Prefetch
2008-11-06 23:01:25 ----D---- C:\Program Files\JetAudio
2008-10-25 21:00:16 ----D---- C:\Windows\system32\catroot2
2008-10-22 16:01:18 ----D---- C:\Windows\system32\LogFiles
2008-10-17 22:02:20 ----D---- C:\Windows\system32\catroot
2008-10-17 22:02:00 ----D---- C:\Windows\winsxs
2008-10-17 22:01:43 ----ASH---- C:\Program Files\desktop.ini
2008-10-17 22:01:38 ----D---- C:\Windows\rescache
2008-10-17 21:57:15 ----D---- C:\Windows\system32\en-US
2008-10-17 21:56:37 ----D---- C:\Windows\system32\migration
2008-10-17 21:56:37 ----D---- C:\Program Files\Internet Explorer
2008-10-17 21:56:34 ----D---- C:\Windows\AppPatch
2008-10-14 21:42:37 ----D---- C:\ProgramData\Spybot - Search & Destroy


======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver; C:\Windows\System32\DRIVERS\cmdguard.sys [2008-08-16 85008]
R1 cmdHlp;COMODO Firewall Pro Helper Driver; C:\Windows\System32\DRIVERS\cmdhlp.sys [2008-08-16 25104]
R1 DritekPortIO;Dritek General Port I/O; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [2006-11-02 20112]
R1 easdrv;easdrv; C:\Windows\system32\DRIVERS\easdrv.sys [2007-12-21 30216]
R1 epfwtdir;epfwtdir; C:\Windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R2 eamon;EAMON; C:\Windows\system32\DRIVERS\eamon.sys [2007-12-21 39944]
R2 int15;int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [2006-12-07 76584]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-01 45056]
R3 Cam5607;Acer OrbiCam; C:\Windows\System32\Drivers\BisonC07.sys [2006-12-26 817968]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-02 21264]
R3 EMSCR;EMSCR; C:\Windows\system32\DRIVERS\EMS7SK.sys [2006-10-24 62208]
R3 ESDCR;ESDCR; C:\Windows\system32\DRIVERS\ESD7SK.sys [2006-10-24 42240]
R3 ESMCR;ESMCR; C:\Windows\system32\DRIVERS\ESM7SK.sys [2006-10-24 76928]
R3 GEARAspiWDM;GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 gmer;gmer; C:\Windows\System32\DRIVERS\gmer.sys [2008-11-11 85969]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-11-08 986624]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-11-08 206848]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-03-25 2307072]
R3 Inspect;Comodo Firewall Network Driver; C:\Windows\system32\DRIVERS\inspect.sys [2008-08-16 73232]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-03-01 1744928]
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2008-03-13 2555392]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2007-04-10 6144]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2007-10-09 82432]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2006-10-22 179896]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-11-08 659968]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2006-11-02 11264]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-12-18 534016]
S3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-12-18 534016]
S3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2006-11-02 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2006-11-02 16384]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2006-11-02 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-01 235520]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-01 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-03-25 2307072]
S3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\Windows\system32\DRIVERS\mcdbus.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2006-11-02 35328]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
S4 UIUSys;Conexant Setup API; C:\Windows\system32\DRIVERS\UIUSYS.SYS []


======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ALaunchService;ALaunch Service; C:\Acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]
R2 cmdAgent;COMODO Firewall Pro Helper Service; C:\Program Files\COMODO\Firewall\cmdagent.exe [2008-08-16 519936]
R2 eDataSecurity Service;eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe [2007-02-06 457512]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R2 eLockService;eLock Service; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [2006-12-22 24576]
R2 eNet Service;eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [2006-12-28 126976]
R2 eRecoveryService;eRecovery Service; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [2007-01-31 53248]
R2 eSettingsService;eSettings Service; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-04-24 24576]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2006-11-02 22016]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-12-14 61440]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 107008]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2006-11-02 22016]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2006-11-02 22016]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-07-19 262247]
R2 WMIService;ePower Service; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-01-02 135168]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2006-11-02 22016]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2007-12-21 19200]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-09-26 503608]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-26 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.04 2008-11-12 09:21:33

======Uninstall list======

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31403E22-2FDB-452F-AE9E-20854633226D}\Setup.exe" -uninst
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\setup.exe" -uninstall
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Acer Arcade Deluxe-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\setup.exe" -uninstall
Acer Assist-->C:\Program Files\Acer Assist\uninstall.exe
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer eLock Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9 -removeonly
Acer Empowering Technology-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer eNet Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\setup.exe" -l0x9 -removeonly
Acer ePower Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -l0x9 -removeonly
Acer ePresentation Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\setup.exe" -l0x9 -removeonly
Acer eSettings Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE65A9A0-9686-45C6-9098-3C9543A412F0}\setup.exe" -l0x9 -removeonly
Acer GridVista-->C:\Windows\UnInst32.exe GridV.UNI
Acer Mobility Center Plug-In-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x9 -removeonly
Acer OrbiCam -->C:\Program Files\InstallShield Installation Information\{DD1DED37-2486-4F56-8F89-56AA814003F5}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer OrbiCam-->Rundll32.exe BisonR07.dll,WinMainRmv
Acer Registration-->C:\Program Files\Acer Registration\uninstall.exe
Acer ScreenSaver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acer Tour-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94389919-B0AA-4882-9BE8-9F0B004ECA35}\setup.exe" -l0x9 -removeonly
Adobe Flash Player 9 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support-->MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
COMODO Firewall Pro-->C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
COWON Media Center - jetAudio Plus VX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\setup.exe" -l0x9 -removeonly
Creative Element Power Tools-->C:\Program Files\Creative Element Power Tools\uninstall.exe
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ESET NOD32 Antivirus-->MsiExec.exe /I{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}
ffdshow [rev 1723] [2007-12-24]-->"C:\Program Files\ffdshow\unins000.exe"
GTK+ Runtime 2.10.13 rev a (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\HXFSETUP.EXE -U -IAcrZUn32z.inf
HijackThis 2.0.2-->"G:\HijackThis.exe" /uninstall
HP Imaging Device Functions 8.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 8.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Photosmart All-In-One Software 8.0-->C:\Program Files\HP\Digital Imaging\{8641C1CB-03B3-41d4-8DEC-79826A4B5C0E}\setup\hpzscr01.exe -datfile hposcr13.dat
HP Solution Center 8.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
iTunes-->MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
Java 2 Runtime Environment, SE v1.4.1_07-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA532E73-1BB7-11D8-9D6A-00010240CE95}\setup.exe" Anytext
Java Web Start-->"C:\Program Files\Java Web Start\uninst-javaws.exe"
Launch Manager-->C:\Windows\UnInst32.exe LManager.UNI
MATLAB R2008a-->C:\Program Files\MATLAB\R2008a\uninstall\uninstall.exe C:\Program Files\MATLAB\R2008a\
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
NTI Backup NOW! 4.7-->"C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.EXE" -uninstall
QuickSFV (Remove only)-->C:\Program Files\QuickSFV\QSFVUNST.EXE C:\Program Files\QuickSFV\
QuickTime-->MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
SimCity 4-->C:\Program Files\Maxis\SimCity 4\EAUninstall.exe
SMSC Fast Infrared Driver-->C:\Program Files\InstallShield Installation Information\{1AEC7728-1640-4E98-AABC-5EBE3FB57FE4}\setup.exe -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"


======Security center information======

FW: COMODO Firewall Pro

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\MATLAB\R2008a\bin;C:\Program Files\MATLAB\R2008a\bin\win32
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0f02
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------


Additional instructions…

 

 

Next, see if you can download SDFix

Save it to the Desktop

 

^^Above is no-go. You are running Vista!!^^

 

Next, download Malwarebytes' Anti-Malware (MBAM)

Save the program to the Desktop

Close all Windows, including this one.

 

On the Desktop, double-click mbam-setup.exe to install the program, and follow the prompts

  • If an update is found, MBAM will download and install the latest.
  • Click OK
At the main program window
  • Make sure the following is checked: Perform Quick Scan
  • Click: Scan (The scan may take some time to finish, so please be patient.)
  • When the scan completes, a message box appears
  • Click OK
At the main Scanner screen:
  • Click on: Show Results
  • A screen displaying the malware found shows
  • Make sure everything found is checked, and click: Remove Selected
  • When the disinfection is complete, you may be prompted to Restart. Please do so.
  • When MBAM finishes removing the malware, a log opens in Notepad
  • The log is automatically saved and can be viewed by clicking the Logs tab.
~~~~

Download Random's System Information Tool (RSIT)

  • Save it to the Desktop
  • Double click on RSIT.exe to run the program
  • Click Continue at the disclaimer screen
  • Once the tool finishes, two logs open. Log.txt is maximized, and info.txt is minimized. (The logs are also contained in C:\rsit)
~~~~

 

Please provide the following in your reply:

The contents of the SDFix Report.txt

The MBAM report

The RSIT: Log.txt and info.txt logs.

 

You may need to do consecutive posts (one after the other) if the logs are too long.

Edited by Aaflac

We need some preliminary information. Need to get a copy of the System Registry hive file to take out the reg entries for the rootkit. Then you can replace the old hive. Need the Software hive also, to reverse some changes there.

 

If the Windows partition is mounted by Linux, do the following:

(Mount Windows Partition)

 

Part I

From Linux, navigate to the drive where Vista is installed

Go to C:\WINDOWS\erdnt\subs\system

Right-click system

What is its size?

 

Then, go to C:\Windows\System32\Config\system

Select: system (with no extension)

What is its size? Do the sizes match?

 

If not, go to C:\WINDOWS\erdnt\Hiv-backup\system

Right-click system

What is its size?

Does the size match C:\Windows\System32\Config\system?

 

Part II

Next, go to C:\WINDOWS\erdnt\subs\software

Right-click software

What is its size?

 

Then, go to C:\Windows\System32\Config\software

Select: software (with no extension)

What is its size? Do the sizes match?

 

If not, go to C:\WINDOWS\erdnt\Hiv-backup\software

Right-click software

What is its size?

Does the size match C:\Windows\System32\Config\software?

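The two-part size comparison above, done by hand in the thread, as an added example that is not part of the original posts: a POSIX shell script that, from a Linux mount of the Vista partition, reports the size of each live hive in System32\config next to the copies under erdnt\subs and erdnt\Hiv-backup and says which backup (if any) matches. The mount point, the demo directory tree and the sample byte counts are constructed assumptions; on a real mount the directory case (config vs Config) must be whatever the filesystem actually shows, since Linux paths are case-sensitive.

```shell
#!/bin/sh
# Added example (not from the thread): compare a live registry hive with the
# backup copies, instead of right-clicking each file for its size.
# Assumes the Vista partition is mounted read-only at $WINROOT, e.g. /mnt/vista.

# hive_size FILE: print the size in bytes, or "missing" if the file is absent.
hive_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo missing
    fi
}

# hive_check WINROOT HIVE: print one line per candidate and return 0 when at
# least one backup copy has the same size as the live hive, 1 otherwise.
hive_check() {
    root=$1
    hive=$2
    live="$root/Windows/System32/config/$hive"
    live_size=$(hive_size "$live")
    echo "live    $live  $live_size"
    rc=1
    for backup in "$root/Windows/erdnt/subs/$hive" \
                  "$root/Windows/erdnt/Hiv-backup/$hive"; do
        size=$(hive_size "$backup")
        if [ "$size" != missing ] && [ "$size" = "$live_size" ]; then
            echo "match   $backup  $size"
            rc=0
        else
            echo "differ  $backup  $size"
        fi
    done
    return $rc
}

# make_demo DIR: build a constructed tree so the check can be run offline.
# The sizes are made up: "system" has an intact backup under subs, "software"
# has a stale (smaller) copy under subs and a matching one under Hiv-backup.
make_demo() {
    d=$1
    mkdir -p "$d/Windows/System32/config" "$d/Windows/erdnt/subs" \
             "$d/Windows/erdnt/Hiv-backup"
    head -c 4096 /dev/zero > "$d/Windows/System32/config/system"
    head -c 4096 /dev/zero > "$d/Windows/erdnt/subs/system"
    head -c 4096 /dev/zero > "$d/Windows/System32/config/software"
    head -c 2048 /dev/zero > "$d/Windows/erdnt/subs/software"
    head -c 4096 /dev/zero > "$d/Windows/erdnt/Hiv-backup/software"
}

# Stand-alone run against the constructed tree; replace $WINROOT with the real
# mount point (e.g. WINROOT=/mnt/vista) to check an actual installation.
WINROOT=${WINROOT:-$(mktemp -d)}
make_demo "$WINROOT"
hive_check "$WINROOT" system
hive_check "$WINROOT" software
```

A size match is only a first-pass sanity check: identical sizes say nothing about the contents, which is why the helpers still ask for the hives themselves before deciding what to put back.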

We still have some cards to play…

 

From Linux, navigate to the drive where Vista is installed

Go to C:\Windows\System32\Config\system

Select: System (with no extension)

Right-click and zip the file

 

Next, go to: C:\Windows\System32\config\software

Select: Software (with no extension)

Right-click and zip the file

 

 

Now, please send both files as attachments to:

noahdfear

Title the email: WillM Hives

 

The work on these hives will not be done tonight, though.

 

We will get back to you as soon as we have something ready for you.

Edited by noahdfear

When I tried to boot normally, I got this error message:

 

LogonUI.exe - Bad Image

 

C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\COMCTL32.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

 


Tried both by booting off the Vista disc and by using the recovery partition that came with the computer. With both methods Startup Repair reported no errors found. The sfc /scannow command didn't work for either method--via the Vista DVD I get the line "Windows Resource Protection could not perform the requested operation," and every time I tried the command in the recovery partition I get "There is a system repair pending which requires reboot to complete. Restart Windows and run sfc again". :pullhair:

 

Can you boot with the Vista CD, and run the Windows Recovery Environment

 

Try doing a Startup Repair

 

Or, use the Command Prompt and run sfc /scannow

 


WillM,

 

Does this file actually exist (Yes/No):

C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\COMCTL32.dll

 

If so, please zip and send to [email protected]

 

Also send noahdfear a zipped copy of the C:\Qoobox folder, if it's not too large once zipped, and the C:\QooBox\ComboFix-quarantined-files.txt

 

Let me know when you have done this, and we will press on.


Sent the Qoobox folder and the COMCTL32.dll file. I couldn't find C:\QooBox\ComboFix-quarantined-files.txt though. Is the file path correct?

 



I couldn't find C:\QooBox\ComboFix-quarantined-files.txt though. Is the file path correct?

Yes!

 

 

Does this file actually exist:

C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\COMCTL32.dll

 

Do you also have this file:

C:\Windows\WinSxS\x86_microsoft-windows-shell-comctl32-v5_***_***_none_*** folder (where *** is a random string of numbers)\comctl32.dll


Yes, both these files exist.

 



Rename this one to comctl32.dll.old

C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\COMCTL32.dll

 

 

Then copy this one to that folder.

C:\Windows\WinSxS\x86_microsoft-windows-shell-comctl32-v5_***_***_none_*** folder (where *** is a random string of numbers)\comctl32.dll

 

Reboot, and if the bootup is successful, update and run MBAM, then post the log.

Edited by noahdfear

Renamed the old file and copied the new file as instructed but still no successful boot. This is the new error message I received:

LogonUI.exe - Ordinal not found

 

The ordinal 343 could not be located in the dynamic link library COMCTL32.dll

 


Seems to be running normally now...

 

Malwarebytes' Anti-Malware 1.30

Database version: 1399

Windows 6.0.6000

 

11/15/2008 00:29:19

mbam-log-2008-11-15 (00-29-19).txt

 

Scan type: Quick Scan

Objects scanned: 50028

Time elapsed: 4 minute(s), 26 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 11

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Windows\System32\TDSSlfpe.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Windows\System32\TDSStmei.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Windows\System32\TDSSuscv.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Windows\System32\TDSSwgom.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Windows\System32\drivers\TDSSigmc.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Windows\System32\av.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Owner\AppData\Local\Temp\TDSS9d8c.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Owner\AppData\Local\Temp\TDSS9e37.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Users\Owner\AppData\Local\Temp\TDSSd3d7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Windows\System32\TDSSbonm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Windows\System32\TDSSyilq.log (Trojan.TDSS) -> Quarantined and deleted successfully.


:clap: Great job!!

 

Also, thanks noahdfear, for your help!! :adios:

 

WillM,

 

Remove the old copy of RSIT and once again download Random's System Information Tool (RSIT)

  • Save it to the Desktop
  • Double click on RSIT.exe to run the program (Note: If you are using Windows Vista, right click at RSIT.exe and select Run as administrator)
  • Click Continue at the disclaimer screen
  • Once the tool finishes, two logs open. Log.txt is maximized, and info.txt is minimized. (The logs are also contained in C:\rsit)
--> Please provide the RSIT: Log.txt and info.txt logs. (The last RSIT log posted did not look right, hence the reason for the new download.)

 

You may need to do consecutive posts (one after the other) if the logs are too long.

Edited by Aaflac