This is an update.
I've picked up a very nasty piece of malware. The first symptoms I've noticed are:
1. It gives me a "page fault in nonpaged area" stop blue screen (0x00000050) whenever I try to boot Windows normally, which has effectively disabled normal booting for me.
2. It changed all Google and other search engine results to the address at http://58.65.234.196/go.pho?u=***************
3. Certain sites I just can't go to directly; IE returns a server error under safe mode, and Firefox simply doesn't start at all.
4. My research indicates that it seems to reside in a file named clbdll.dll under the system32 folder.
5. Whenever the Save As option is selected in Notepad, Notepad just quits itself.
6. Scanned with http://virusscan.jotti.org/, which came up with different names; common among them are Rootkit.Gen, Rustock.DNI, etc.
Thank you so much for your help!
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-25 12:23:43
Computer is in Safe Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-25 12:23:48
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Safe mode
Running processes:
L:\WINDOWS\system32\smss.exe
L:\WINDOWS\system32\winlogon.exe
L:\WINDOWS\system32\services.exe
L:\WINDOWS\system32\lsass.exe
L:\WINDOWS\system32\svchost.exe
L:\WINDOWS\system32\svchost.exe
L:\WINDOWS\explorer.exe
L:\WINDOWS\system32\ctfmon.exe
D:\mal\dss.exe
L:\WINDOWS\system32\conime.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - L:\p\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - L:\p\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {53E91E47-C649-4811-9BEA-A337736904F5} - L:\WINDOWS\system32\tuvUlMFV.dll (file missing)
O2 - BHO: (no name) - {61A1C2F2-E1A9-4871-B4E2-493A90705E12} - L:\WINDOWS\system32\kbduzb32.dll
O2 - BHO: (no name) - {663656DF-6BAE-460C-A612-8133DF519346} - L:\WINDOWS\system32\byXPGvuu.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - L:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - L:\p\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - L:\p\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: øÏ≥µ(FlashGet) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - L:\p\FlashGet\fgiebar.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "L:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] L:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] L:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [amd_dc_opt] L:\P\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [QuickTime Task] "L:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "L:\P\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "L:\p\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [IMSCMIG40W] L:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [ccApp] "L:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "L:\p\Norton\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE L:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE L:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BM5fd38cdc] Rundll32.exe "L:\WINDOWS\system32\tleqifrd.dll",s
O4 - HKLM\..\Run: [04856f1a] rundll32.exe "L:\WINDOWS\system32\qfneucsj.dll",b
O4 - HKLM\..\Run: [SDFix] L:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "L:\P\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1774] command /c del "L:\WINDOWS\system32\tuvUlMFV.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5020] cmd /c del "L:\WINDOWS\system32\tuvUlMFV.dll_old"
O4 - HKLM\..\RunOnce: [SDFix] L:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [ctfmon.exe] L:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] L:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3549] command /c del "L:\WINDOWS\system32\tuvUlMFV.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4810] cmd /c del "L:\WINDOWS\system32\tuvUlMFV.dll_old"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] L:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] L:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] L:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\p\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\p\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://L:\p\BitComet100\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: øÏ≥µ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - L:\p\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: øÏ≥µ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - L:\p\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - L:\p\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - L:\p\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - L:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - L:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - L:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - L:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - L:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - L:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - L:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - L:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: AtiExtEvent - L:\WINDOWS\system32\
O20 - Winlogon Notify: byXPGvuu - L:\WINDOWS\system32\byXPGvuu.dll
O23 - Service: Adobe LM Service - Adobe Systems - L:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - L:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - L:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - L:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - ±±æ©±©∑ÁÕ¯º ø∆ºº”–œfiπ´Àæ - L:\p\StormII\stormliv.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - L:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - L:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - L:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - L:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - L:\p\Norton\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - L:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - L:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - L:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - L:\p\Sandra\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - L:\p\Sandra\RpcSandraSrv.exe
O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - L:\WINDOWS\system32\sfrem02.exe
O23 - Service: Symantec Core LC - Symantec Corporation - L:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - L:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 9340 bytes
-- Files created between 2008-04-25 and 2008-05-25 -----------------------------
2008-05-24 19:46:24 0 d-------- L:\WINDOWS\ERUNT
2008-05-24 16:19:24 136192 --a------ L:\WINDOWS\system32\fnlncjpq.dll
2008-05-24 16:16:28 2560 --a------ L:\WINDOWS\system32\iiwphnrx.exe
2008-05-24 16:13:32 115200 --a------ L:\WINDOWS\system32\qfneucsj.dll
2008-05-24 16:13:24 126464 --a------ L:\WINDOWS\system32\tleqifrd.dll
2008-05-24 15:40:14 0 d-------- L:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 05:53:11 0 d--hs---- L:\System Volume Information
2008-05-24 04:11:05 894648 --ahs---- L:\WINDOWS\system32\VFMlUvut.ini2
2008-05-24 03:56:49 59392 --a------ L:\WINDOWS\system32\pmnnOFvS.dll
2008-05-24 03:55:24 7168 --a------ L:\WINDOWS\system32\beep.sys
2008-05-24 03:55:18 93696 --a------ L:\WINDOWS\system32\ntpl.bin
2008-05-24 03:55:16 69042 --a------ L:\WINDOWS\system32\sywtdxaz.sys
2008-05-24 03:55:09 59392 --a------ L:\WINDOWS\system32\byXPGvuu.dll
2008-05-24 03:30:59 0 d-------- L:\3gptemp
2008-05-24 03:28:12 0 d-------- L:\Program Files\MIKSOFT
2008-05-10 18:19:53 57344 --a------ L:\WINDOWS\system32\sticversion.exe <Not Verified; SoftTech InterCorp; pRegFix>
2008-05-10 18:19:53 561152 --a------ L:\WINDOWS\system32\AltST.dll <Not Verified; SoftTech InterCorp; AltST>
2008-05-10 18:19:53 0 d-------- L:\Program Files\Common Files\SoftTech InterCorp
2008-05-10 02:58:23 3543 --a------ L:\WINDOWS\system32\drivers\XSpaceWg.sys <Not Verified; SPACE INT'L, Inc.; CDSpace>
2008-05-10 02:58:23 11120 --a------ L:\WINDOWS\system32\drivers\TwoRabts.sys <Not Verified; Two Rabbits, Inc.; Two Rabbits live bus>
2008-05-10 02:58:23 22570 --a------ L:\WINDOWS\system32\drivers\CDSPACEX.sys <Not Verified; SPACE INT'L, Inc.; CDSpace5>
2008-05-10 02:58:23 22048 --a------ L:\WINDOWS\system32\cocpyinf.dll <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
2008-05-06 21:19:44 0 d-------- L:\WINDOWS\Downloaded Installations
2008-05-05 13:56:25 0 d-------- L:\Documents and Settings\Roi\Application Data\HP
2008-05-05 13:55:03 0 d-------- L:\Program Files\Hewlett-Packard
2008-05-05 13:40:53 11634 --a------ L:\WINDOWS\hpomdl11.dat
2008-05-01 19:51:05 0 d-------- L:\WINDOWS\Ω¿∞ƒ “∆≠∞
2008-05-01 17:09:58 0 d-------- L:\WINDOWS\nview
2008-04-30 03:41:00 2368 --a------ L:\WINDOWS\system32\STEC3.sys <Not Verified; AntiCracking; SVKP driver for NT>
-- Find3M Report ---------------------------------------------------------------
2008-05-24 03:55:21 577536 --a------ L:\WINDOWS\system32\user32.DLL <Not Verified; Microsoft Corporation; Microsoft? Windows? Operating System>
2008-05-21 13:34:41 0 d-------- L:\Program Files\Common Files\Symantec Shared
2008-05-18 21:22:04 43520 --a------ L:\WINDOWS\system32\CmdLineExt03.dll
2008-05-15 02:04:17 0 d--h----- L:\Program Files\InstallShield Installation Information
2008-05-10 18:19:53 0 d-------- L:\Program Files\Common Files
2008-05-07 16:03:59 98304 --a------ L:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-05-05 13:56:03 116976 --a------ L:\WINDOWS\hpoins11.dat
2008-04-01 20:20:08 2560 --a------ L:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-03-29 18:09:46 409600 --a------ L:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-29 18:09:46 114688 --a------ L:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-03-29 18:09:46 0 d-------- L:\Program Files\OpenAL
2008-03-10 11:55:54 14848 --a------ L:\WINDOWS\system32\kbduzb32.dll
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
06/28/2007 05:25 PM 57344 --a------ C:\Program Files\eREAD6.0\eREAD6.0\IEeREAD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53E91E47-C649-4811-9BEA-A337736904F5}]
L:\WINDOWS\system32\tuvUlMFV.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61A1C2F2-E1A9-4871-B4E2-493A90705E12}]
03/10/2008 11:55 AM 14848 --a------ L:\WINDOWS\system32\kbduzb32.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{663656DF-6BAE-460C-A612-8133DF519346}]
05/24/2008 03:55 AM 59392 --a------ L:\WINDOWS\system32\byXPGvuu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
02/22/2008 05:57 PM 58960 --a------ C:\Program Files\eREAD6.0\eREAD6.0\WebHook.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="L:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 08:00 AM]
"PHIME2002ASync"="L:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 AM]
"PHIME2002A"="L:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 AM]
"RTHDCPL"="RTHDCPL.EXE" [08/10/2007 03:21 AM L:\WINDOWS\RTHDCPL.exe]
"amd_dc_opt"="L:\P\Dual-Core Optimizer\amd_dc_opt.exe" [07/23/2007 12:06 PM]
"QuickTime Task"="L:\Program Files\QuickTime\QTTask.exe" [11/15/2007 12:43 AM]
"Acrobat Assistant 7.0"="L:\P\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [12/14/2004 03:12 AM]
"StormCodec_Helper"="L:\p\Storm Codec\StormSet.exe" [11/26/2006 02:30 PM]
"IMSCMIG40W"="L:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.exe" [03/20/2006 05:10 PM]
"ccApp"="L:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/23/2008 10:02 PM]
"osCheck"="L:\p\Norton\osCheck.exe" [01/23/2008 09:07 PM]
"NvCplDaemon"="L:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM L:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="L:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"KernelFaultCheck"="L:\WINDOWS\system32\dumprep 0 -k" []
"BM5fd38cdc"="L:\WINDOWS\system32\tleqifrd.dll" [05/24/2008 04:13 PM]
"04856f1a"="L:\WINDOWS\system32\qfneucsj.dll" [05/24/2008 04:13 PM]
"SDFix"="L:\SDFix\RunThis.bat /second" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="L:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=L:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
"SpybotDeletingB3549"=command /c del "L:\WINDOWS\system32\tuvUlMFV.dll_old"
"SpybotDeletingD4810"=cmd /c del "L:\WINDOWS\system32\tuvUlMFV.dll_old"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="L:\P\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"SpybotDeletingA1774"=command /c del "L:\WINDOWS\system32\tuvUlMFV.dll_old"
"SpybotDeletingC5020"=cmd /c del "L:\WINDOWS\system32\tuvUlMFV.dll_old"
"SDFix"=L:\SDFix\RunThis.bat /second
L:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - L:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [11/25/2007 1:55:20 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{663656DF-6BAE-460C-A612-8133DF519346}"= L:\WINDOWS\system32\byXPGvuu.dll [05/24/2008 03:55 AM 59392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPGvuu]
byXPGvuu.dll 05/24/2008 03:55 AM 59392 L:\WINDOWS\system32\byXPGvuu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 L:\WINDOWS\system32\tuvUlMFV
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\L:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=L:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=L:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\L:^Documents and Settings^All Users^Start Menu^Programs^Startup^Call of Duty(R) 4 - Modern Warfare(TM) Multiplayer.lnk]
path=L:\Documents and Settings\All Users\Start Menu\Programs\Startup\Call of Duty(R) 4 - Modern Warfare(TM) Multiplayer.lnk
backup=L:\WINDOWS\pss\Call of Duty(R) 4 - Modern Warfare(TM) Multiplayer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\L:^Documents and Settings^All Users^Start Menu^Programs^Startup^Call of Duty(R) 4 - Modern Warfare(TM) Singleplayer.lnk]
path=L:\Documents and Settings\All Users\Start Menu\Programs\Startup\Call of Duty(R) 4 - Modern Warfare(TM) Singleplayer.lnk
backup=L:\WINDOWS\pss\Call of Duty(R) 4 - Modern Warfare(TM) Singleplayer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\L:^Documents and Settings^All Users^Start Menu^Programs^Startup^LCDPlayer.lnk]
path=L:\Documents and Settings\All Users\Start Menu\Programs\Startup\LCDPlayer.lnk
backup=L:\WINDOWS\pss\LCDPlayer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\L:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall Call of Duty(R) 4 - Modern Warfare(TM).lnk]
path=L:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall Call of Duty(R) 4 - Modern Warfare(TM).lnk
backup=L:\WINDOWS\pss\Uninstall Call of Duty(R) 4 - Modern Warfare(TM).lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\04856f1a]
rundll32.exe "L:\WINDOWS\system32\ukwsqnsm.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
L:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
L:\P\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"L:\P\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
L:\Program Files\MSI\Live Update 3\LMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"L:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"L:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
L:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
L:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"sfrem02"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=L:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
AutoRun\command- M:\autorun.exe
-- End of Deckard's System Scanner: finished at 2008-05-25 12:24:47 ------------