anti virus software detected a virus or spyware

This is a discussion on anti virus software detected a virus or spyware within the Inactive Malware Help Topics forums, part of the Tech Support Forum category. Hi there, I have trend micro antivirus and it has been giving me a warning that says: "Trend Micro Antivirus

Old 11-05-2009, 05:24 PM   #1
ml7
Guest
 
Join Date: Nov 2009
Posts: 7
OS:



Hi there,
I have trend micro antivirus and it has been giving me a warning that says:

"Trend Micro Antivirus has detected a virus or spyware and performed a scan action (spyware names have the prefix "SPYW_").

Infected file: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP928\A0144062.exe"

I'm giving my computer away to my parents and would like to clean it out before I do so. Thanks in advance.

DDS:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 17:51:53.82 on Mon 11/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2045.1103 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WTMKM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5076E
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [readericon] "c:\program files\digital media reader\readericon45G.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
mRun: [pccguide.exe] "c:\program files\trend micro\antivirus\pccguide.exe"
mRun: [PCClient.exe] "c:\program files\trend micro\antivirus\PCClient.exe"
mRun: [TM Outbreak Agent] "c:\program files\trend micro\antivirus\TMOAgent.exe" /run
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MacrokeyManager] WTMKM.exe
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE" /auto
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} - hxxp://s.nx.com/activex/public_new/nxpm.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\owoyumt0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-6-26 204800]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2006-9-13 205328]
R2 Tmntsrv;Trend NT Realtime Service;c:\program files\trend micro\antivirus\Tmntsrv.exe [2006-9-13 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-13 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\antivirus\tmproxy.exe [2006-9-13 204873]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-5-15 360096]
RUnknown pavboot;pavboot; [x]

=============== Created Last 30 ================

2009-10-13 22:31:16 0 d-----w- c:\program files\Hero Editor
2009-10-13 22:31:06 249856 ------w- c:\windows\Setup1.exe
2009-10-13 22:31:01 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-12 22:33:24 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{534D3919-DB8B-4E09-99D4-DD45918CCE66}
2009-10-12 22:33:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Linksys
2009-10-12 22:26:14 0 d-----w- c:\program files\WebEx
2009-10-12 22:25:44 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-10-12 22:25:40 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2009-10-12 22:25:34 0 d-----w- c:\program files\common files\Pure Networks Shared
2009-10-12 22:25:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2009-10-12 21:44:48 0 d-----w- c:\program files\Linksys

==================== Find3M ====================

2009-09-25 05:49:02 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48:59 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll

============= FINISH: 17:53:18.82 ===============
Attached Files
File Type: zip Attach.zip (6.4 KB, 14 views)
Old 11-06-2009, 01:28 PM   #2
Security Team
Analyst
 
Join Date: Jan 2009
Posts: 559
OS: N/A



Hello and welcome to TSF.

I apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please post a fresh DDS log and a new GMER log as described in this topic. In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please note that the forum is very busy and if I don't hear from you in three-five days this thread will be closed.

With Regards,
Extremeboy
Old 11-09-2009, 01:40 PM   #3
Security Team
Analyst
 
Join Date: Jan 2009
Posts: 559
OS: N/A



Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. The forums here at TSF are always a busy place and if I don't hear from you within 5 days of my last reply, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy
Old 11-09-2009, 07:49 PM   #4
ml7
Guest
 
Join Date: Nov 2009
Posts: 7
OS:



Sorry for the delay, I was out of town for the weekend.

The same warning pops up from my anti virus software. Also, my computer boots up very slow, and half of the time, after startup, the start menu and taskbar freeze and I can't do anything.

DDS:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 17:47:09.52 on Mon 11/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2045.1217 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WTMKM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\World of Warcraft\Launcher.exe
C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5076E
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Simplify Media] "c:\program files\simplify media\SimplifyMedia.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [readericon] "c:\program files\digital media reader\readericon45G.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
mRun: [pccguide.exe] "c:\program files\trend micro\antivirus\pccguide.exe"
mRun: [PCClient.exe] "c:\program files\trend micro\antivirus\PCClient.exe"
mRun: [TM Outbreak Agent] "c:\program files\trend micro\antivirus\TMOAgent.exe" /run
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MacrokeyManager] WTMKM.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} - hxxp://s.nx.com/activex/public_new/nxpm.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\owoyumt0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-6-26 204800]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2006-9-13 205328]
R2 Tmntsrv;Trend NT Realtime Service;c:\program files\trend micro\antivirus\Tmntsrv.exe [2006-9-13 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-13 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\antivirus\tmproxy.exe [2006-9-13 204873]
S2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-5-15 360096]

=============== Created Last 30 ================

2009-11-06 07:36:01 0 d-----w- c:\program files\World of Warcraft
2009-11-06 07:33:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard
2009-10-13 22:31:16 0 d-----w- c:\program files\Hero Editor
2009-10-13 22:31:06 249856 ------w- c:\windows\Setup1.exe
2009-10-13 22:31:01 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-12 22:33:24 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{534D3919-DB8B-4E09-99D4-DD45918CCE66}
2009-10-12 22:33:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Linksys
2009-10-12 22:26:14 0 d-----w- c:\program files\WebEx
2009-10-12 22:25:44 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-10-12 22:25:40 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2009-10-12 22:25:34 0 d-----w- c:\program files\common files\Pure Networks Shared
2009-10-12 22:25:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2009-10-12 21:44:48 0 d-----w- c:\program files\Linksys

==================== Find3M ====================

2009-09-25 05:49:02 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48:59 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 17:48:43.98 ===============
Attached Files
File Type: zip Attach.zip (7.2 KB, 17 views)
Old 11-10-2009, 02:26 PM   #5
Security Team
Analyst
 
Join Date: Jan 2009
Posts: 559
OS: N/A



Hello.

Please reboot your system and then run a scan with RootRepeal, followed by a scan with Malwarebytes.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the tab at the bottom.
  • Now press the button.
  • A box will pop up, check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Thanks.

~EB
Old 11-10-2009, 07:17 PM   #6
ml7
Guest
 
Join Date: Nov 2009
Posts: 7
OS:



ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 20:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9B04000 Size: 876544 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7D50000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs04dfbf06-0636-4a73-8d08-706a0ce57dce.tmp
Status: Allocation size mismatch (API: 16, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs07abb02f-65e7-46c5-830f-18590a42fc85.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs07d8d2c7-df0a-48ff-9198-875bba342129.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs100d3c0b-70bd-495c-a498-37360810ffe2.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs10cf5144-0a85-44c0-8cfb-2296a1ce5289.tmp
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs11efaf0b-2419-42d8-87c5-f4007ccfe43d.tmp
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs17b8a5ca-9fb4-4dc8-9e43-8d1c7e757dbb.tmp
Status: Allocation size mismatch (API: 104, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1c2c6052-8c70-4e62-bc97-1466f222fc79.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7a34baf0-b555-4c17-b602-6b20537559a6.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7c3c1032-1e79-44ca-b394-49b9369d6099.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs81b72e67-1386-453e-89ff-e5f620da3dd9.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs83c2724d-f901-4654-a6f5-a104d69f56e6.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8699c6d0-05df-4a42-8474-d0cb1e1b43e0.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs87eb9f1e-485a-4730-a137-300057ac172b.tmp
Status: Allocation size mismatch (API: 96, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs886b222f-b0b8-44cf-a29f-97c2598a6195.tmp
Status: Allocation size mismatch (API: 104, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8cea7339-8643-4460-8fa0-70df010d12e2.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8f42ab61-2b49-4627-ad8b-0e40f52478fa.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc1bc7adc-90d1-46a6-b3e1-e7afbd1e23a5.tmp
Status: Allocation size mismatch (API: 520, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc3dfa6bd-5cf9-48bd-a4c6-83ad238b5ddb.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc5bf64d7-1e09-408c-b68f-02d6cad46863.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc66be979-69ed-4a5e-a109-a1c5d9ffa827.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsca63dc3a-52aa-4528-85f4-ed0d71e1eaf4.tmp
Status: Allocation size mismatch (API: 104, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsca8b0dd8-300b-4849-9a4b-9935f01a261b.tmp
Status: Allocation size mismatch (API: 424, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs44b61f22-b28f-4296-8ca3-5e77b0ac690d.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs473cac7c-98c4-4ea9-b19d-e1271a276fa7.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs474d7b57-6076-4990-a401-b3e6e68effa2.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs479112e0-c51b-402b-bd34-830d72bc99dd.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs47cd5846-8c65-46ec-a717-8153a2ba1d42.tmp
Status: Allocation size mismatch (API: 504, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4a1a9277-392c-43f4-aa1e-f120323f21d3.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs500bbd4b-91be-41f5-adbd-abb28ce81b06.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5b6102f5-aee5-4dee-9395-cd538f4312f3.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9144b45c-bc34-4244-8846-428af4db764b.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9f1e3b20-131a-4b72-a3d8-c6b21e07e595.tmp
Status: Allocation size mismatch (API: 448, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbe4571e2-9ae4-4bde-927e-f16aa544e66e.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse5194335-4d4f-48b4-8453-619f2e551c1e.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse0276fd5-19aa-4411-89a0-4d134158c617.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse0f08e6b-9c2d-4364-a414-3f8a3f97d1a7.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse1b42ed5-841c-449f-a872-908faccc2c35.tmp
Status: Allocation size mismatch (API: 104, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse447d477-34f5-4799-8e71-8b4849dcb862.tmp
Status: Allocation size mismatch (API: 32, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse4894d7b-e962-47c5-a752-6884408f31e3.tmp
Status: Allocation size mismatch (API: 120, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa1c75c8e-8403-4247-8ffc-fbce4a2ff2bd.tmp
Status: Allocation size mismatch (API: 32, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa4708ebc-e75f-4ffb-b9e8-d45cbf43cce3.tmp
Status: Allocation size mismatch (API: 72, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsaba977c9-802e-49b7-8a44-b53f9cc5e368.tmp
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsaff19b5c-8e5b-4896-aa11-a526a63defb4.tmp
Status: Allocation size mismatch (API: 200, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs234edc5c-a4ec-4110-9eec-55c2caeefddd.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs244c8f71-b573-4988-bfe5-fc80c2961056.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs25a20822-ab3a-44c7-8f72-44dc1cf76669.tmp
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs29ee6ceb-ad7c-44aa-a460-98cb4efcf4ea.tmp
Status: Allocation size mismatch (API: 168, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs39fc7788-e371-4982-b5f7-9eaaa7422480.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3b87e682-594e-4a19-a298-5daa25e778dd.tmp
Status: Allocation size mismatch (API: 56, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3c00adbf-8af0-4449-adf5-b411af6a60b8.tmp
Status: Allocation size mismatch (API: 504, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3db539fd-4247-4d28-8a95-f651f5acf999.tmp
Status: Allocation size mismatch (API: 136, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3eae0db0-99a9-4c70-b004-69040a01e2ea.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs40e71652-126f-4af2-9027-40afd2848dad.tmp
Status: Allocation size mismatch (API: 128, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5fc68a78-084a-4c22-bf43-f73eafc7b890.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs671d5560-968e-4574-b436-ebf1a32fe017.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7421dd7a-6fd9-40cb-962e-80eafd1ed237.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs745bb6b2-23ef-4491-aa0a-315804800d84.tmp
Status: Allocation size mismatch (API: 120, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs92dad459-ccfe-4345-ad1f-5febaa0a2aa0.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs960c1633-3d48-4691-9a96-bf67bd8fa5ad.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs96370e3d-bd56-4470-9b41-64f91662ffab.tmp
Status: Allocation size mismatch (API: 504, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9a6693a3-b7d2-4060-b33f-82db7a240681.tmp
Status: Allocation size mismatch (API: 432, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb3057331-3097-4f08-83a4-f0376238cb76.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb81134c3-4ff0-4647-9f0c-d843cf24af5c.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbc4c4b88-8bf4-4e69-b7f0-f6c5ee922736.tmp
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbc602c39-7bee-47df-b716-67660909d01e.tmp
Status: Allocation size mismatch (API: 120, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsbcd2bb9b-5fa5-4aa1-9d25-9e036938d814.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf5255a12-e8dd-45f5-a7dd-4c5d9177ac56.tmp
Status: Allocation size mismatch (API: 120, Raw: 0)

Path: c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf8dd24a7-77fd-4122-b203-81567d1970f0.tmp
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\10\210-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v210-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v210-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\11\211-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v211-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v211-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\16\216-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v216-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v216-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\58\258-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v258-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v258-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\59\259-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v259-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v259-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\60\260-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v260-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v260-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\61\261-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v261-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v261-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\62\262-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v262-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v262-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\63\263-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v263-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v263-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\64\264-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v264-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v264-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\65\265-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v265-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v265-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\66\266-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v266-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v266-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\67\267-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v267-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v267-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\68\268-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v268-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v268-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\69\269-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v269-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v269-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\70\270-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v270-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v270-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\71\271-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v271-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v271-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\72\272-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v272-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v272-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\73\273-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v273-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v273-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\74\274-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v274-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v274-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\75\275-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v275-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v275-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\76\276-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v276-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v276-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\78\278-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v278-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v278-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\79\279-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v279-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v279-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\80\280-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v280-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v280-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\81\281-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v281-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v281-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\82\282-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v282-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v282-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\83\283-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v283-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v283-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\84\284-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v284-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v284-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\85\285-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v285-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v285-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\86\286-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v286-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v286-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\87\287-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v287-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v287-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\88\288-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v288-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v288-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\89\289-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v289-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v289-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\90\290-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v290-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v290-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\91\291-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v291-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v291-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\92\292-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v292-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v292-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\93\293-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v293-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v293-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\94\294-{8~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{45DBB828-6479-68F1-C8BA-F0F439CCB9C9}\95\295-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v295-{80A201FC-A804-47F2-BF8B-BE456C7FBD4B}-v295-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a9e3d50

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x8ab04a98

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8aa47ab8

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8aa47a40

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a9e3020

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8a9e70a8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8aa47b30

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xba6c5e2c

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xba6c61ba

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xba6c00b0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xba6c6292

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xba6c6112

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8a9e3dc8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a9e3c60

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x8aa47c98

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a9e3eb8

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8aa47c20

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8aa47950

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8a9e3f30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x8aa47ba8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8aa478d8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a9e3e40

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8aa479c8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a9e3fa8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a9e3cd8

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8aa7d1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x89da1cc8

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x896b4958

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x894a2408

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x896b49d0

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x89be0020

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8a03f238

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8a0334a8

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x896fee70

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x89db4688

==EOF==



Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 2

11/10/2009 9:02:01 PM
mbam-log-2009-11-10 (21-02-01).txt

Scan type: Quick Scan
Objects scanned: 115577
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> Quarantined and deleted successfully.
ml7 is offline  
Old 11-11-2009, 01:26 PM   #7
Security Team
Analyst
 
Join Date: Jan 2009
Posts: 559
OS: N/A



Thanks for those logs.

We are going to start with Combofix.

Please visit this webpage for instructions for downloading and running ComboFix:

https://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
extremeboy is offline  
Old 11-11-2009, 03:57 PM   #8
Security Team
Analyst
 
Join Date: Jan 2009
Posts: 559
OS: N/A



Just to let you know that what Malwarebytes detected were false positives. Take a look here: https://www.malwarebytes.org/forums/i...8&#entry156278

A recent update of Malwarebytes resolved this issue. You should have updated your MBAM database.

If you are experiencing problems:
Quote:
Please contact the help desk if you are experiencing this issue, and we will work through it with you.

To open a new ticket, simply send an e-mail to support@malwarebytes.org

Many thanks to the users who quickly brought this to our attention. ;)

Also, all users should please update Malwarebytes' Anti-Malware's database to resolve this issue for the future.
extremeboy is offline  
Old 11-11-2009, 04:57 PM   #9
ml7
Guest
 
Join Date: Nov 2009
Posts: 7
OS:



Do you want me to redo the Malwarebytes logs then?
And here's the combofix:

ComboFix 09-11-11.02 - Owner 11/11/2009 17:20.7.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2045.1422 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-11 23:13 . 2009-11-11 23:13 -------- d-----w- c:\windows\LastGood
2009-11-11 02:55 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-11 02:55 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 16:01 . 2009-11-10 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-11-10 15:10 . 2009-11-10 15:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Blizzard Entertainment
2009-11-06 07:36 . 2009-11-10 17:26 -------- d-----w- c:\program files\World of Warcraft
2009-11-06 07:33 . 2009-11-06 07:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-10-13 22:31 . 2009-10-13 22:32 -------- d-----w- c:\program files\Hero Editor
2009-10-13 22:31 . 2009-10-13 22:31 249856 ------w- c:\windows\Setup1.exe
2009-10-13 22:31 . 2009-10-13 22:31 73216 ----a-w- c:\windows\ST6UNST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-11 02:55 . 2009-08-21 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 23:39 . 2006-10-23 11:22 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-11-05 04:46 . 2007-07-19 07:49 -------- d-----w- c:\program files\Warcraft III
2009-11-02 23:50 . 2008-12-14 16:41 -------- d-----w- c:\program files\Panda Security
2009-11-02 23:48 . 2007-11-26 01:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-02 23:48 . 2008-12-07 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-14 08:03 . 2006-10-16 18:54 -------- d-----w- c:\program files\Microsoft Works
2009-10-13 22:58 . 2007-04-21 21:28 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-10-13 21:10 . 2009-07-31 02:02 -------- d-----w- c:\program files\Diablo II
2009-10-12 22:33 . 2009-10-12 22:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{534D3919-DB8B-4E09-99D4-DD45918CCE66}
2009-10-12 22:33 . 2009-10-12 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Linksys
2009-10-12 22:26 . 2009-10-12 21:44 -------- d-----w- c:\program files\Linksys
2009-10-12 22:26 . 2009-10-12 22:26 -------- d-----w- c:\program files\WebEx
2009-10-12 22:25 . 2009-10-12 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-10-12 22:25 . 2009-10-12 22:25 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-10-12 22:23 . 2006-10-16 18:51 -------- d-----w- c:\program files\Java
2009-09-27 22:57 . 2008-12-29 02:08 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-09-26 21:01 . 2006-10-18 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-09-26 04:00 . 2009-09-26 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-26 04:00 . 2009-01-27 02:25 -------- d-----w- c:\program files\iTunes
2009-09-26 03:59 . 2009-09-26 03:59 -------- d-----w- c:\program files\iPod
2009-09-26 03:59 . 2008-03-18 00:49 -------- d-----w- c:\program files\Common Files\Apple
2009-09-26 03:54 . 2009-09-26 03:53 -------- d-----w- c:\program files\QuickTime
2009-09-26 03:41 . 2009-09-26 03:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-26 03:32 . 2008-03-18 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-26 03:28 . 2009-09-26 03:28 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-25 05:49 . 2006-06-17 09:23 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2006-10-16 18:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:03 . 2006-10-16 18:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2006-10-16 18:12 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:42 . 2009-09-26 03:32 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2008-03-18 00:49 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:16 . 2006-10-16 18:13 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 08:20 . 2006-06-19 04:25 42752 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]
"Simplify Media"="c:\program files\Simplify Media\SimplifyMedia.exe" [2009-01-08 8079880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-27 8740864]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-08-04 3871744]
"pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2006-09-14 950337]
"PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2006-09-14 634949]
"TM Outbreak Agent"="c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2006-09-14 290816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-27 180269]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]
"MacrokeyManager"="WTMKM.exe" - c:\windows\system32\WTMKM.exe [2007-05-29 1969824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Simplify Media\\SimplifyMedia.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Diablo II\\D2Loader-1.12.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [9/13/2006 9:00 PM 205328]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/13/2006 9:00 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [9/13/2006 9:00 PM 204873]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe [5/15/2008 3:47 PM 360096]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [6/26/2008 6:52 AM 204800]
S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [9/13/2006 9:00 PM 241737]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-11-11 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4249057271.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2794298053-3006324453-4183137355-1006Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 16:40]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2794298053-3006324453-4183137355-1006UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 16:40]

2009-11-11 c:\windows\Tasks\WebReg 20090731112337.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-09 23:06]

2009-11-10 c:\windows\Tasks\wrSpySweeper_0F513D4BF8DD4901A95F2C092115A2D5.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-10-16 01:02]

2009-11-10 c:\windows\Tasks\wrSpySweeper_0F513D4BF8DD4901A95F2C092115A2D5.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-10-16 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5076E
uInternet Settings,ProxyOverride = *.local
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} - hxxp://s.nx.com/activex/public_new/nxpm.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\owoyumt0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Call of Duty - c:\progra~1\CALLOF~1\Uninstall\Unwise.exe
AddRemove-The Weather Channel Desktop 6 - c:\program files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
AddRemove-Wolfenstein - Enemy Territory - c:\progra~1\WOLFEN~1\Uninstall\Unwise.exe
AddRemove-Warcraft III - c:\windows\War3Unin.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-11-11 17:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll 53248 bytes executable


**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, https://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AA9F1E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x8aa9f1e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 59 !
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2794298053-3006324453-4183137355-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\WRLogonNTF.dll
.
Completion time: 2009-11-11 17:35
ComboFix-quarantined-files.txt 2009-11-11 23:34
ComboFix2.txt 2008-12-14 16:39
ComboFix3.txt 2008-12-12 18:58

Pre-Run: 366,993,809,408 bytes free
Post-Run: 367,295,209,472 bytes free

- - End Of File - - 2D587E0266D58CE204DFE570F6EAB865
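The Stealth MBR detector section of the ComboFix log above reports two things: a hook on \Driver\iaStor (the Intel Matrix Storage Manager RAID driver that sits between disk.sys and the hardware on this Gateway box, which is why the module shows as UNKNOWN in the call chain) and "copy of MBR has been found in sector 59". The following is an added example, not GMER or ComboFix code, showing what that second finding is: a scan of the sectors before the first partition for a saved copy of the MBR, and a comparison of sector 0's boot code against the copy. The disk image it runs on is constructed in the script (a clean MBR saved to sector 59 with sector 0's boot code replaced by a stub, the Mebroot/Sinowal pattern); sector and layout constants follow the standard MBR format. Nothing here is data from the thread's machine.

```python
"""Added example (not GMER/ComboFix code): find saved copies of the MBR in the
sectors before the first partition, the check behind GMER's line
"copy of MBR has been found in sector 59 !", and report whether the boot code
in sector 0 still matches that copy. The sample image is constructed here."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439 are boot code; 440..445 disk signature/pad
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
SIG = b"\x55\xaa"


def parse_mbr(sector0: bytes) -> dict:
    """Split one 512-byte sector into boot code, partition entries and signature."""
    if len(sector0) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (3 skipped), LBA start, length
        status, ptype, lba_start, length = struct.unpack("<B3xB3xII", entry)
        if ptype:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": length})
    return {"boot_code": sector0[:BOOT_CODE_LEN], "partitions": partitions,
            "signature_ok": sector0[510:] == SIG}


def find_mbr_copies(image: bytes, max_sector: int = 63) -> list:
    """Sectors 1..max_sector that carry the same partition table and a valid
    signature as sector 0, i.e. look like a stored copy of the MBR. Mebroot-style
    bootkits save the original MBR this way before overwriting sector 0, but boot
    managers and OEM recovery tools keep such copies too, so each hit also records
    whether its boot code differs from what sector 0 holds now."""
    mbr = image[:SECTOR]
    total = len(image) // SECTOR
    hits = []
    for n in range(1, min(max_sector + 1, total)):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if sec[510:] != SIG or sec[PART_TABLE] != mbr[PART_TABLE]:
            continue
        hits.append({"sector": n,
                     "boot_code_differs": sec[:BOOT_CODE_LEN] != mbr[:BOOT_CODE_LEN],
                     "sha256": hashlib.sha256(sec).hexdigest()})
    return hits


def scan(image: bytes) -> dict:
    """Summary a triage script would print: MBR sanity, where copies live, and
    which copies disagree with sector 0's boot code."""
    ref = parse_mbr(image[:SECTOR])
    copies = find_mbr_copies(image)
    return {"signature_ok": ref["signature_ok"],
            "partitions": len(ref["partitions"]),
            "copies": [c["sector"] for c in copies],
            "boot_code_differs_in": [c["sector"] for c in copies if c["boot_code_differs"]]}


def build_sample_image() -> bytes:
    """Constructed 64-sector image (synthetic, not the thread's disk): the
    original MBR saved to sector 59 and sector 0's boot code replaced by a stub,
    which is the pattern the GMER warning describes."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000) + b"\x00" * 48
    clean_code = b"\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 4)  # xor ax,ax / mov ss,ax / nops
    clean_mbr = clean_code + b"\x11\x22\x33\x44\x00\x00" + table + SIG
    stub_code = b"\xeb\xfe" + b"\xcc" * (BOOT_CODE_LEN - 2)           # jmp $ placeholder
    hooked_mbr = stub_code + clean_mbr[BOOT_CODE_LEN:]
    sectors = [hooked_mbr] + [b"\x00" * SECTOR] * 63
    sectors[59] = clean_mbr
    return b"".join(sectors)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # a dd image, or \\.\PhysicalDrive0 opened as Administrator
        with open(sys.argv[1], "rb") as f:
            image = f.read(64 * SECTOR)
    else:
        image = build_sample_image()
    print(scan(image))
```

A saved copy by itself is not proof of infection; what matters is whether the boot code sector 0 currently holds differs from that copy, and whether the driver stack between the file system and the disk is what the vendor shipped. The analyst's follow-up in this thread (hash-checking iaStor.sys against the install-source copies) is the second half of that check, and "fixmbr" from the Recovery Console is only warranted once the first half shows a real discrepancy.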
Old 11-11-2009, 05:13 PM   #10
extremeboy (Security Team Analyst; Join Date: Jan 2009; Posts: 559; OS: N/A)

Hello.

Please update Malwarebytes and run a quick-scan with it. Post the log once done.

Then, please run GMER again by downloading it from >>over here<<, saving it to your desktop and running it. The interface will be the same as before when you ran GMER. Post that log as well once it's done.

For your next reply I would like to see:
-Malwarebytes log
-GMER log

Edit to add in: Please ignore my other post, I wasn't thinking straight, but continue with this step of instructions and post the logs once done, please.

Thanks.

~Extremeboy
Old 11-12-2009, 11:06 AM   #11
ml7 (Guest; Join Date: Nov 2009; Posts: 7)

Malwarebytes' Anti-Malware 1.41
Database version: 3153
Windows 5.1.2600 Service Pack 2

11/12/2009 12:38:20 AM
mbam-log-2009-11-12 (00-38-20).txt

Scan type: Quick Scan
Objects scanned: 110175
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





GMER 1.0.15.15220 - https://www.gmer.net
Rootkit scan 2009-11-12 13:02:17
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uftdqpob.sys


---- System - GMER 1.0.15 ----

SSDT 8A9E4EB8 ZwAllocateVirtualMemory
SSDT 8AAFDF30 ZwCreateKey
SSDT 8AA48C50 ZwCreateProcess
SSDT 8AA48BD8 ZwCreateProcessEx
SSDT 8AA489F8 ZwCreateThread
SSDT 8A9E7148 ZwDeleteKey
SSDT 8AA48CC8 ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xBA6C5E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C61BA]
SSDT sptd.sys ZwOpenKey [0xBA6C00B0]
SSDT sptd.sys ZwQueryKey [0xBA6C6292]
SSDT sptd.sys ZwQueryValueKey [0xBA6C6112]
SSDT 8A9E4F30 ZwQueueApcThread
SSDT 8A9E4DC8 ZwReadVirtualMemory
SSDT 8AA48E30 ZwRenameKey
SSDT 8A9E4020 ZwSetContextThread
SSDT 8AA48DB8 ZwSetInformationKey
SSDT 8AA48AE8 ZwSetInformationProcess
SSDT 8AA48908 ZwSetInformationThread
SSDT 8AA48D40 ZwSetValueKey
SSDT 8AA48A70 ZwSuspendProcess
SSDT 8A9E4FA8 ZwSuspendThread
SSDT 8AA48B60 ZwTerminateProcess
SSDT 8AA48980 ZwTerminateThread
SSDT 8A9E4E40 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AA7E1E8

AttachedDevice \FileSystem\Ntfs \Ntfs SSFS0509.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Fastfat \FatCdrom 89F797A0
Device \Driver\Tcpip \Device\Ip 89D2DE90
Device \Driver\Tcpip \Device\Ip 89FFC560
Device \Driver\Tcpip \Device\Ip 89ED9170
Device \Driver\usbuhci \Device\USBPDO-0 89FF1510
Device \Driver\usbuhci \Device\USBPDO-1 89FF1510
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AAA11E8
Device \Driver\dmio \Device\DmControl\DmConfig 8AAA11E8
Device \Driver\dmio \Device\DmControl\DmPnP 8AAA11E8
Device \Driver\dmio \Device\DmControl\DmInfo 8AAA11E8
Device \Driver\usbuhci \Device\USBPDO-2 89FF1510
Device \Driver\usbuhci \Device\USBPDO-3 89FF1510
Device \Driver\usbehci \Device\USBPDO-4 89FF81E8
Device \Driver\Tcpip \Device\Tcp 89D2DE90
Device \Driver\Tcpip \Device\Tcp 89FFC560
Device \Driver\Tcpip \Device\Tcp 89ED9170

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8AAA21E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AAA21E8
Device \Driver\iaStor \Device\Ide\iaStor0 8AA9F1E8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 8AA9F1E8
Device \Driver\usbstor \Device\000000b1 89CE77A0
Device \Driver\usbstor \Device\000000b3 89CE77A0
Device \Driver\usbstor \Device\000000b4 89CE77A0
Device \Driver\usbstor \Device\000000b5 89CE77A0
Device \Driver\NetBT \Device\NetBt_Wins_Export 89D41510
Device \Driver\usbstor \Device\000000b6 89CE77A0
Device \Driver\NetBT \Device\NetbiosSmb 89D41510
Device \Driver\NetBT \Device\NetBT_Tcpip_{477A5F3F-4650-46DF-BD60-D1F7F9D81F18} 89D41510
Device \Driver\Tcpip \Device\Udp 89D2DE90
Device \Driver\Tcpip \Device\Udp 89FFC560
Device \Driver\Tcpip \Device\Udp 89ED9170
Device \Driver\Tcpip \Device\RawIp 89D2DE90
Device \Driver\Tcpip \Device\RawIp 89FFC560
Device \Driver\Tcpip \Device\RawIp 89ED9170
Device \Driver\usbuhci \Device\USBFDO-0 89FF1510
Device \Driver\usbuhci \Device\USBFDO-1 89FF1510
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D3F7A0
Device \Driver\usbuhci \Device\USBFDO-2 89FF1510
Device \Driver\Tcpip \Device\IPMULTICAST 89D2DE90
Device \Driver\Tcpip \Device\IPMULTICAST 89FFC560
Device \Driver\Tcpip \Device\IPMULTICAST 89ED9170
Device \Driver\usbuhci \Device\USBFDO-3 89FF1510
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89D3F7A0
Device \Driver\Ftdisk \Device\FtControl 8AAA21E8
Device \Driver\usbehci \Device\USBFDO-4 89FF81E8
Device \FileSystem\Fastfat \Fat 89F797A0

AttachedDevice \FileSystem\Fastfat \Fat SSFS0509.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \Driver\iaStor -> \Driver\iaStor \Device\Harddisk0\DR0 8AA9F1E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 59: copy of MBR

---- EOF - GMER 1.0.15 ----
Old 11-13-2009, 01:34 PM   #12
extremeboy (Security Team Analyst; Join Date: Jan 2009; Posts: 559; OS: N/A)

Hello.

Are you experiencing any redirects or any other problems currently?

When running GMER, did you uncheck the following and leave the rest checked by default?
* Sections
* IAT/EAT
* Drives/Partition other than Systemdrive (typically C:\)

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    Code:
    :filefind
    iaStor.sys
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.
Old 11-15-2009, 04:59 PM   #13
ml7 (Guest; Join Date: Nov 2009; Posts: 7)

Hi

I'm not having any problems with anything else, and yes I did uncheck only the sections, iat/eat, and other drives.

systemlook:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 18:56 on 15/11/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "iaStor.sys"
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 508416 bytes [18:55 16/10/2006] [19:08 12/10/2005] 7C2D98D430DD91570DB63E819B9BC7E0
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 874240 bytes [18:55 16/10/2006] [19:07 12/10/2005] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\I386\DRV\SCS\iastor.sys ------ 874240 bytes [18:27 16/10/2006] [20:07 12/10/2005] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 874240 bytes [21:13 05/07/2006] [19:07 12/10/2005] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\iaStor.sys --a--- 874240 bytes [18:55 16/10/2006] [20:07 12/10/2005] 309C4D86D989FB1FCF64BD30DC81C51B

-=End Of File=-
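The SystemLook step asked for in post #12 and answered above is a hash comparison done by eye: every copy of iaStor.sys on the disk is listed with its MD5, and the copy Windows actually loads (system32\drivers) is checked against the untouched copies from the setup source (I386) and the driver backups. Four of the five copies share 309C4D86D989FB1FCF64BD30DC81C51B; the one that differs is the Driver64 build, a different binary by design. The following is an added example, not SystemLook's code nor the analyst's tooling, that automates that comparison. It parses the filefind line format exactly as posted above, treats I386, dllcache and $hf_mig$ copies as references (the same places ComboFix restores from), flags any copy with a different hash, and separately answers the question that matters: does the live driver match? The iaStor.sys listing it embeds is the one posted above; the second, ntfs.sys listing is constructed (invented hashes and sizes) to show the patched-driver case.

```python
"""Added example (not SystemLook, ComboFix or the analyst's own tooling): parse
SystemLook ':filefind' output, compare every copy of a driver against the
install-source / file-protection copies by MD5, and say whether the copy that
actually loads from system32\\drivers matches them."""
import re
from collections import Counter

# Line shape as posted in the thread: path, 6-char attribute field, size,
# two bracketed timestamps, 32-hex MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Copies that normally hold the vendor's original bytes: the setup source,
# the Windows File Protection cache and hotfix migration backups.
REFERENCE_MARKERS = ("\\i386\\", "\\dllcache\\", "\\$hf_mig$\\")

# The iaStor.sys listing posted in the thread (verbatim).
SYSTEMLOOK_OUTPUT = r"""
Searching for "iaStor.sys"
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 508416 bytes [18:55 16/10/2006] [19:08 12/10/2005] 7C2D98D430DD91570DB63E819B9BC7E0
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 874240 bytes [18:55 16/10/2006] [19:07 12/10/2005] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\I386\DRV\SCS\iastor.sys ------ 874240 bytes [18:27 16/10/2006] [20:07 12/10/2005] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 874240 bytes [21:13 05/07/2006] [19:07 12/10/2005] 309C4D86D989FB1FCF64BD30DC81C51B
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\iaStor.sys --a--- 874240 bytes [18:55 16/10/2006] [20:07 12/10/2005] 309C4D86D989FB1FCF64BD30DC81C51B
"""

# Constructed listing (hashes, sizes and times invented) of a patched kernel
# driver: the live copy no longer matches its dllcache / $hf_mig$ backups.
CONSTRUCTED_PATCHED = r"""
Searching for "ntfs.sys"
C:\WINDOWS\system32\drivers\ntfs.sys --a--- 574976 bytes [12:00 01/11/2009] [19:00 10/08/2004] 0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F01
C:\WINDOWS\system32\dllcache\ntfs.sys -c-a-- 574976 bytes [19:00 10/08/2004] [19:00 10/08/2004] 0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F02
C:\WINDOWS\$hf_mig$\KB930916\SP2QFE\ntfs.sys --a--- 574976 bytes [19:00 10/08/2004] [19:00 10/08/2004] 0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F02
"""


def parse_filefind(text: str) -> list:
    """One dict per matched result line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_reference(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in REFERENCE_MARKERS)


def check_copies(entries: list) -> dict:
    """Flag every copy whose MD5 differs from the reference copies (or, when no
    reference copy is listed, from the majority hash)."""
    refs = {e["md5"] for e in entries if is_reference(e["path"])}
    if not refs and entries:
        refs = {Counter(e["md5"] for e in entries).most_common(1)[0][0]}
    flagged = [{"path": e["path"], "md5": e["md5"], "size": e["size"]}
               for e in entries if e["md5"] not in refs]
    return {"reference_md5": sorted(refs),
            "hashes_seen": sorted({e["md5"] for e in entries}),
            "flagged": flagged}


def live_driver_matches(entries: list, result: dict) -> bool:
    """True when the copy Windows loads (system32\\drivers) is present and carries
    a reference hash. A mismatch elsewhere (a different build, like the Driver64
    copy in the thread) is not the same thing as a patched live driver."""
    live = [e for e in entries if "\\system32\\drivers\\" in e["path"].lower()]
    return bool(live) and all(e["md5"] in result["reference_md5"] for e in live)


if __name__ == "__main__":
    for label, text in (("iaStor.sys (thread)", SYSTEMLOOK_OUTPUT),
                        ("ntfs.sys (constructed)", CONSTRUCTED_PATCHED)):
        entries = parse_filefind(text)
        result = check_copies(entries)
        print(label, "- live copy matches reference:", live_driver_matches(entries, result))
        for f in result["flagged"]:
            print("  differs from reference:", f["path"], f["md5"])
```

Run against the thread's listing it flags only the Driver64 copy and reports the live driver as matching, which is the "That looks good" conclusion in the next post. Run against the constructed ntfs.sys listing it reports the live driver as not matching its backups, the condition under which ComboFix restores the file from $hf_mig$. MD5 is used only because that is what SystemLook prints; for a comparison you rely on, hash the files yourself with SHA-256 and check the publisher's signature as well.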
Old 11-16-2009, 02:26 PM   #14
extremeboy (Security Team Analyst; Join Date: Jan 2009; Posts: 559; OS: N/A)

Hello.

That looks good. Please get an updated version of Combofix by first deleting the copy of Combofix you currently have, then downloading a new copy from one of the two links below and saving it to your desktop...

Link 1
Link 2

Double-click it to run it and post back with the Combofix log once done.

Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.

Thanks.

With Regards,
Extremeboy
Old 11-18-2009, 07:37 PM   #15
ml7 (Guest; Join Date: Nov 2009; Posts: 7)

combofix:

ComboFix 09-11-18.06 - Owner 11/18/2009 13:33.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2045.1361 [GMT -6:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys

.
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.

2009-11-18 19:33 . 2004-08-10 19:00 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2009-11-18 19:33 . 2004-08-10 19:00 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2009-11-18 19:33 . 2004-08-10 19:00 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2009-11-18 19:33 . 2004-08-10 19:00 30688 ----a-w- c:\windows\system32\drivers\sym_u3.sys
2009-11-18 19:33 . 2004-08-10 19:00 28384 -c--a-w- c:\windows\system32\dllcache\sym_hi.sys
2009-11-18 19:33 . 2004-08-10 19:00 28384 ----a-w- c:\windows\system32\drivers\sym_hi.sys
2009-11-18 19:33 . 2004-08-10 19:00 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2009-11-18 19:33 . 2004-08-10 19:00 32640 ----a-w- c:\windows\system32\drivers\symc8xx.sys
2009-11-18 19:33 . 2004-08-10 19:00 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2009-11-18 19:33 . 2004-08-10 19:00 16256 ----a-w- c:\windows\system32\drivers\symc810.sys
2009-11-18 19:33 . 2004-08-10 19:00 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2009-11-18 19:33 . 2004-08-10 19:00 19072 ----a-w- c:\windows\system32\drivers\sparrow.sys
2009-11-18 19:31 . 2004-08-10 19:00 14976 -c--a-w- c:\windows\system32\dllcache\cpqarray.sys
2009-11-11 02:55 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-11 02:55 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 16:01 . 2009-11-10 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-11-10 15:10 . 2009-11-10 15:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Blizzard Entertainment
2009-11-06 07:36 . 2009-11-16 22:28 -------- d-----w- c:\program files\World of Warcraft
2009-11-06 07:33 . 2009-11-06 07:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-11 02:55 . 2009-08-21 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 23:39 . 2006-10-23 11:22 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-11-05 04:46 . 2007-07-19 07:49 -------- d-----w- c:\program files\Warcraft III
2009-11-02 23:50 . 2008-12-14 16:41 -------- d-----w- c:\program files\Panda Security
2009-11-02 23:48 . 2007-11-26 01:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-02 23:48 . 2008-12-07 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-14 08:03 . 2006-10-16 18:54 -------- d-----w- c:\program files\Microsoft Works
2009-10-13 22:58 . 2007-04-21 21:28 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-10-13 22:32 . 2009-10-13 22:31 -------- d-----w- c:\program files\Hero Editor
2009-10-13 22:31 . 2009-10-13 22:31 249856 ------w- c:\windows\Setup1.exe
2009-10-13 22:31 . 2009-10-13 22:31 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-13 21:10 . 2009-07-31 02:02 -------- d-----w- c:\program files\Diablo II
2009-10-12 22:33 . 2009-10-12 22:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{534D3919-DB8B-4E09-99D4-DD45918CCE66}
2009-10-12 22:33 . 2009-10-12 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Linksys
2009-10-12 22:26 . 2009-10-12 21:44 -------- d-----w- c:\program files\Linksys
2009-10-12 22:26 . 2009-10-12 22:26 -------- d-----w- c:\program files\WebEx
2009-10-12 22:25 . 2009-10-12 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-10-12 22:25 . 2009-10-12 22:25 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-10-12 22:23 . 2006-10-16 18:51 -------- d-----w- c:\program files\Java
2009-09-27 22:57 . 2008-12-29 02:08 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-09-26 21:01 . 2006-10-18 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-09-26 04:00 . 2009-09-26 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-26 04:00 . 2009-01-27 02:25 -------- d-----w- c:\program files\iTunes
2009-09-26 03:59 . 2009-09-26 03:59 -------- d-----w- c:\program files\iPod
2009-09-26 03:59 . 2008-03-18 00:49 -------- d-----w- c:\program files\Common Files\Apple
2009-09-26 03:54 . 2009-09-26 03:53 -------- d-----w- c:\program files\QuickTime
2009-09-26 03:41 . 2009-09-26 03:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-26 03:32 . 2008-03-18 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-26 03:28 . 2009-09-26 03:28 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-25 05:49 . 2006-06-17 09:23 668672 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2006-10-16 18:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:03 . 2006-10-16 18:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2006-10-16 18:12 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:42 . 2009-09-26 03:32 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2008-03-18 00:49 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:16 . 2006-10-16 18:13 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-11_23.32.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-18 19:32 . 2004-08-10 19:00 49024 c:\windows\system32\drivers\ql1280.sys
- 2006-10-16 18:13 . 2004-08-10 19:00 49024 c:\windows\system32\drivers\ql1280.sys
- 2006-10-16 18:13 . 2004-08-10 19:00 40448 c:\windows\system32\drivers\ql1240.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 40448 c:\windows\system32\drivers\ql1240.sys
- 2006-10-16 18:13 . 2004-08-10 19:00 45312 c:\windows\system32\drivers\ql12160.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 45312 c:\windows\system32\drivers\ql12160.sys
- 2006-10-16 18:13 . 2004-08-10 19:00 33152 c:\windows\system32\drivers\ql10wnt.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 33152 c:\windows\system32\drivers\ql10wnt.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 40320 c:\windows\system32\drivers\ql1080.sys
- 2006-10-16 18:13 . 2004-08-10 19:00 40320 c:\windows\system32\drivers\ql1080.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 27296 c:\windows\system32\drivers\perc2.sys
- 2006-10-16 18:13 . 2004-08-10 19:00 27296 c:\windows\system32\drivers\perc2.sys
- 2006-10-16 18:12 . 2004-08-10 19:00 17280 c:\windows\system32\drivers\mraid35x.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 17280 c:\windows\system32\drivers\mraid35x.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 16000 c:\windows\system32\drivers\ini910u.sys
- 2006-10-16 18:11 . 2004-08-10 19:00 16000 c:\windows\system32\drivers\ini910u.sys
- 2006-10-16 18:11 . 2004-08-10 19:00 18560 c:\windows\system32\drivers\i2omp.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 18560 c:\windows\system32\drivers\i2omp.sys
- 2006-10-16 18:11 . 2004-08-10 19:00 25952 c:\windows\system32\drivers\hpn.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 25952 c:\windows\system32\drivers\hpn.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 20192 c:\windows\system32\drivers\dpti2o.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 20192 c:\windows\system32\drivers\dpti2o.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 14720 c:\windows\system32\drivers\dac960nt.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 14720 c:\windows\system32\drivers\dac960nt.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 14976 c:\windows\system32\drivers\cpqarray.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 14976 c:\windows\system32\drivers\cpqarray.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 13952 c:\windows\system32\drivers\cbidf2k.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 13952 c:\windows\system32\drivers\cbidf2k.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 14848 c:\windows\system32\drivers\asc3550.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 14848 c:\windows\system32\drivers\asc3550.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 22400 c:\windows\system32\drivers\asc3350p.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 22400 c:\windows\system32\drivers\asc3350p.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 26496 c:\windows\system32\drivers\asc.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 26496 c:\windows\system32\drivers\asc.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 12032 c:\windows\system32\drivers\amsint.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 12032 c:\windows\system32\drivers\amsint.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 56960 c:\windows\system32\drivers\aic78xx.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 56960 c:\windows\system32\drivers\aic78xx.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 55168 c:\windows\system32\drivers\aic78u2.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 55168 c:\windows\system32\drivers\aic78u2.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 12800 c:\windows\system32\drivers\aha154x.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 12800 c:\windows\system32\drivers\aha154x.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 23552 c:\windows\system32\drivers\ABP480N5.SYS
- 2006-10-16 18:10 . 2004-08-10 19:00 23552 c:\windows\system32\drivers\ABP480N5.SYS
+ 2009-11-18 19:32 . 2004-08-10 19:00 49024 c:\windows\system32\dllcache\ql1280.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 40448 c:\windows\system32\dllcache\ql1240.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 45312 c:\windows\system32\dllcache\ql12160.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 33152 c:\windows\system32\dllcache\ql10wnt.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 40320 c:\windows\system32\dllcache\ql1080.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 27296 c:\windows\system32\dllcache\perc2.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 17280 c:\windows\system32\dllcache\mraid35x.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 16000 c:\windows\system32\dllcache\ini910u.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 18560 c:\windows\system32\dllcache\i2omp.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 25952 c:\windows\system32\dllcache\hpn.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 20192 c:\windows\system32\dllcache\dpti2o.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 14720 c:\windows\system32\dllcache\dac960nt.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 13952 c:\windows\system32\dllcache\cbidf2k.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 14848 c:\windows\system32\dllcache\asc3550.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 22400 c:\windows\system32\dllcache\asc3350p.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 26496 c:\windows\system32\dllcache\asc.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 12032 c:\windows\system32\dllcache\amsint.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 56960 c:\windows\system32\dllcache\aic78xx.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 55168 c:\windows\system32\dllcache\aic78u2.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 12800 c:\windows\system32\dllcache\aha154x.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 23552 c:\windows\system32\dllcache\abp480n5.sys
- 2006-10-16 18:13 . 2004-08-10 19:00 5504 c:\windows\system32\drivers\perc2hib.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 5504 c:\windows\system32\drivers\perc2hib.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 7680 c:\windows\system32\drivers\cd20xrnt.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 7680 c:\windows\system32\drivers\cd20xrnt.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 5504 c:\windows\system32\dllcache\perc2hib.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 7680 c:\windows\system32\dllcache\cd20xrnt.sys
+ 2006-10-16 18:13 . 2007-02-09 11:23 574976 c:\windows\system32\drivers\ntfs.sys
+ 2009-11-18 19:32 . 2005-10-12 19:07 874240 c:\windows\system32\drivers\IASTOR.SYS
- 2006-07-05 21:13 . 2005-10-12 19:07 874240 c:\windows\system32\drivers\iaStor.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 179584 c:\windows\system32\drivers\dac2w2k.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 179584 c:\windows\system32\drivers\dac2w2k.sys
- 2006-10-16 18:10 . 2004-08-10 19:00 101888 c:\windows\system32\drivers\adpu160m.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 101888 c:\windows\system32\drivers\adpu160m.sys
+ 2009-11-18 19:32 . 2004-08-10 19:00 179584 c:\windows\system32\dllcache\dac2w2k.sys
+ 2009-11-18 19:31 . 2004-08-10 19:00 101888 c:\windows\system32\dllcache\adpu160m.sys
+ 2006-06-17 09:23 . 2009-08-14 12:19 1850112 c:\windows\system32\win32k.sys
- 2006-06-17 02:30 . 2009-08-15 08:20 2081968 c:\windows\system32\FNTCACHE.DAT
+ 2006-06-17 02:30 . 2009-11-12 09:18 2081968 c:\windows\system32\FNTCACHE.DAT
+ 2007-03-08 13:47 . 2009-08-14 12:19 1850112 c:\windows\system32\dllcache\win32k.sys
+ 2006-10-16 17:31 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]
"Simplify Media"="c:\program files\Simplify Media\SimplifyMedia.exe" [2009-01-08 8079880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-27 8740864]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-08-04 3871744]
"pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2006-09-14 950337]
"PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2006-09-14 634949]
"TM Outbreak Agent"="c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2006-09-14 290816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-27 180269]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]
"MacrokeyManager"="WTMKM.exe" - c:\windows\system32\WTMKM.exe [2007-05-29 1969824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Simplify Media\\SimplifyMedia.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Diablo II\\D2Loader-1.12.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [9/13/2006 9:00 PM 205328]
R2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [9/13/2006 9:00 PM 241737]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/13/2006 9:00 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [9/13/2006 9:00 PM 204873]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe [5/15/2008 3:47 PM 360096]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [6/26/2008 6:52 AM 204800]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-11-18 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4249057271.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2009-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2794298053-3006324453-4183137355-1006Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 16:40]

2009-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2794298053-3006324453-4183137355-1006UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 16:40]

2009-11-18 c:\windows\Tasks\WebReg 20090731112337.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-09 23:06]

2009-11-17 c:\windows\Tasks\wrSpySweeper_0F513D4BF8DD4901A95F2C092115A2D5.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-10-16 01:02]

2009-11-17 c:\windows\Tasks\wrSpySweeper_0F513D4BF8DD4901A95F2C092115A2D5.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-10-16 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5076E
uInternet Settings,ProxyOverride = *.local
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} - hxxp://s.nx.com/activex/public_new/nxpm.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\owoyumt0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-11-18 14:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, https://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AA9F1E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba99cfc3
\Driver\ACPI -> ACPI.sys @ 0xba67fcb8
\Driver\iaStor -> 0x8aa9f1e8
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 59 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2794298053-3006324453-4183137355-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(1196)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-11-18 14:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-18 20:19
ComboFix2.txt 2009-11-17 01:27
ComboFix3.txt 2009-11-11 23:35
ComboFix4.txt 2008-12-14 16:39
ComboFix5.txt 2009-11-18 19:27

Pre-Run: 367,636,942,848 bytes free
Post-Run: 367,640,186,880 bytes free

- - End Of File - - 4A8077CF6E1185AD0DF49B80FFB7D3E6

ESET:

C:\Program Files\Linksys\Linksys EasyLink Advisor\ExternalApp\Cisco Media Center.msi probably a variant of Win32/Genetik trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SystemHper.dll.vir a variant of Win32/PSW.WOW.NHZ trojan cleaned by deleting - quarantined
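As an added example (not from this thread and not ComboFix's own code), here is a small Python triage pass over the "Reg Loading Points" section of a ComboFix log like the one above. It parses the REGEDIT4-style lines and flags the entries a reviewer would want to look at first: autostarts that point at a file ComboFix marks `[X]` (not found), values registered by bare filename (resolved through the search path), autostarts running from outside the Windows or Program Files trees, and a Winlogon `UIHost` that is not the stock `logonui.exe`. The sample input is a constructed subset of the lines in this log; the "trusted" roots and the default UIHost path are assumptions of the script for a standard Windows XP install, and a flag means "review this", not "this is malicious".

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the forum post or of ComboFix itself.  The
trusted install roots and the default Winlogon UIHost path below are
assumptions for a default Windows XP installation.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name path reason")

# Assumption: a stock XP install keeps autostarts under these two trees.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Assumption: the default Winlogon UI host on Windows XP.
DEFAULT_UIHOST = "c:\\windows\\system32\\logonui.exe"

# Constructed sample: a subset of the entries from the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2006-09-14 950337]
"MacrokeyManager"="WTMKM.exe" - c:\windows\system32\WTMKM.exe [2007-05-29 1969824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Two shapes ComboFix prints:
#   "name"="c:\full\path.exe" [date size]
#   "name"="bare.exe" - c:\resolved\path.exe [date size]
# The bracketed tail is either "date size" or "X" (file not found).
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r"(?:\s+-\s+(?P<resolved>.+?))?"
    r"\s*(?:\[(?P<meta>[^\]]*)\])?\s*$"
)


def parse_loading_points(text):
    """Yield (section, name, path, meta, raw_value) for each registry entry."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # Prefer the path ComboFix resolved over the bare registry value.
            path = m.group("resolved") or m.group("value")
            yield section, m.group("name"), path, m.group("meta"), m.group("value")


def triage(text):
    """Return a list of Finding for entries that deserve a closer look."""
    findings = []
    for section, name, path, meta, value in parse_loading_points(text):
        low = path.lower()
        if meta == "X":
            findings.append(Finding(section, name, path,
                                    "target file not found (stale or removed entry)"))
            continue
        if section.lower().endswith("\\winlogon") and name.lower() == "uihost":
            if low != DEFAULT_UIHOST:
                findings.append(Finding(section, name, path,
                                        "non-default Winlogon UIHost; runs before logon, verify publisher"))
            continue
        if "\\" not in value:
            findings.append(Finding(section, name, path,
                                    "registered by bare filename; resolved through the search path"))
        if not low.startswith(TRUSTED_ROOTS):
            findings.append(Finding(section, name, path,
                                    "autostart outside Windows/Program Files (user-profile or data directory)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.section}\n    {f.name} -> {f.path}")
```

Run it against the full "Reg Loading Points" block of a log by pasting that block into `SAMPLE_LOG` or reading it from a file; entries under the Run keys that pass all checks are simply not reported, so the output is the review list rather than the whole section.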
Old 11-19-2009, 02:32 PM   #16
extremeboy (Security Team Analyst)
Join Date: Jan 2009
Posts: 559
OS: N/A

Hello.

Please follow the instructions over here: https://www.duplexsecure.com/en/faq

Scroll down to where it says "How can I remove SPTD driver on 32-bit OS?". Download the tool and run it.

Once done, please take a new GMER run for me again and post that log once done.

Run a scan with OTL as well and let me know how your computer is performing...

Download and run OTL
  1. Download OTL by OldTimer and save it to your desktop.
  2. Double click on the icon on your desktop. If you are using Vista, please right-click and select run as administrator
  3. Click the "Scan All Users" checkbox.
  4. Push the button.
  5. It will now begin to scan; please be patient while it scans.
  6. Two reports will open once it's done.
  7. Please copy and paste them in your next reply:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

Thanks.

~EB
Old 11-25-2009, 11:13 AM   #17
extremeboy (Security Team Analyst)
Join Date: Jan 2009
Posts: 559
OS: N/A

Hello.

Due to lack of feedback, this topic will now be archived.
If you need continued support, please begin a new thread.

This applies only to the original topic starter.

Everyone else please begin a New Topic by following the steps outlined here:

https://www.techsupportforum.com/secu...oval-help.html

Thanks.

With Regards,
Extremeboy