
MBAM file now clean, but still dns errors, can't open IE7, no access for AV upgrades


noahas

I downloaded and opened a codec, which also asked me to install "freshplay", which, like a dope, I did.

I ran MBAM and it found and cleaned some issues (I'll post the original log further down), then I ran HijackThis and reran MBAM (logs also included). In trying to find some idea of what the problem is, I also ran GMER, which indicated a rootkit still present. I have attached that log also. I have run ATF Cleaner as well. I also notice that the system clock in the lower right corner has been changed to 24-hour format rather than 12-hour. In addition, during bootup, the Windows popup comes up saying there is no firewall and I am not protected, even though when I check, the Windows Firewall is active. Any help would be greatly appreciated!! Thanks very much in advance. Here are the various logs:

Original MBAM log

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 5.1.2600 Service Pack 3

2/13/2009 9:10:40 PM

mbam-log-2009-02-13 (21-10-40).txt

Scan type: Full Scan (C:\|)

Objects scanned: 174278

Time elapsed: 31 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{548befc1-7b4d-4b95-b660-2b4c6bbc4238}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{548befc1-7b4d-4b95-b660-2b4c6bbc4238}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Home\Start Menu\Programs\freshplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\SORNQCN7\mediacodec[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.

C:\RECYCLER\S-8-7-42-100008605-100012922-100010988-4158.com (Trojan.Agent) -> Quarantined and deleted successfully.

HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:43:47, on 2/14/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

C:\Program Files\Galleon\bin\Wrapper.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\java.exe

c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\SugarSync\SugarSyncManager.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Program Files\TiVo\Desktop\TiVoNotify.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

C:\Program Files\Digsby\lib\digsby-app.exe

C:\Program Files\Orb Networks\Orb\bin\Orb.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\PROGRA~1\WinTV\HCWTVS~1.EXE

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Home\Desktop\HiJackThis.exe

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: CDelHotkeys Object - {78875F5C-A685-4405-8DC5-D48DC65452B0} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Delicious Toolbar - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [sugarSync] "C:\Program Files\SugarSync\SugarSyncManager.exe" -startInTray

O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

O4 - Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe

O4 - Startup: Evernote.lnk = C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: Delicious - {2C887991-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Bookmarks - {2C887992-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Tag - {2C887993-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://ushousecall02.trendmicro.com/housec...ivex/hcImpl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

O23 - Service: Galleon - Unknown owner - C:\Program Files\Galleon\bin\Wrapper.exe

O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--

End of file - 13729 bytes

Next MBAM log

Malwarebytes' Anti-Malware 1.34

Database version: 1736

Windows 5.1.2600 Service Pack 3

2/14/2009 2:38:22 PM

mbam-log-2009-02-14 (14-38-22).txt

Scan type: Quick Scan

Objects scanned: 67404

Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Lastly, GMER log

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-02-15 06:34:42

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

Code 8AE711B0 ZwEnumerateKey

Code 8ADF61B0 ZwFlushInstructionCache

Code 8ADFE098 ZwQueryValueKey

Code 8AE69096 IofCallDriver

Code 8ACB382E IofCompleteRequest

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8AE6909B

.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8ACB3833

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8ADF61B4

PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 5 Bytes JMP 8ADFE09C

PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 4 Bytes JMP 8AE711B4

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1320] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

.text C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe[3308] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 00413E50 C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe (Orb/Orb Networks)

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3544] kernel32.dll!ExitProcess 7C81CAFA 2 Bytes JMP 050520B4 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3544] kernel32.dll!ExitProcess + 3 7C81CAFD 2 Bytes [ 83, 88 ]

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3544] USER32.dll!MessageBoxA 7E4507EA 5 Bytes JMP 0505205E C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3544] USER32.dll!MessageBoxW 7E466534 5 Bytes JMP 05052089 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

.text C:\Program Files\Orb Networks\Orb\bin\Orb.exe[3988] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 00402CD0 C:\Program Files\Orb Networks\Orb\bin\Orb.exe (Orb Application/Orb Networks, Inc.)

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [ 25, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [ 65, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [ A5, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes [ E5, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [ A5, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [ 65, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [ 65, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes [ E5, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [ A5, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes [ E5, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [ 25, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [ 25, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4632] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [ 25, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [ 65, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [ A5, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes [ E5, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [ A5, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [ 65, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [ 65, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes [ E5, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [ A5, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes [ E5, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [ 25, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [ 25, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5748] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [ 25, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [ 65, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [ A5, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes [ E5, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [ A5, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [ 65, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [ 65, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes [ E5, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [ A5, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes [ E5, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [ 25, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [ 25, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5764] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [ 25, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [ 65, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [ A5, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes [ E5, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [ A5, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [ 65, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [ 65, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes [ E5, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [ A5, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes [ E5, 00, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [ 25, 01, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [ E2 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [ 25, 02, 16, 00 ]

.text C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5780] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [ E2 ]

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\gaopdxikusjrmi.sys (*** hidden *** ) B575F000-B5789000 (172032 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\gaopdxikusjrmi.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxikusjrmi.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxikusjrmi.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxlxodpqvc.dll

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxikusjrmi.sys

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@userdata -1

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxikusjrmi.sys

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxlxodpqvc.dll

---- EOF - GMER 1.0.14 ----

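As an added triage example (not from this thread, and not code from GMER, ComboFix or Malwarebytes): a small Python parser that pulls the hidden service, its start type, image path and registered module out of GMER output like the log above, and flags Security Center override values and removable-drive AutoRun handlers in the "Reg Loading Points" section of the ComboFix log posted later in the thread. The sample input is constructed from lines of those two logs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: lines copied from the GMER log and from the ComboFix
# "Reg Loading Points" section posted in this thread (spacer lines dropped).
GMER_LOG = r"""
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\gaopdxikusjrmi.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxikusjrmi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxlxodpqvc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxikusjrmi.sys
"""
COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-8-7-42-100008605-100012922-100010988-4158.com e:\
\Shell\Open\command - e:\recycler\S-8-7-42-100008605-100012922-100010988-4158.com e:\
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-08 68856]
"""

SERVICE_RE = re.compile(r'^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(?P<name>\S+)')
REG_RE = re.compile(r'^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S+)\s+(?P<data>.*))?$')
SERVICE_KEY_RE = re.compile(r'\\(?P<cs>CurrentControlSet|ControlSet\d+)\\Services\\(?P<name>[^\\]+)', re.I)
CF_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
OVERRIDE_RE = re.compile(r'^"(?P<name>\w*Override)"=dword:0*(?P<val>[1-9a-f][0-9a-f]*)$', re.I)
SHELL_CMD_RE = re.compile(r'^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.*)$', re.I)


@dataclass
class HiddenService:
    name: str                      # service key name exactly as GMER reports it
    image_path: str = ""
    start: str = ""                # "1" = SERVICE_SYSTEM_START: loaded by the kernel at boot
    control_sets: List[str] = field(default_factory=list)
    modules: List[str] = field(default_factory=list)


def parse_gmer(text: str) -> Dict[str, HiddenService]:
    """Collect the hidden services GMER reports and the registry data it recovered for them."""
    found: Dict[str, HiddenService] = {}
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            found.setdefault(m['name'], HiddenService(m['name'])).image_path = m['path']
            continue
        m = REG_RE.match(line)
        k = SERVICE_KEY_RE.search(m['key']) if m else None
        if not k:
            continue
        svc = found.setdefault(k['name'], HiddenService(k['name']))
        if k['cs'] not in svc.control_sets:      # same service registered in more than one control set
            svc.control_sets.append(k['cs'])
        value, data = (m['value'] or '').lower(), (m['data'] or '').strip()
        if value == 'start':
            svc.start = data
        elif value == 'imagepath' and not svc.image_path:
            svc.image_path = data
        elif value and m['key'].lower().endswith('\\modules'):   # extra module registered under the service
            svc.modules.append(data)
    return found


def parse_combofix(text: str) -> List[dict]:
    """Flag Security Center overrides and removable-drive autorun handlers in 'Reg Loading Points'."""
    findings: List[dict] = []
    key = ''
    for line in text.splitlines():
        if m := CF_KEY_RE.match(line):
            key = m['key']
        elif 'security center' in key.lower() and (m := OVERRIDE_RE.match(line)):
            # a non-zero *Override value suppresses the Security Center warning for that component
            findings.append({'kind': 'securitycenter_override', 'value': m['name'], 'data': m['val']})
        elif '\\mountpoints2\\' in key.lower() and (m := SHELL_CMD_RE.match(line)):
            if 'recycler' in m['cmd'].lower():   # executable parked in a RECYCLER folder on the drive
                findings.append({'kind': 'drive_autorun', 'drive': key.rsplit('\\', 1)[-1],
                                 'verb': m['verb'], 'command': m['cmd']})
    return findings


if __name__ == '__main__':
    for svc in parse_gmer(GMER_LOG).values():
        print(svc)
    for finding in parse_combofix(COMBOFIX_LOG):
        print(finding)
```

On the logs in this thread it returns one hidden service, gaopdxserv.sys, registered in both CurrentControlSet and ControlSet003 with start type 1, plus the AntiVirusOverride flag and the two AutoRun/Open handlers on drive E.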

Hi. :D

I'm curious who asked you to run GMER? You should never run tools like that unless instructed.

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\gaopdxikusjrmi.sys

    Drivers to delete:
    gaopdxserv

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to copy/paste from the code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Thanks so much for your prompt reply. I followed the instructions and the avenger.txt results are:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gaopdxserv.sys" found!

ImagePath: \systemroot\system32\drivers\gaopdxikusjrmi.sys

Start Type: 1 (System)

Rootkit scan completed.

File "C:\WINDOWS\system32\drivers\gaopdxikusjrmi.sys" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv" not found!

Deletion of driver "gaopdxserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys" deleted successfully.

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

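The Avenger log above mixes one failed deletion in among the successes, which is easy to miss when reading a long log. As an added example (not from the thread and not The Avenger's own code), a Python parser that extracts, for each hidden driver the rootkit scan reported, whether its file, its driver object and its service key were actually removed; the sample input is constructed from the action lines of the log above.

```python
import re
from typing import Dict, List

# Constructed sample input: the action lines from the Avenger log posted in this thread.
AVENGER_LOG = r"""
Rootkit scan active.
Hidden driver "gaopdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\gaopdxikusjrmi.sys
Start Type: 1 (System)
Rootkit scan completed.
File "C:\WINDOWS\system32\drivers\gaopdxikusjrmi.sys" deleted successfully.
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv" not found!
Deletion of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys" deleted successfully.
Completed script processing.
"""

HIDDEN_RE = re.compile(r'^Hidden driver "(?P<name>[^"]+)" found!$')
IMAGE_RE = re.compile(r'^ImagePath: (?P<path>\S+)$')
OK_RE = re.compile(r'^(?P<kind>File|Driver|Registry key) "(?P<target>[^"]+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?P<kind>file|driver|registry key) "(?P<target>[^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<name>\w+)\)$')


def parse_avenger(text: str) -> dict:
    """Return the hidden drivers the rootkit scan reported and the outcome of every deletion."""
    hidden: Dict[str, str] = {}          # driver name -> image path
    actions: List[dict] = []
    last_driver = None
    for line in text.splitlines():
        if m := HIDDEN_RE.match(line):
            last_driver = m['name']
            hidden[last_driver] = ''
        elif (m := IMAGE_RE.match(line)) and last_driver:
            hidden[last_driver] = m['path']   # ImagePath line follows the "found!" line
        elif m := OK_RE.match(line):
            actions.append({'kind': m['kind'].lower(), 'target': m['target'], 'ok': True, 'status': ''})
        elif m := FAIL_RE.match(line):
            actions.append({'kind': m['kind'], 'target': m['target'], 'ok': False, 'status': ''})
        elif (m := STATUS_RE.match(line)) and actions and not actions[-1]['ok']:
            actions[-1]['status'] = m['name']   # NTSTATUS name reported for the failed action
    return {'hidden': hidden, 'actions': actions}


def driver_outcome(parsed: dict, name: str) -> Dict[str, bool]:
    """For one hidden driver, report whether its file, its driver object and its service key were removed."""
    path = parsed['hidden'].get(name, '')
    base = path.rsplit('\\', 1)[-1].lower()
    ok = [a for a in parsed['actions'] if a['ok']]
    return {
        'file': bool(base) and any(a['kind'] == 'file' and a['target'].lower().endswith('\\' + base) for a in ok),
        'driver': any(a['kind'] == 'driver' and a['target'].lower() == name.lower() for a in ok),
        'service_key': any(a['kind'] == 'registry key'
                           and a['target'].lower().endswith('\\services\\' + name.lower()) for a in ok),
    }


if __name__ == '__main__':
    result = parse_avenger(AVENGER_LOG)
    for driver in result['hidden']:
        print(driver, driver_outcome(result, driver))
```

For this log it reports the driver file and both service keys removed but the driver object not removed: the script named the driver "gaopdxserv", while the name the scan reports (and the key that was deleted) is "gaopdxserv.sys".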

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.


Combofix.txt:

ComboFix 09-02-14.01 - Home 2009-02-15 15:34:24.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2642 [GMT -6:00]

Running from: c:\documents and settings\Home\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Home\Application Data\inst.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\gaopdxcounter

c:\windows\system32\gaopdxlxodpqvc.dll

c:\windows\system32\IEDFix.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

E:\Autorun.inf

e:\recycler\S-8-7-42-100008605-100012922-100010988-4158.com

F:\Autorun.inf

f:\recycler\S-8-7-42-100008605-100012922-100010988-4158.com

.

((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))

.

2009-02-15 15:37 . 2009-02-15 15:37 4 --a------ c:\windows\system32\GVTunner.ref

2009-02-15 07:25 . 2009-02-15 07:25 <DIR> d-------- C:\Rooter$

2009-02-15 07:23 . 2009-02-15 07:23 <DIR> d-------- c:\program files\ERUNT

2009-02-15 06:32 . 2009-02-15 07:49 250 --a------ c:\windows\gmer.ini

2009-02-15 06:29 . 2009-02-15 06:29 <DIR> d-------- C:\rsit

2009-02-15 06:29 . 2009-02-15 06:29 <DIR> d-------- c:\program files\trend micro

2009-02-14 12:20 . 2009-02-14 12:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-14 12:20 . 2009-02-14 12:20 <DIR> d-------- c:\documents and settings\Home\Application Data\SUPERAntiSpyware.com

2009-02-14 12:20 . 2009-02-14 12:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-14 08:19 . 2009-02-14 08:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-14 08:10 . 2009-02-14 08:10 <DIR> d-------- c:\program files\AVG

2009-02-14 08:10 . 2009-02-14 15:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-02-14 07:57 . 2009-02-14 07:57 <DIR> d-------- c:\windows\system32\HouseCall 6.6

2009-02-14 07:57 . 2009-02-14 07:57 <DIR> d-------- c:\documents and settings\Home\Application Data\HouseCall 6.6

2009-02-13 22:45 . 2009-02-14 14:32 664 --a------ c:\windows\system32\d3d9caps.dat

2009-02-13 22:35 . 2009-02-14 09:28 7,680 --ahs---- c:\windows\Thumbs.db

2009-02-13 22:08 . 2009-02-14 08:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-12 00:00 . 2009-02-12 00:00 <DIR> d-------- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$

2009-02-11 23:58 . 2009-02-11 23:58 <DIR> d-------- c:\windows\SQL9_KB960089_ENU

2009-02-11 02:00 . 2009-02-11 02:00 <DIR> d-------- C:\3C2000 NIC

2009-02-10 21:02 . 2009-02-14 09:55 4,566 --a------ c:\windows\imsins.BAK

2009-01-22 17:13 . 2005-01-31 04:18 372,736 -ra------ c:\windows\system32\LVUI2RC.dll

2009-01-22 17:13 . 2005-01-31 04:20 211,712 -ra------ c:\windows\system32\drivers\LV561AV.SYS

2009-01-22 17:13 . 2005-01-31 04:10 204,800 -ra------ c:\windows\system32\LVUI2.dll

2009-01-22 17:13 . 2005-01-31 04:08 204,800 -ra------ c:\windows\system32\lvcodec2.dll

2009-01-22 17:13 . 2005-01-31 04:00 106,496 -ra------ c:\windows\system32\lvcoinst.dll

2009-01-22 17:13 . 2005-01-31 04:12 22,016 -ra------ c:\windows\system32\drivers\LVUSBSta.sys

2009-01-22 17:13 . 2005-01-31 02:37 9,255 -ra------ c:\windows\system32\lvcoinst.ini

2009-01-17 22:08 . 2009-01-17 22:08 <DIR> d-------- c:\program files\CCleaner

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-15 21:37 24,944 ----a-w c:\windows\system32\drivers\GVTDrv.sys

2009-02-15 21:28 --------- d-----w c:\documents and settings\Home\Application Data\Delicious IE Extension

2009-02-15 18:54 --------- d-----w c:\program files\WinTV

2009-02-14 18:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-14 04:35 --------- d-----w c:\program files\Windows Media Connect 2

2009-02-14 04:35 --------- d-----w c:\program files\QT Lite

2009-02-14 04:35 --------- d-----w c:\program files\gAttach

2009-02-14 04:35 --------- d-----w c:\program files\Delicious Add-on for Internet Explorer

2009-02-14 04:35 --------- d-----w c:\program files\CrossLoop

2009-02-14 01:29 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-13 09:11 --------- d-----w c:\documents and settings\Home\Application Data\uTorrent

2009-02-12 05:58 --------- d-----w c:\program files\Microsoft SQL Server

2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-08 04:36 --------- d-----w c:\program files\IEPro

2009-02-06 16:44 --------- d-----w c:\documents and settings\Home\Application Data\Mapi2Xml

2009-01-23 23:35 --------- d-----w c:\program files\SugarSync

2009-01-18 04:23 --------- d-----w c:\program files\Microsoft ActiveSync

2009-01-15 03:01 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-15 03:00 --------- d-----w c:\program files\TradeStation 8.4 (Build 1693)

2009-01-04 13:05 --------- d-----w c:\program files\OpenOffice.org 2.4

2009-01-04 13:02 --------- d-----w c:\program files\Azureus

2009-01-02 16:42 --------- d-----w c:\documents and settings\Home\Application Data\DVD Flick

2009-01-02 00:23 --------- d-----w c:\program files\DVD Flick

2008-12-29 04:32 --------- d-----w c:\program files\pyTivo

2008-12-28 23:38 --------- d-----w c:\program files\MediaCoder Audio Edition

2008-12-28 22:22 --------- d-----w c:\program files\eRightSoft

2008-12-21 16:44 --------- d-----w c:\program files\uTorrent

2008-12-18 02:49 --------- d-----w c:\program files\Digsby

2008-12-17 22:09 119,552 ----a-w c:\windows\system32\drivers\Rtenicxp.sys

2008-12-17 14:55 --------- d-----w c:\documents and settings\Home\Application Data\Epson

2008-12-15 23:00 --------- d-----w c:\documents and settings\Home\Application Data\Leadertech

2008-12-15 22:59 --------- d-----w c:\program files\EpsonNet

2008-12-15 22:59 --------- d-----w c:\program files\Common Files\EPSON

2008-12-15 22:59 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON

2008-12-15 22:54 --------- d-----w c:\program files\epson

2008-12-15 22:53 --------- d-----w c:\program files\Epson Software

2008-12-15 22:53 --------- d-----w c:\program files\Common Files\InstallShield

2008-05-18 16:32 47,360 ----a-w c:\documents and settings\Home\Application Data\pcouffin.sys

2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll

2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll

2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-08 68856]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2009-01-23 364544]

"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-04-04 1193984]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 394240]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-04-04 1879552]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-07-19 160592]

"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]

"Google Update"="c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-20 133104]

"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2009-01-08 510416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"EasyTuneVPro"="c:\program files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 20480]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-27 29744]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]

"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

c:\documents and settings\Home\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

Evernote.lnk - c:\program files\Evernote\Evernote3\EvernoteTray.exe [2008-07-14 350656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

--a------ 2007-06-01 10:05 1057328 c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

--a------ 2007-06-01 10:06 1629744 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\IEPro\\MiniDM.exe"=

"c:\\Program Files\\Galleon\\bin\\Wrapper.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=

"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=

"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:UDP"= 5353:UDP:HME

"7288:TCP"= 7288:TCP:HME

"2190:UDP"= 2190:UDP:HMO

"2190:TCP"= 2190:TCP:HMO

"8081:TCP"= 8081:TCP:HMO

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R2 Galleon;Galleon;c:\program files\Galleon\bin\Wrapper.exe [2007-11-20 204800]

R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-04-04 868864]

R3 CT200xN51;NDIS5.1 Miniport Driver for 3Com 3C2000 Ethernet Controller;c:\windows\system32\drivers\CT200xN51.sys [2006-09-19 250240]

R3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [2008-04-28 815104]

S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder Audio Edition\SysInfo.sys [2007-09-25 15152]

S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-04-27 29744]

S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-12-18 29181272]

S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [2008-08-20 39704]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

SUnknown GVTDrv;GVTDrv; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-8-7-42-100008605-100012922-100010988-4158.com e:\

\Shell\Open\command - e:\recycler\S-8-7-42-100008605-100012922-100010988-4158.com e:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-8-7-42-100008605-100012922-100010988-4158.com f:\

\Shell\Open\command - f:\recycler\S-8-7-42-100008605-100012922-100010988-4158.com f:\

.

Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1085031214-839522115-1003.job

- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-20 06:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en

IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-15 15:37:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\EPSON\eEBAPI\eEBSvc.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\java.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\rundll32.exe

c:\program files\Microsoft IntelliType Pro\dpupdchk.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

c:\program files\Orb Networks\Orb\bin\Orb.exe

c:\progra~1\WinTV\HCBE33~1.EXE

.

**************************************************************************

.

Completion time: 2009-02-15 15:41:37 - machine was rebooted [Home]

ComboFix-quarantined-files.txt 2009-02-15 21:41:34

Pre-Run: 407,525,371,904 bytes free

Post-Run: 407,443,714,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

253 --- E O F --- 2009-02-12 06:01:40

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:43:22, on 2/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

C:\Program Files\Galleon\bin\Wrapper.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\java.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\SugarSync\SugarSyncManager.exe

c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Program Files\TiVo\Desktop\TiVoNotify.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Orb Networks\Orb\bin\Orb.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\WinTV\HCWTVS~1.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: CDelHotkeys Object - {78875F5C-A685-4405-8DC5-D48DC65452B0} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Delicious Toolbar - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [sugarSync] "C:\Program Files\SugarSync\SugarSyncManager.exe" -startInTray

O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Startup: Evernote.lnk = C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: Delicious - {2C887991-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Bookmarks - {2C887992-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Tag - {2C887993-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://ushousecall02.trendmicro.com/housec...ivex/hcImpl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

O23 - Service: Galleon - Unknown owner - C:\Program Files\Galleon\bin\Wrapper.exe

O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--

End of file - 13358 bytes


1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\imsins.BAK

Folder::

C:\rsit

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

DirLook::

C:\Rooter$

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

Seems to be much better, can actually open IE now.

Also, I just had an error pop up saying that IE needs to close and that the following add-on was running: swg.dll, from GoogleToolbarNotifier. Do I just need to reinstall the Google toolbar when the problem is fixed?

ComboFix log:

ComboFix 09-02-14.01 - Home 2009-02-15 19:29:48.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2593 [GMT -6:00]

Running from: c:\documents and settings\Home\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\imsins.BAK

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\rsit

c:\rsit\info.txt

c:\rsit\log.txt

c:\windows\imsins.BAK

.

((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))

.

2009-02-15 07:25 . 2009-02-15 07:25 <DIR> d-------- C:\Rooter$

2009-02-15 07:23 . 2009-02-15 07:23 <DIR> d-------- c:\program files\ERUNT

2009-02-15 06:32 . 2009-02-15 07:49 250 --a------ c:\windows\gmer.ini

2009-02-15 06:29 . 2009-02-15 06:29 <DIR> d-------- c:\program files\trend micro

2009-02-14 12:20 . 2009-02-14 12:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-14 12:20 . 2009-02-14 12:20 <DIR> d-------- c:\documents and settings\Home\Application Data\SUPERAntiSpyware.com

2009-02-14 12:20 . 2009-02-14 12:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-14 08:19 . 2009-02-14 08:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-14 08:10 . 2009-02-14 08:10 <DIR> d-------- c:\program files\AVG

2009-02-14 08:10 . 2009-02-14 15:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-02-14 07:57 . 2009-02-14 07:57 <DIR> d-------- c:\windows\system32\HouseCall 6.6

2009-02-14 07:57 . 2009-02-14 07:57 <DIR> d-------- c:\documents and settings\Home\Application Data\HouseCall 6.6

2009-02-13 22:45 . 2009-02-14 14:32 664 --a------ c:\windows\system32\d3d9caps.dat

2009-02-13 22:35 . 2009-02-14 09:28 7,680 --ahs---- c:\windows\Thumbs.db

2009-02-13 22:08 . 2009-02-14 08:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-12 00:00 . 2009-02-12 00:00 <DIR> d-------- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$

2009-02-11 23:58 . 2009-02-11 23:58 <DIR> d-------- c:\windows\SQL9_KB960089_ENU

2009-02-11 02:00 . 2009-02-11 02:00 <DIR> d-------- C:\3C2000 NIC

2009-01-22 17:13 . 2005-01-31 04:18 372,736 -ra------ c:\windows\system32\LVUI2RC.dll

2009-01-22 17:13 . 2005-01-31 04:20 211,712 -ra------ c:\windows\system32\drivers\LV561AV.SYS

2009-01-22 17:13 . 2005-01-31 04:10 204,800 -ra------ c:\windows\system32\LVUI2.dll

2009-01-22 17:13 . 2005-01-31 04:08 204,800 -ra------ c:\windows\system32\lvcodec2.dll

2009-01-22 17:13 . 2005-01-31 04:00 106,496 -ra------ c:\windows\system32\lvcoinst.dll

2009-01-22 17:13 . 2005-01-31 04:12 22,016 -ra------ c:\windows\system32\drivers\LVUSBSta.sys

2009-01-22 17:13 . 2005-01-31 02:37 9,255 -ra------ c:\windows\system32\lvcoinst.ini

2009-01-17 22:08 . 2009-01-17 22:08 <DIR> d-------- c:\program files\CCleaner

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-16 01:22 --------- d-----w c:\documents and settings\Home\Application Data\Delicious IE Extension

2009-02-15 21:51 --------- d-----w c:\program files\WinTV

2009-02-15 21:50 24,944 ----a-w c:\windows\system32\drivers\GVTDrv.sys

2009-02-14 18:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-14 04:35 --------- d-----w c:\program files\Windows Media Connect 2

2009-02-14 04:35 --------- d-----w c:\program files\QT Lite

2009-02-14 04:35 --------- d-----w c:\program files\gAttach

2009-02-14 04:35 --------- d-----w c:\program files\Delicious Add-on for Internet Explorer

2009-02-14 04:35 --------- d-----w c:\program files\CrossLoop

2009-02-14 01:29 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-13 09:11 --------- d-----w c:\documents and settings\Home\Application Data\uTorrent

2009-02-12 05:58 --------- d-----w c:\program files\Microsoft SQL Server

2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-08 04:36 --------- d-----w c:\program files\IEPro

2009-02-06 16:44 --------- d-----w c:\documents and settings\Home\Application Data\Mapi2Xml

2009-01-23 23:35 --------- d-----w c:\program files\SugarSync

2009-01-18 04:23 --------- d-----w c:\program files\Microsoft ActiveSync

2009-01-16 01:36 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-01-15 03:01 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-15 03:00 --------- d-----w c:\program files\TradeStation 8.4 (Build 1693)

2009-01-04 13:05 --------- d-----w c:\program files\OpenOffice.org 2.4

2009-01-04 13:02 --------- d-----w c:\program files\Azureus

2009-01-02 16:42 --------- d-----w c:\documents and settings\Home\Application Data\DVD Flick

2009-01-02 00:23 --------- d-----w c:\program files\DVD Flick

2008-12-29 04:32 --------- d-----w c:\program files\pyTivo

2008-12-28 23:38 --------- d-----w c:\program files\MediaCoder Audio Edition

2008-12-28 22:22 --------- d-----w c:\program files\eRightSoft

2008-12-21 16:44 --------- d-----w c:\program files\uTorrent

2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

2008-12-18 02:49 --------- d-----w c:\program files\Digsby

2008-12-17 22:09 119,552 ----a-w c:\windows\system32\drivers\Rtenicxp.sys

2008-12-17 22:08 27,648 ----a-w c:\windows\system32\RtNicProp32.dll

2008-12-17 14:55 --------- d-----w c:\documents and settings\Home\Application Data\Epson

2008-12-04 22:52 2,131,968 ----a-w c:\windows\system32\python26.dll

2008-05-18 16:32 47,360 ----a-w c:\documents and settings\Home\Application Data\pcouffin.sys

2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll

2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll

2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\Rooter$ ----

2009-02-15 07:25 54 --a------ c:\rooter$\RunTool.txt

2009-02-15 07:25 2956 --a------ c:\rooter$\Orph.egd

2009-02-15 07:25 195700 --a------ c:\rooter$\Rooter.txt

2009-02-15 07:25 195647 --a------ c:\rooter$\Rooter_1.txt

2009-02-15 07:25 195004 --a------ c:\rooter$\Crack.txt

2009-02-15 07:25 1706 --a------ c:\rooter$\paths.bat

2009-02-15 07:25 12 --a------ c:\rooter$\kill.reg

2009-02-15 07:25 102050 --a------ c:\rooter$\Rkeys.txt

2009-01-03 18:58 21270 --a------ c:\rooter$\RooterT.cmd

2009-01-03 18:35 411 --a------ c:\rooter$\List.lsd

2009-01-03 18:33 842 --a------ c:\rooter$\RKit.lsd

2008-12-26 00:27 1262 --a------ c:\rooter$\RoGUeS.lsd

2008-10-26 21:40 16738 --a------ c:\rooter$\iNv.exe

2008-10-25 00:33 24062 --a------ c:\rooter$\OsV.exe

2007-11-03 01:12 26624 --a------ c:\rooter$\setpath.exe

2003-12-16 10:57 45056 --a------ c:\rooter$\lsTasks.exe

2000-08-31 08:00 98816 --a------ c:\rooter$\sed.exe

((((((((((((((((((((((((((((( SnapShot@2009-02-15_15.40.55.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-15 21:50:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_190.dat

+ 2009-02-15 21:50:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-08 68856]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2009-01-23 364544]

"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-04-04 1193984]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 394240]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-04-04 1879552]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-07-19 160592]

"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]

"Google Update"="c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-20 133104]

"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2009-01-08 510416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"EasyTuneVPro"="c:\program files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 20480]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-27 29744]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]

"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

c:\documents and settings\Home\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

Evernote.lnk - c:\program files\Evernote\Evernote3\EvernoteTray.exe [2008-07-14 350656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

--a------ 2007-06-01 10:05 1057328 c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

--a------ 2007-06-01 10:06 1629744 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\IEPro\\MiniDM.exe"=

"c:\\Program Files\\Galleon\\bin\\Wrapper.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=

"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=

"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:UDP"= 5353:UDP:HME

"7288:TCP"= 7288:TCP:HME

"2190:UDP"= 2190:UDP:HMO

"2190:TCP"= 2190:TCP:HMO

"8081:TCP"= 8081:TCP:HMO

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R2 Galleon;Galleon;c:\program files\Galleon\bin\Wrapper.exe [2007-11-20 204800]

R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-04-04 868864]

R3 CT200xN51;NDIS5.1 Miniport Driver for 3Com 3C2000 Ethernet Controller;c:\windows\system32\drivers\CT200xN51.sys [2006-09-19 250240]

R3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [2008-04-28 815104]

S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder Audio Edition\SysInfo.sys [2007-09-25 15152]

S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-04-27 29744]

S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-12-18 29181272]

S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [2008-08-20 39704]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

SUnknown GVTDrv;GVTDrv; [x]

.

Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1085031214-839522115-1003.job

- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-20 06:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en

IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-15 19:31:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-02-15 19:33:07

ComboFix-quarantined-files.txt 2009-02-16 01:33:05

ComboFix2.txt 2009-02-15 21:41:37

Pre-Run: 407,419,592,704 bytes free

Post-Run: 407,419,125,760 bytes free

230 --- E O F --- 2009-02-12 06:01:40

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:35:24, on 2/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

C:\Program Files\Galleon\bin\Wrapper.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\java.exe

c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\SugarSync\SugarSyncManager.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\TiVo\Desktop\TiVoNotify.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

C:\Program Files\Orb Networks\Orb\bin\Orb.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\WinTV\HCWTVS~1.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousManager.exe

C:\Program Files\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: CDelHotkeys Object - {78875F5C-A685-4405-8DC5-D48DC65452B0} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Delicious Toolbar - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [sugarSync] "C:\Program Files\SugarSync\SugarSyncManager.exe" -startInTray

O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Startup: Evernote.lnk = C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: Delicious - {2C887991-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Bookmarks - {2C887992-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Tag - {2C887993-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://ushousecall02.trendmicro.com/housec...ivex/hcImpl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

O23 - Service: Galleon - Unknown owner - C:\Program Files\Galleon\bin\Wrapper.exe

O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--

End of file - 13451 bytes


Excellent! I finished with the last of the instructions. All seems to be good now.

2 Questions:

1) Do I need to be concerned that my router was somehow compromised? Should I change the username or password?

2) Can I make a donation or somehow express thanks and help?

Thank you very much Tigger for your prompt and helpful work. It is sincerely appreciated!!

1) Just to be safe, I would reset the router and change the username and password.

2) The best way to show thanks is to purchase MalwareBytes Anti-Malware.

Glad to help. :D

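Added example, not part of the thread and not Malwarebytes' or the helper's code: the MBAM log at the top of this thread shows Trojan.DNSChanger rewriting the NameServer values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to 85.255.112.39 and 85.255.112.40. Cleaning the host removes the static entries, but the question "was the router compromised?" is answered by what the router's DHCP is still handing out, which Windows records in the DhcpNameServer values of the same keys. The script below flags any configured resolver inside a hostile range. Assumptions: the whole 85.255.112.0/24 is treated as hostile (only the two .39/.40 addresses appear in the log), the sample registry export is constructed to mirror the log's entries, and the live read uses Python's standard winreg module on Windows.

```python
"""
Added example: detect rogue DNS resolvers, static (NameServer) or handed out by
DHCP (DhcpNameServer, usually the home router), in the Windows Tcpip registry
keys. A rogue DhcpNameServer after the host is clean points at the router.
"""
import ipaddress
import re
import sys

# Assumption: treat the /24 around the two log addresses (85.255.112.39/.40)
# as hostile. Extend this list for other incidents.
ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/24")]

TCPIP_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Static resolvers sit in NameServer; DHCP-supplied ones in DhcpNameServer.
DNS_VALUES = ("NameServer", "DhcpNameServer")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')

# Constructed `reg export` of the Tcpip key, shaped like the thread's log.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=""
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{548befc1-7b4d-4b95-b660-2b4c6bbc4238}]
"NameServer"=""
"DhcpNameServer"="85.255.112.39 85.255.112.40"
"""

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg text dump."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")

def split_servers(data):
    """NameServer data is comma- or space-separated; return the parseable IPs."""
    servers = []
    for token in re.split(r"[,\s]+", data):
        try:
            servers.append(ipaddress.ip_address(token))
        except ValueError:  # empty token or junk
            pass
    return servers

def find_rogue_nameservers(entries, rogue_nets=ROGUE_NETS):
    """Return [(key, value_name, ip_str)] for every resolver inside rogue_nets."""
    hits = []
    for key, name, data in entries:
        if name not in DNS_VALUES or TCPIP_KEY.lower() not in key.lower():
            continue
        for ip in split_servers(data):
            if any(ip in net for net in rogue_nets):
                hits.append((key, name, str(ip)))
    return hits

def read_windows_nameservers():
    r"""Live read on Windows: Tcpip\Parameters plus every Interfaces\{GUID} subkey."""
    import winreg  # Windows only
    entries = []
    def collect(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                for name in DNS_VALUES:
                    try:
                        data, _ = winreg.QueryValueEx(k, name)
                        entries.append(("HKEY_LOCAL_MACHINE\\" + path, name, data))
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    collect(TCPIP_KEY)
    iface_root = TCPIP_KEY + r"\Interfaces"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, iface_root) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            collect(iface_root + "\\" + guid)
            index += 1
    return entries

if __name__ == "__main__":
    if sys.platform == "win32":
        found = read_windows_nameservers()
    else:
        found = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name, ip in find_rogue_nameservers(found):
        print(f"rogue resolver {ip} in {name} under {key}")
```

Run it on the affected machine after cleaning: a hit in DhcpNameServer means the router (or whatever serves DHCP on the LAN) is still pointing clients at the rogue servers, which is exactly the case where resetting the router and changing its admin password, as the reply suggests, is warranted rather than merely cautious. The same check is worth repeating after the reset.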
