
Solved Computer taken over by virus

Discussion in 'Malware and Virus Removal Archive' started by RickyD2, 2010/09/07.

  1. 2010/09/07
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    [Resolved] Computer taken over by virus

    My PC was suddenly overcome by a program called Security Suite. It blocks access to the Internet except through Safe Mode and will not allow System Restore to be accessed. None of my security programs caught this.
    I need help but do not know if I can receive a response from you good people, so all I can do is try.

    I'm going to leave it for now and get some sleep and check in the morning for any response. Any suggestions will be appreciated.

    I do not know if my e-mail will work and have not tried it.
     
    Last edited: 2010/09/07
  2. 2010/09/07
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    I have now tried my e-mail and it will not work. I have a Yahoo e-mail account and it will not work either.
     


  4. 2010/09/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Programs listed below can be run in Safe Mode, if needed.


    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    ==============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. 2010/09/08
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    From rkill.exe

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Administrator on 09/08/2010 at 7:37:02.


    Services Stopped:


    Processes terminated by Rkill or while it was running:


    C:\Documents and Settings\Administrator\Desktop\rkill.exe


    Rkill completed on 09/08/2010 at 7:37:04.

    From exehelper

    exeHelper by Raktor
    Build 20100414
    Run at 14:19:33 on 07/16/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 07:38:26 on 09/08/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
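The exeHelper log above lists what the tool resets: the .exe and .com file associations and the Winlogon userinit and shell values. Those are the launch hooks rogue antivirus programs commonly hijack so that their own binary runs before, or instead of, anything the user starts. The following is an added example, not part of the thread and not exeHelper's code, showing what known-good values look like for those hooks on Windows XP and flagging deviations. The expected defaults (Windows XP, %SystemRoot% = C:\WINDOWS), the hook names and the CLEAN/HIJACKED samples are assumptions of this example; the per-user override under HKCU\Software\Classes is not covered.

```python
"""Check the Windows launch hooks that exeHelper resets.

Added example (not exeHelper's code, not from the thread).  Expected defaults
assume Windows XP with %SystemRoot% = C:\WINDOWS; the CLEAN/HIJACKED dicts
below are constructed samples, not values taken from the poster's machine.
"""

# HKCR\exefile\shell\open\command and HKCR\comfile\shell\open\command (default value)
EXPECTED_OPEN_CMD = '"%1" %*'
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
EXPECTED_SHELL = ("explorer.exe", r"c:\windows\explorer.exe")
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (comma-terminated)
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def check_open_command(value):
    """The open command must run the target ("%1") directly; a hijack wraps it
    in another exe, so every program launch goes through the rogue first."""
    if value.strip().lower() == EXPECTED_OPEN_CMD.lower():
        return []
    return ["open command hijacked: %r (expected %r)" % (value, EXPECTED_OPEN_CMD)]


def _split_list(value):
    """Shell and Userinit are comma-separated lists; Winlogon runs every element,
    so an appended path is a second autostart that survives a clean first entry."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_shell(value):
    parts = _split_list(value)
    problems = []
    if not parts or parts[0].lower() not in EXPECTED_SHELL:
        problems.append("Shell does not start with explorer.exe: %r" % value)
    problems += ["extra Shell entry (injected loader): %r" % p for p in parts[1:]]
    return problems


def check_userinit(value):
    parts = _split_list(value)
    problems = []
    if not parts or parts[0].lower() != EXPECTED_USERINIT:
        problems.append("Userinit does not start with %r: %r" % (EXPECTED_USERINIT, value))
    problems += ["extra Userinit entry (runs at every logon): %r" % p for p in parts[1:]]
    return problems


CHECKS = {
    "exefile_open": check_open_command,
    "comfile_open": check_open_command,
    "shell": check_shell,
    "userinit": check_userinit,
}


def audit(values):
    """values: hook name -> registry string (from the live registry or a .reg
    export).  Returns {hook: [problems]} for the hooks that fail."""
    report = {}
    for hook, fn in CHECKS.items():
        if hook in values:
            problems = fn(values[hook])
            if problems:
                report[hook] = problems
    return report


def read_live_values():
    """Windows only: read the four hooks from the live registry."""
    import winreg

    def q(root, sub, name):
        with winreg.OpenKey(root, sub) as k:
            return winreg.QueryValueEx(k, name)[0]

    wl = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    return {
        "exefile_open": q(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command", ""),
        "comfile_open": q(winreg.HKEY_CLASSES_ROOT, r"comfile\shell\open\command", ""),
        "shell": q(winreg.HKEY_LOCAL_MACHINE, wl, "Shell"),
        "userinit": q(winreg.HKEY_LOCAL_MACHINE, wl, "Userinit"),
    }


# Constructed samples: clean XP values versus the pattern a rogue leaves behind
# (the rogue path and file name are invented for illustration).
ROGUE = r"C:\Documents and Settings\user\Local Settings\Application Data\rogue\rogue.exe"
CLEAN = {
    "exefile_open": '"%1" %*',
    "comfile_open": '"%1" %*',
    "shell": "Explorer.exe",
    "userinit": r"C:\WINDOWS\system32\userinit.exe,",
}
HIJACKED = {
    "exefile_open": '"%s" /START "%%1" %%*' % ROGUE,
    "comfile_open": '"%1" %*',
    "shell": "Explorer.exe," + ROGUE,
    "userinit": r"C:\WINDOWS\system32\userinit.exe," + ROGUE + ",",
}

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, audit(sample) or "OK")
```

On the infected machine this would be run from Safe Mode with `audit(read_live_values())`. The checks deliberately accept nothing but the bare default, so a wrapped open command that still launches the original program (`"...\rogue.exe" /START "%1" %*`) is reported, and the list handling catches the common trick of leaving userinit.exe in place and appending a second path after the comma.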
     
  6. 2010/09/08
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    ComboFix 10-09-07.01 - Administrator 09/08/2010 10:32:41.17.1 - FAT32x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.302 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
    .

    2010-09-08 04:33 . 2010-09-08 04:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-08 03:48 . 2010-09-08 03:48 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\btlxcmtih
    2010-09-07 21:02 . 2010-09-07 21:02 -------- d-----w- c:\program files\MSXML 4.0
    2010-09-06 20:52 . 2010-09-06 20:52 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\HP
    2010-09-06 19:04 . 2010-09-06 19:05 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\HPAppData
    2010-09-06 18:56 . 2010-09-06 18:56 1148400 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\RocketEngine.dll
    2010-09-06 18:56 . 2010-09-06 18:56 341488 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\PhotoProductCore.exe
    2010-09-06 18:56 . 2010-09-06 18:56 255472 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\ContentMan.dll
    2010-09-06 18:56 . 2010-09-06 18:56 158240 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\PhotoProductReg.exe
    2010-09-06 18:56 . 2010-09-06 18:56 140784 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\RLPNUpload.dll
    2010-09-06 18:56 . 2010-09-06 18:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG
    2010-09-06 18:55 . 2010-09-06 18:55 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\HP
    2010-09-06 18:53 . 2010-09-06 18:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2010-09-06 18:52 . 2010-09-06 18:52 -------- d-----w- c:\program files\Coupons
    2010-09-06 18:51 . 2010-09-06 18:51 -------- d-----w- c:\program files\HP Photo Creations
    2010-09-06 18:51 . 2010-09-06 18:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations
    2010-09-06 18:51 . 2010-09-06 18:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Product Assistant
    2010-09-06 18:49 . 2010-09-06 18:49 -------- d-----w- c:\program files\Common Files\HP
    2010-09-06 18:49 . 2010-09-06 18:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP
    2010-09-06 18:45 . 2010-09-06 18:55 172174 ----a-w- c:\windows\hpoins37.dat
    2010-09-06 18:45 . 2010-02-02 20:05 558 ------w- c:\windows\hpomdl37.dat
    2010-09-06 18:39 . 2008-10-06 20:37 315392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp083.dll
    2010-09-06 18:39 . 2008-10-06 20:38 121344 ----a-w- c:\windows\system32\hpf3l083.dll
    2010-09-06 18:39 . 2008-10-29 17:35 271704 ----a-r- c:\windows\system32\hpzids01.dll
    2010-09-06 18:38 . 2008-10-28 09:31 309760 ----a-r- c:\windows\system32\difxapi.dll
    2010-09-06 18:38 . 2008-10-28 09:31 372736 ----a-r- c:\windows\system32\hppldcoi.dll
    2010-09-06 18:38 . 2008-10-29 17:37 307200 ----a-r- c:\windows\system32\hposc_d02a.dll
    2010-09-06 18:38 . 2008-10-29 17:37 737280 ----a-r- c:\windows\system32\hposwia_d02a.dll
    2010-09-06 18:38 . 2008-10-29 17:37 598016 ----a-r- c:\windows\system32\hpost_d02a.dll
    2010-09-06 18:17 . 2010-09-06 18:17 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\HpUpdate
    2010-09-03 21:35 . 2010-09-03 21:35 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-09-02 20:25 . 2010-09-02 20:25 10134 ----a-r- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
    2010-08-09 21:09 . 2010-08-09 21:09 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13bb0c4e-n\msvcp71.dll
    2010-08-09 21:09 . 2010-08-09 21:09 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1401b338-n\decora-sse.dll
    2010-08-09 21:09 . 2010-08-09 21:09 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13bb0c4e-n\jmc.dll
    2010-08-09 21:09 . 2010-08-09 21:09 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13bb0c4e-n\msvcr71.dll
    2010-08-09 21:09 . 2010-08-09 21:09 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1401b338-n\decora-d3d.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-07 15:12 . 2010-07-10 21:24 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2010-07-10 21:24 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-07-10 21:29 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2010-07-10 21:29 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2010-07-10 21:29 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2010-07-10 21:28 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2010-07-10 21:28 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2010-07-10 21:29 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2010-07-10 21:28 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-06 19:05 . 2006-01-15 21:37 20144 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-16 21:40 . 2010-07-16 21:40 -------- d-----w- c:\program files\Common Files\Java
    2010-07-15 19:10 . 2010-07-15 19:10 170 ---ha-w- c:\documents and settings\Richard Doenges\hpothb07.dat
    2010-07-15 19:10 . 2006-08-21 19:26 367 ---ha-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\hpothb07.dat
    2010-07-11 20:20 . 2010-07-11 20:20 -------- d-----w- c:\program files\Uniblue
    2010-07-11 00:18 . 2010-07-11 00:18 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-07-11 00:17 . 2010-07-11 00:17 -------- d-----w- c:\program files\Microsoft Sync Framework
    2010-07-11 00:16 . 2010-07-11 00:15 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-07-11 00:15 . 2010-07-11 00:14 -------- d-----w- c:\program files\Microsoft
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-07-11 00:14 . 2010-07-11 00:14 -------- d-----w- c:\program files\Windows Live
    2010-07-11 00:05 . 2010-07-11 00:04 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\program files\Alwil Software
    2010-07-10 21:22 . 2010-07-10 21:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
    2010-06-30 12:31 . 2003-03-31 17:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2003-03-31 17:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2003-03-31 17:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2003-03-31 17:00 80384 ------w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2007-11-24 19:58 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    2010-06-14 07:41 . 2006-09-13 04:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2006-07-20 20:07 . 2006-07-20 20:07 18801 ------w- c:\program files\IE70BlockerHelp.htm
    2006-05-08 22:07 . 2006-05-08 22:07 28142 ------w- c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
    2006-05-08 21:13 . 2006-05-08 21:13 3730 ------w- c:\program files\IE70Blocker.adm
    2006-05-08 21:13 . 2006-05-08 21:13 1809 ------w- c:\program files\IE70Blocker.cmd
    2005-05-26 19:35 . 2007-11-23 21:24 1422 ------w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FixCleaner"="c:\program files\FixCleaner\FixCleaner.exe" [2010-03-22 45725016]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
    "ncdxwish"="c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\btlxcmtih\cwaloimuqiw.exe" [2010-09-08 243712]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Start Menu\Programs\Startup\
    MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2006-1-6 18480224]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/23/2010 7:14 PM 95024]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/10/2010 4:29 PM 165584]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/10/2010 4:29 PM 17744]
    S2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/28/2009 11:29 AM 90352]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/31/2003 12:00 PM 14336]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - STLTRK2K

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-08 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2010-09-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-06 21:27]

    2010-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-09-07 c:\windows\Tasks\User_Feed_Synchronization-{9913872E-C5A8-4D8F-83A3-237CEECEEC63}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2010-09-08 c:\windows\Tasks\User_Feed_Synchronization-{7712294E-F94B-4110-8CC7-2F0C256BC9C4}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2007-01-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8137559368.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-08 10:38
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,c8,30,34,50,25,11,4a,96,a7,04,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,c8,30,34,50,25,11,4a,96,a7,04,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-09-08 10:40:37
    ComboFix-quarantined-files.txt 2010-09-08 15:40

    Pre-Run: 12,138,381,312 bytes free
    Post-Run: 14,139,162,624 bytes free

    Current=5 Default=5 Failed=2 LastKnownGood=3 Sets=1,2,3,5
    - - End Of File - - CF6BC57FDCE5B0A198A4996EC4661037
    Fix log
     
  7. 2010/09/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\btlxcmtih\cwaloimuqiw.exe
    
    
    Folder::
    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\btlxcmtih
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ncdxwish"=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
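Reading the ComboFix log the way the reply above does: among the Run-key entries, the one that stands out launches a freshly dated executable from the user's Local Settings\Application Data rather than from Program Files, and the At1.job to At24.job files in "Other Deletions" are at.exe-created task files that ComboFix had already removed. The CFScript then names exactly that file, its folder, and its Run value. The following is an added example, not ComboFix's code and not the analyst's documented method, that automates that triage over the log's own lines and prints the resulting CFScript; the scoring heuristics are its own assumptions, and SAMPLE_LOG is an excerpt copied from the log posted in the thread.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log and draft the
CFScript that removes what it flags.

Added example; not ComboFix's code.  The heuristics are this example's own
assumptions.  SAMPLE_LOG is an excerpt copied from the log posted in the thread.
"""
import re
from datetime import date

SAMPLE_LOG = r"""
ComboFix 10-09-07.01 - Administrator 09/08/2010 10:32:41.17.1 - FAT32x86 NETWORK
(((( Other Deletions ))))
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At2.job
(((( Reg Loading Points ))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCleaner"="c:\program files\FixCleaner\FixCleaner.exe" [2010-03-22 45725016]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"ncdxwish"="c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\btlxcmtih\cwaloimuqiw.exe" [2010-09-08 243712]
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - \S+ (\d{2})/(\d{2})/(\d{4}) ")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# Tolerant of the stray spaces that forum extraction leaves inside the quotes.
VALUE_RE = re.compile(r'^"([^"]+?)\s*"\s*=\s*"([^"]+?)\s*"\s*\[(\d{4})-(\d{2})-(\d{2}) (\d+)\]$')
ATJOB_RE = re.compile(r"^c:\\windows\\tasks\\at(\d+)\.job$", re.IGNORECASE)
# Per-user data directories: writable by the logged-on user without any elevation.
USER_DATA_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\(local settings\\)?application data\\", re.IGNORECASE)


def parse_log(text):
    """Return (scan_date, run_entries, at_job_numbers) from a ComboFix log."""
    scan_date, entries, at_jobs, key = None, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            mm, dd, yyyy = (int(x) for x in m.groups())   # ComboFix prints US mm/dd/yyyy
            scan_date = date(yyyy, mm, dd)
            continue
        m = ATJOB_RE.match(line)
        if m:
            at_jobs.append(int(m.group(1)))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            name, path, y, mo, d, size = m.groups()
            entries.append({"key": key, "name": name, "path": path,
                            "file_date": date(int(y), int(mo), int(d)), "size": int(size)})
    return scan_date, entries, sorted(at_jobs)


def assess(entry, scan_date):
    """Score one Run-key entry.  Location is the deciding signal; the other two
    only corroborate it (a fresh file under Program Files is normal after an update)."""
    path = entry["path"]
    in_user_data = bool(USER_DATA_RE.match(path))
    reasons = []
    if in_user_data:
        reasons.append("image lives in a user-writable profile directory, not Program Files")
    if scan_date is not None and (scan_date - entry["file_date"]).days <= 2:
        reasons.append("image file dated within 2 days of the scan")
    name_tokens = [t for t in re.split(r"\W+", entry["name"].lower()) if t]
    exe = path.rsplit("\\", 1)[-1].lower()
    if not any(t in exe for t in name_tokens):
        reasons.append("value name shares nothing with the executable name")
    return in_user_data and len(reasons) >= 2, reasons


def build_cfscript(flagged):
    """Emit the File::/Folder::/Registry:: sections ComboFix accepts as a CFScript.
    In Registry::, "name"=- deletes a single value."""
    files, folders, reg = [], [], {}
    for e in flagged:
        files.append(e["path"])
        folders.append(e["path"].rsplit("\\", 1)[0])
        reg.setdefault(e["key"], []).append(e["name"])
    out = ["File::", *files, "", "Folder::", *folders, "", "Registry::"]
    for key, names in reg.items():
        out.append("[%s]" % key)
        out.extend('"%s"=-' % n for n in names)
    return "\n".join(out) + "\n"


def triage(text):
    scan_date, entries, at_jobs = parse_log(text)
    flagged = [e for e in entries if assess(e, scan_date)[0]]
    return {"scan_date": scan_date, "flagged": flagged, "at_jobs": at_jobs,
            "cfscript": build_cfscript(flagged)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["flagged"]:
        print('[%s] "%s" -> %s' % (e["key"], e["name"], e["path"]))
        for r in assess(e, result["scan_date"])[1]:
            print("   -", r)
    if result["at_jobs"]:
        print("%d At*.job files (tasks created with at.exe) listed under Other Deletions"
              % len(result["at_jobs"]))
    print()
    print(result["cfscript"])
```

The heuristic is deliberately narrow: a user-profile path on its own is not proof, since legitimate per-user installers use that location too, so the example insists on a second signal before it will put anything into the script. Run on the excerpt it reproduces the three items of the CFScript in the reply above and nothing else.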
     
  8. 2010/09/08
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    ComboFix 10-09-08.01 - Administrator 09/08/2010 21:20:19.18.1 - FAT32x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.271 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\btlxcmtih\cwaloimuqiw.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\btlxcmtih
    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\btlxcmtih\cwaloimuqiw.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
    .

    2010-09-08 22:35 . 2010-09-08 22:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
    2010-09-08 17:45 . 2010-09-08 17:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2010-09-08 16:10 . 2010-09-08 16:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-09-08 04:33 . 2010-09-09 02:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-07 21:02 . 2010-09-07 21:02 -------- d-----w- c:\program files\MSXML 4.0
    2010-09-06 20:52 . 2010-09-06 20:52 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\HP
    2010-09-06 19:04 . 2010-09-06 19:05 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\HPAppData
    2010-09-06 18:56 . 2010-09-06 18:56 1148400 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\RocketEngine.dll
    2010-09-06 18:56 . 2010-09-06 18:56 341488 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\PhotoProductCore.exe
    2010-09-06 18:56 . 2010-09-06 18:56 255472 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\ContentMan.dll
    2010-09-06 18:56 . 2010-09-06 18:56 158240 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\PhotoProductReg.exe
    2010-09-06 18:56 . 2010-09-06 18:56 140784 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations\RLPNUpload.dll
    2010-09-06 18:56 . 2010-09-06 18:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG
    2010-09-06 18:55 . 2010-09-06 18:55 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\HP
    2010-09-06 18:53 . 2010-09-06 18:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2010-09-06 18:52 . 2010-09-06 18:52 -------- d-----w- c:\program files\Coupons
    2010-09-06 18:51 . 2010-09-06 18:51 -------- d-----w- c:\program files\HP Photo Creations
    2010-09-06 18:51 . 2010-09-06 18:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Photo Creations
    2010-09-06 18:51 . 2010-09-06 18:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Product Assistant
    2010-09-06 18:49 . 2010-09-06 18:49 -------- d-----w- c:\program files\Common Files\HP
    2010-09-06 18:49 . 2010-09-06 18:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP
    2010-09-06 18:45 . 2010-09-06 18:55 172174 ----a-w- c:\windows\hpoins37.dat
    2010-09-06 18:45 . 2010-02-02 20:05 558 ------w- c:\windows\hpomdl37.dat
    2010-09-06 18:39 . 2008-10-06 20:37 315392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp083.dll
    2010-09-06 18:39 . 2008-10-06 20:38 121344 ----a-w- c:\windows\system32\hpf3l083.dll
    2010-09-06 18:39 . 2008-10-29 17:35 271704 ----a-r- c:\windows\system32\hpzids01.dll
    2010-09-06 18:38 . 2008-10-28 09:31 309760 ----a-r- c:\windows\system32\difxapi.dll
    2010-09-06 18:38 . 2008-10-28 09:31 372736 ----a-r- c:\windows\system32\hppldcoi.dll
    2010-09-06 18:38 . 2008-10-29 17:37 307200 ----a-r- c:\windows\system32\hposc_d02a.dll
    2010-09-06 18:38 . 2008-10-29 17:37 737280 ----a-r- c:\windows\system32\hposwia_d02a.dll
    2010-09-06 18:38 . 2008-10-29 17:37 598016 ----a-r- c:\windows\system32\hpost_d02a.dll
    2010-09-06 18:17 . 2010-09-06 18:17 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\HpUpdate
    2010-09-03 21:35 . 2010-09-03 21:35 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-09-02 20:25 . 2010-09-02 20:25 10134 ----a-r- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-07 15:12 . 2010-07-10 21:24 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2010-07-10 21:24 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-07-10 21:29 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2010-07-10 21:29 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2010-07-10 21:29 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2010-07-10 21:28 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2010-07-10 21:28 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2010-07-10 21:29 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2010-07-10 21:28 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-06 19:05 . 2006-01-15 21:37 20144 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-09 21:09 . 2010-08-09 21:09 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13bb0c4e-n\msvcp71.dll
    2010-08-09 21:09 . 2010-08-09 21:09 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1401b338-n\decora-sse.dll
    2010-08-09 21:09 . 2010-08-09 21:09 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13bb0c4e-n\jmc.dll
    2010-08-09 21:09 . 2010-08-09 21:09 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13bb0c4e-n\msvcr71.dll
    2010-08-09 21:09 . 2010-08-09 21:09 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1401b338-n\decora-d3d.dll
    2010-07-16 21:40 . 2010-07-16 21:40 -------- d-----w- c:\program files\Common Files\Java
    2010-07-15 19:10 . 2010-07-15 19:10 170 ---ha-w- c:\documents and settings\Richard Doenges\hpothb07.dat
    2010-07-15 19:10 . 2006-08-21 19:26 367 ---ha-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\hpothb07.dat
    2010-07-11 20:20 . 2010-07-11 20:20 -------- d-----w- c:\program files\Uniblue
    2010-06-30 12:31 . 2003-03-31 17:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2003-03-31 17:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2003-03-31 17:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2003-03-31 17:00 80384 ------w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2007-11-24 19:58 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    2010-06-14 07:41 . 2006-09-13 04:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2006-07-20 20:07 . 2006-07-20 20:07 18801 ------w- c:\program files\IE70BlockerHelp.htm
    2006-05-08 22:07 . 2006-05-08 22:07 28142 ------w- c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
    2006-05-08 21:13 . 2006-05-08 21:13 3730 ------w- c:\program files\IE70Blocker.adm
    2006-05-08 21:13 . 2006-05-08 21:13 1809 ------w- c:\program files\IE70Blocker.cmd
    2005-05-26 19:35 . 2007-11-23 21:24 1422 ------w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "HP Software Update "= "c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Start Menu\Programs\Startup\
    MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2006-1-6 18480224]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe "=
    "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe "=

    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/23/2010 7:14 PM 95024]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/10/2010 4:29 PM 165584]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/10/2010 4:29 PM 17744]
    S2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/28/2009 11:29 AM 90352]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/31/2003 12:00 PM 14336]
    S3 OBWUXECJY;OBWUXECJY;c:\docume~1\ADMINI~1\LOCALS~1\Temp\OBWUXECJY.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OBWUXECJY.exe [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - OBWUXECJY
    *NewlyCreated* - STLTRK2K

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-08 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2010-09-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-06 21:27]

    2010-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-09-07 c:\windows\Tasks\User_Feed_Synchronization-{9913872E-C5A8-4D8F-83A3-237CEECEEC63}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2010-09-08 c:\windows\Tasks\User_Feed_Synchronization-{7712294E-F94B-4110-8CC7-2F0C256BC9C4}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2007-01-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8137559368.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe "
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-08 21:25
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,c8,30,34,50,25,11,4a,96,a7,04,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,c8,30,34,50,25,11,4a,96,a7,04,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    Completion time: 2010-09-08 21:27:35
    ComboFix-quarantined-files.txt 2010-09-09 02:27
    ComboFix2.txt 2010-09-08 15:40

    Pre-Run: 13,918,240,768 bytes free
    Post-Run: 13,963,591,680 bytes free

    Current=5 Default=5 Failed=2 LastKnownGood=3 Sets=1,2,3,5
    - - End Of File - - B930041B9FF0100DF48A2BC444EE8D88
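Of everything in the ComboFix log above, the service table (the `R1`/`R2`/`S1`/`S2`/`S3` lines) plus the *NewlyCreated* list is where a helper looks first, and the entry that deserves a second look is easy to characterise: an all-caps service name that looks machine-generated, an image under the Administrator's Temp directory, no date/size stamp (`[?]`) because the binary could not be read when ComboFix ran, and the same name again under *NewlyCreated*. As an added example, not part of the original thread and not a ComboFix feature, the following Python script parses those lines and scores each service against those indicators. The sample log is constructed from the lines posted above, and the heuristics (Temp path, missing stamp, generated-looking name, presence in *NewlyCreated*) and the severity thresholds are assumptions chosen for illustration, not ComboFix's own logic.

```python
"""Triage the service table of a ComboFix log (added example, not a ComboFix tool).

ComboFix prints one line per service/driver in the form
    <R|S><start type> <name>;<display name>;<image path ...> [<date time size> | ?]
where R = running, S = stopped, and the digit is the start type (0 boot .. 4 disabled).
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the log posted above (names and paths copied
# from it); this is not a real scan.
SAMPLE_LOG = r"""
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/23/2010 7:14 PM 95024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/28/2009 11:29 AM 90352]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/31/2003 12:00 PM 14336]
S3 OBWUXECJY;OBWUXECJY;c:\docume~1\ADMINI~1\LOCALS~1\Temp\OBWUXECJY.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OBWUXECJY.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - OBWUXECJY
*NewlyCreated* - STLTRK2K
"""

SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
NEWLY_RE = re.compile(r"^\*NewlyCreated\*\s+-\s+(\S+)\s*$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))", re.IGNORECASE)
# Heuristic (assumption): long all-caps alphanumeric names are typical of
# generated service names; short ones like SBRE or HPZ12 are left alone.
GENERATED_NAME_RE = re.compile(r"^[A-Z0-9]{7,}$")
NAME_REASON = "machine-generated-looking service name"


@dataclass
class Finding:
    name: str
    image: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        # Thresholds are an assumption for this example, not a standard.
        if len(self.reasons) >= 3:
            return "high"
        return "review" if self.reasons else "ok"


def parse_image(raw):
    """Reduce 'path --> path' and 'path -k args' forms to the first binary path."""
    first = raw.split(" --> ")[0]
    m = IMAGE_RE.match(first)
    return (m.group(1) if m else first).strip().lower()


def triage(log_text):
    """Return {service name: Finding} for every service line and *NewlyCreated* entry."""
    findings = {}
    newly = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            _state, _start, name, _display, raw_image, stamp = m.groups()
            f = Finding(name=name, image=parse_image(raw_image))
            if stamp.strip() == "?":
                f.reasons.append("no date/size stamp: binary not readable at scan time")
            if "\\temp\\" in f.image:
                f.reasons.append("image lives under a Temp directory")
            if GENERATED_NAME_RE.match(name):
                f.reasons.append(NAME_REASON)
            findings[name] = f
            continue
        m = NEWLY_RE.match(line)
        if m:
            newly.append(m.group(1))
    for name in newly:
        f = findings.setdefault(name, Finding(name=name, image="(not in service table)"))
        f.reasons.append("listed under *NewlyCreated*")
        if GENERATED_NAME_RE.match(name) and NAME_REASON not in f.reasons:
            f.reasons.append(NAME_REASON)
    return findings


def suspicious(log_text):
    """Names of services that scored anything other than 'ok', sorted."""
    return sorted(n for n, f in triage(log_text).items() if f.severity != "ok")


if __name__ == "__main__":
    for name, f in triage(SAMPLE_LOG).items():
        print(f"{f.severity:6} {name:22} {f.image}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run stand-alone it prints one line per service with its score and reasons; with the sample above, `OBWUXECJY` collects all four indicators while `STLTRK2K`, which has no service line at all, only earns a "review" so that a human compares it against the running driver list before touching it.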
     
  9. 2010/09/08
    broni (Moderator, Malware Analyst)
    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log in your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to un-check "Devices" in the right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
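The GMER log that STEP 2 produces is a flat list of `SSDT`, `Device`, `Process`/`Library`, `.text` and `Service`/`ADS` lines, and the person reading it mostly wants four answers: which driver hooks the directory and process enumeration syscalls (the primitives a rootkit uses to hide), how many objects were invisible to the normal APIs (`(*** hidden *** )`), whether a payload lives in an NTFS alternate data stream (a `drive:\dir\file:stream` path, which a plain directory listing never shows), and whether a user-mode function is inline-patched in every process (process-wide injection rather than one bad program). GMER appends `<-- ROOTKIT !!!` to what it considers hidden, but not to every SSDT hook, because security products hook the same table. As an added example, not part of broni's instructions and not GMER's own code, this Python script answers those four questions from a log. The sample input is constructed from the kinds of lines GMER prints, and treating `ZwQueryDirectoryFile` and `ZwQuerySystemInformation` as the "hiding" syscalls is an assumption made for the example.

```python
"""Summarise a GMER rootkit log (added example, not part of GMER or of the thread)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the line formats GMER prints; not a real scan.
SAMPLE_GMER = r"""
---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQuerySystemInformation <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwTerminateProcess

---- Processes - GMER 1.0.10 ----

Process msvcji32.exe (*** hidden *** ) 1480 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3808] 0x10000000 <-- ROOTKIT !!!

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 011E045D
.text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E3045D

---- Services - GMER 1.0.11 ----

Service D:\WINDOWS\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Files - GMER 1.0.11 ----

ADS D:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
SSDT_RE = re.compile(r"^SSDT (\S+) (Zw\w+)")
# .text <exe>[pid] <dll>!<func> <addr> <n> Bytes JMP <target>
INLINE_RE = re.compile(r"^\.text (\S+?)\[(\d+)\] (\S+!\w+) [0-9A-F]+ (\d+) Bytes JMP ([0-9A-F]+)")
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")  # drive:\dir\file:stream
HIDDEN = "(*** hidden *** )"
MARK = "<-- ROOTKIT !!!"
# Assumption for this example: hooking these is what hides files/processes.
HIDING_SYSCALLS = {"ZwQueryDirectoryFile", "ZwQuerySystemInformation"}


def triage_gmer(text):
    out = {
        "ssdt": defaultdict(list),   # hooking module -> hooked syscalls
        "hidden": [],                # (section, object) pairs invisible to normal APIs
        "inline": defaultdict(set),  # hooked user-mode function -> set of pids
        "ads": [],                   # paths that are alternate data streams
        "marked": 0,                 # lines GMER itself flagged with <-- ROOTKIT !!!
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.endswith(MARK):
            out["marked"] += 1
            line = line[: -len(MARK)].rstrip()
        m = SSDT_RE.match(line)
        if m:
            module = m.group(1).rsplit("\\", 1)[-1].lower()
            out["ssdt"][module].append(m.group(2))
            continue
        m = INLINE_RE.match(line)
        if m:
            out["inline"][m.group(3)].add(int(m.group(2)))
            continue
        if HIDDEN in line:
            parts = line.split(HIDDEN)[0].split(None, 1)
            out["hidden"].append((section, (parts[1] if len(parts) > 1 else parts[0]).strip()))
        for tok in line.split():
            if ADS_RE.match(tok):
                out["ads"].append(tok)
    return out


def verdict(text):
    """Reduce the triage to the four questions a helper asks first."""
    r = triage_gmer(text)
    return {
        "hides_files_or_processes": sorted(
            mod for mod, fns in r["ssdt"].items() if HIDING_SYSCALLS & set(fns)),
        "hidden_objects": len(r["hidden"]),
        "ads_payloads": sorted(set(r["ads"])),
        "inline_hooked_everywhere": sorted(
            fn for fn, pids in r["inline"].items() if len(pids) > 1),
        "gmer_flagged": r["marked"],
    }


if __name__ == "__main__":
    for key, value in verdict(SAMPLE_GMER).items():
        print(f"{key}: {value}")
```

The split between `hides_files_or_processes` and the raw `ssdt` table is the point: on the sample, `wpsdrvnt.sys` also hooks the SSDT but only `ZwTerminateProcess`, so it is reported as a hook without being called a rootkit, while `xdudmm.sys` hooks both enumeration syscalls and is. The same `NtQueryDirectoryFile` patch appearing in `csrss.exe` and `explorer.exe` is what tells you the injection is system-wide.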
     
  10. 2010/09/08
    RickyD2 (Inactive, Thread Starter)
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4578

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    9/8/2010 11:05:35 PM
    mbam-log-2010-09-08 (23-05-35).txt

    Scan type: Quick scan
    Objects scanned: 181433
    Time elapsed: 5 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  11. 2010/09/08
    broni (Moderator, Malware Analyst)
    Go on....
     
  12. 2010/09/08
    RickyD2 (Inactive, Thread Starter)
    ---- Devices - GMER 1.0.9 ----

    Device \Driver\Volvice \Device\aswtMgr IRP_MJ_CREATE 81BBB8C3
    Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1950828
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E100D390

    ---- Processes - GMER 1.0.9 ----

    Process msvcji32.exe (*** hidden *** ) 1480 <-- ROOTKIT !!!
    Process lsacap32.exe (*** hidden *** ) 1488 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.9 ----

    File C:\WINDOWS\system32\drivers\imaslip.sys
    File C:\WINDOWS\system32\lsacap32.exe

    ---- EOF - GMER 1.0.9 ----



    alco8drv.sys GMER 1.0.9.8110 - http://www.gmer.net
    Windows 5.1.2600 Dodatek Service Pack 2


    ---- System - GMER 1.0.9 ----


    ---- Devices - GMER 1.0.9 ----

    Device \Driver\WmiDisk \Device\G69uQQGr IRP_MJ_CREATE 83E50A11

    ---- Processes - GMER 1.0.9 ----

    Process synbdusx.exe (*** hidden *** ) 1848 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.9 ----

    File C:\WINDOWS\system32\drivers\alco8drv.sys
    File C:\WINDOWS\system32\synbdusx.exe

    ---- EOF - GMER 1.0.9 ----


    xdudmm.sys
    xdudtt.dll GMER 1.0.10.10108 - http://www.gmer.net
    Rootkit 2006-05-24 00:29:02
    Windows 5.1.2600


    ---- System - GMER 1.0.10 ----

    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwCreateProcess <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwCreateProcessEx <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwOpenProcess <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwOpenThread <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQuerySystemInformation <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwTerminateProcess

    ---- Devices - GMER 1.0.10 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F88DF300] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F88DF520] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F88DF610] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F88DF640] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F88DF300] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F88DF520] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F88DF610] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F88DF640] wpsdrvnt.sys
    ---- Processes - GMER 1.0.10 ----

    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Apache Group\Apache2\bin\Apache.exe [244] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [300] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\nvsvc32.exe [308] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe [332] 0x00E50000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe [492] 0x00950000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [572] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\RECYCLER\lsass.exe [600] 0x10000000 <-- ROOTKIT !!!

    Process C:\WINDOWS\SYSTEM32\winlogon.exe (*** hidden *** ) 796 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\winlogon.exe [796] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [1636] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [1696] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\system32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1820] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Apache Group\Apache2\bin\Apache.exe [1956] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\GEARSec.exe [1996] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Norton Ghost\Agent\VProSvc.exe [2024] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE [2388] 0x00C00000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe [2412] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Winamp\winamp.exe [2556] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\QuickTime\qttask.exe [2616] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2656] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\wccx.exe [2796] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\d13a4e75.exe [2804] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\SpeedFan\speedfan.exe [3080] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [3084] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\rundll32.exe [3212] 0x00950000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Canon\CAL\CALMAIN.exe [3564] 0x10000000 <-- ROOTKIT !!!

    Process C:\WINDOWS\explorer.exe (*** hidden *** ) 3808 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3808] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [4196] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\PowerArchiver\POWERARC.EXE [4836] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Gadu-Gadu\gg.exe [5140] 0x00D00000 <-- ROOTKIT !!!
    Library C:\WINDOWS\system32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\system32\notepad.exe [5400] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\_PA459\gmer.exe [6008] 0x10000000 <-- ROOTKIT !!!

    ---- Services - GMER 1.0.10 ----

    Service C:\WINDOWS\System32\xdudmm.sys (*** hidden *** ) [SYSTEM] xdudmm <-- ROOTKIT !!!
    Service C:\WINDOWS\System32\xdudmm.sys (*** hidden *** ) [AUTO] xdudtt <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.10 ----



    pe386 GMER 1.0.10.10108 - http://www.gmer.net
    Rootkit 2006-05-25 14:32:07
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.10 ----


    SYSENTER ? 00810005

    ---- Devices - GMER 1.0.10 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81732520
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 817310C0

    ---- Services - GMER 1.0.10 ----

    Service D:\WINDOWS\System32:18467 (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.10 ----


    Gromozon Rootkit GMER 1.0.10.10122 - http://www.gmer.net
    Rootkit 2006-08-31 14:25:26
    Windows 5.1.2600 Service Pack 2

    ---- Processes - GMER 1.0.10 ----

    Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [2500] 0x01F20000 <-- ROOTKIT !!!
    Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [4036] 0x01F20000 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.10 ----

    File C:\WINDOWS\mdoom1.dll
    File C:\WINDOWS\system32\lpt4.hzq

    ---- EOF - GMER 1.0.10 ----


    GMER 1.0.10.10122 - http://www.gmer.net
    Autostart 2006-08-31 14:27:47
    Windows 5.1.2600 Service Pack 2

    ...

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\lpt4.hzq

    ...

    HKLM\SYSTEM\CurrentControlSet\Services\ >>>
    SrvXdx /*SrvXdx*/@ = "C:\Programmi\File comuni\System\mfxS.exe"

    ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
    @{D4ED03F3-6672-F05B-77C2-859151625148}C:\WINDOWS\mdoom1.dll = C:\WINDOWS\mdoom1.dll

    ...


    ---- EOF - GMER 1.0.10 ----


    lzx32 GMER 1.0.11.11310 - http://www.gmer.net
    Rootkit 2006-09-14 09:31:21
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.11 ----

    SYSENTER ? F60FDFAF

    ---- Modules - GMER 1.0.11 ----

    Module (noname) (*** hidden *** ) F60F9000

    ---- Threads - GMER 1.0.11 ----

    Thread 4:1224 F60FC08A

    ---- Services - GMER 1.0.11 ----

    Service D:\WINDOWS\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.11 ----

    ADS D:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.11 ----


    wincom32.sys GMER 1.0.12.12012 - http://www.gmer.net
    Rootkit scan 2007-02-04 13:46:33
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \??\C:\WINDOWS\system32\wincom32.sys ZwEnumerateKey <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\system32\wincom32.sys ZwEnumerateValueKey <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\system32\wincom32.sys ZwQueryDirectoryFile <-- ROOTKIT !!!

    ---- User code sections - GMER 1.0.12 ----

    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 009B083C
    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009B07B6
    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009B05E4
    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 009B045D
    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 009B0505
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 011E083C
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 011E07B6
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 011E05E4
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 011E045D
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 011E0505
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00E1083C
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00E107B6
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00E105E4
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E1045D
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00E10505
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A1083C
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00A107B6
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00A105E4
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A1045D
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00A10505
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00D0083C
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00D007B6
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00D005E4
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D0045D
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00D00505
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 008E083C
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008E07B6
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008E05E4
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008E045D
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008E0505
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0196083C
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 019607B6
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 019605E4
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0196045D
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01960505
     
  13. 2010/09/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Wrong MBRCheck log.
    Please, redo step 3.
     
  14. 2010/09/08
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SYSTEM_CONTROL 82113F00
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CHANGE 82113F00
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_QUOTA 82113F00
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_QUOTA 82113F00
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_PNP 82113F00
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_PNP_POWER 82113F00
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSEIRP_MJ_READ 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 81EDBB50
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP_POWER 81EDBB50
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F82FABF6] klmc.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F82FABF6] klmc.sys

    Device \Driver\adpsSvc \Device\perRAME IRP_MJ_CREATE 81C721E7

    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F82FABF6] klmc.sys
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLOSEIRP_MJ_READ 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_WRITE 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_EA 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_POWER 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_QUOTA 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_PNP 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_PNP_POWER 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_NAMED_PIPE 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLOSEIRP_MJ_READ 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_WRITE 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_INFORMATION 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_INFORMATION 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_EA 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_EA 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FLUSH_BUFFERS 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_VOLUME_INFORMATION 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_VOLUME_INFORMATION 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DIRECTORY_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FILE_SYSTEM_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SHUTDOWN 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_LOCK_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLEANUP 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_MAILSLOT 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_SECURITY 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_SECURITY 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_POWER 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SYSTEM_CONTROL 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CHANGE 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_QUOTA 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_QUOTA 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP 82147AD8
    Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP_POWER 82147AD8

    ---- Processes - GMER 1.0.9 ----

    Process UXTAKSIE.EXE (*** hidden *** ) 1208 <-- ROOTKIT !!!
    Process ADSPTSVC.EXE (*** hidden *** ) 1216 <-- ROOTKIT !!!

    ---- Modules - GMER 1.0.9 ----

    Module _________ F846A000

    ---- Services - GMER 1.0.9 ----

    Service C:\WINDOWS\System32\drivers\drmpdate.sys (*** hidden *** ) [SYSTEM] adpsSvc <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.9 ----

    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ y\9CqF KLLKLLML9.BpYkcKLLKaNLuglbmuqLqICD.6RQL\B2F.BCL\B69\yD.MCIC
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Device \\.\perRAME
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverPath C:\WINDOWS\System32\drivers\drmpdate.sys
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverName adpsSvc
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@HideUninstallerName C:\Program Files\Inturacy\lzedw400.exe
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerPath C:\WINDOWS\System32\qosccr32.exe
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerRegKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{965B0857-18E7-45F1-BC59-D59CE7AFA7D4}
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerParams /CTUN
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@HDll C:\WINDOWS\System32\dxdstyle.dll
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ServerAddress adchannel.contextplus.net
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@LegalNote http://adchannel.contextplus.net/legal-note/nonbranded.html
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@PartnerId CP.IST2
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@InstallationId {X613cfc5-155c-47f2-44fb-b8bd7a7e0703}
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@PageFiltering 1
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ClientName C:\Program Files\Inturacy\uxtaksie.exe
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@AutoUpdater C:\WINDOWS\System32\adsptsvc.exe
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Version 2.0.131
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@CrMnTmt 3600000
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@NxRestTm 2006:03:25-14:32:01:192
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@LastAURestoreMsgTS 2006:03:25-13:32:01:442
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ y\9CqF KLLKLLML9.BpYkcKLLKaNLuglbmuqLqICD.6RQL\B2F.BCL\B69\yD.MCIC
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Device \\.\perRAME
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverPath C:\WINDOWS\System32\drivers\drmpdate.sys
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverName adpsSvc
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@HideUninstallerName C:\Program Files\Inturacy\lzedw400.exe
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerPath C:\WINDOWS\System32\qosccr32.exe
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerRegKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{965B0857-18E7-45F1-BC59-D59CE7AFA7D4}
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@UninstallerParams /CTUN
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@HDll C:\WINDOWS\System32\dxdstyle.dll
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ServerAddress adchannel.contextplus.net
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@LegalNote http://adchannel.contextplus.net/legal-note/nonbranded.html
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@PartnerId CP.IST2
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@InstallationId {X613cfc5-155c-47f2-44fb-b8bd7a7e0703}
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@PageFiltering 1
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ClientName C:\Program Files\Inturacy\uxtaksie.exe
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@AutoUpdater C:\WINDOWS\System32\adsptsvc.exe
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Version 2.0.131
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@CrMnTmt 3600000
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@NxRestTm 2006:03:25-14:32:01:192
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@LastAURestoreMsgTS 2006:03:25-13:32:01:442
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm\AU2
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@ y\9CqF KLLKLLML9.BpYkcKLLKaNLuglbmuqLqICD.6RQL\B2F.BCL\B69\yD.MCIC
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@Device \\.\perRAME
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverPath C:\WINDOWS\System32\drivers\drmpdate.sys
    Reg \Registry\MACHINE\SOFTWARE\C2ie8AGofgqm@DriverName


    vdmt16.sys winlow.sys GMER 1.0.9.8110 - http://www.gmer.net
    Windows 5.1.2600


    ---- System - GMER 1.0.9 ----

    SSDT a347bus.sys ZwClose
    SSDT a347bus.sys ZwCreateKey
    SSDT a347bus.sys ZwCreatePagingFile
    SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwCreateProcess <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwCreateProcessEx <-- ROOTKIT !!!
    SSDT FF7B1820 ZwEnumerateKey <-- ROOTKIT !!!
    SSDT a347bus.sys ZwEnumerateValueKey
    SSDT a347bus.sys ZwOpenKey
    SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwOpenProcess <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
    SSDT a347bus.sys ZwQueryKey
    SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwQuerySystemInformation <-- ROOTKIT !!!
    SSDT a347bus.sys ZwQueryValueKey
    SSDT a347bus.sys ZwSetSystemPowerState

    ---- Services - GMER 1.0.9 ----

    Service C:\WINDOWS\System32\Drivers\sysbus32.sys (*** hidden *** ) [AUTO] sysbus32 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.9 ----

    File C:\!KillBox\drct16.dll
    File C:\System Volume Information\MountPointManagerRemoteDatabase
    File C:\System Volume Information\tracking.log
    File C:\WINDOWS\system32\cz.dll
    File C:\WINDOWS\system32\drct16.dll
    File C:\WINDOWS\system32\fltr.a3d
    File C:\WINDOWS\system32\hz.sys
    File C:\WINDOWS\system32\i.a3d
    File C:\WINDOWS\system32\klogini.dll
    File C:\WINDOWS\system32\mszx23.exe
    File C:\WINDOWS\system32\p2.ini
    File C:\WINDOWS\system32\redir.a3d
    File C:\WINDOWS\system32\tnfl.a3d
    File C:\WINDOWS\system32\vdmt16.sys <-- ROOTKIT !!!
    File C:\WINDOWS\system32\winlow.sys <-- ROOTKIT !!!
    File C:\WINDOWS\system32\wz.sys
    File D:\System Volume Information\tracking.log

    ---- Services - GMER 1.0.9 ----

    Service C:\WINDOWS\System32\vdmt16.sys [SYSTEM] vdmt16 <-- ROOTKIT !!!
    Service C:\WINDOWS\System32\winlow.sys [AUTO] winlow <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.9 ----



    imaslip.sys GMER 1.0.9.8110 - http://www.gmer.net
    Windows 5.1.2600 Service Pack 2


    ---- Devices - GMER 1.0.9 ----

    Device \Driver\Volvice \Device\aswtMgr IRP_MJ_CREATE 81BBB8C3
    Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1950828
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 IRP_MJ_SHUTDOWN [F8A3E6C1] prosync1.sys
    Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E100D390

    ---- Processes - GMER 1.0.9 ----

    Process msvcji32.exe (*** hidden *** ) 1480 <-- ROOTKIT !!!
    Process lsacap32.exe (*** hidden *** ) 1488 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.9 ----

    File C:\WINDOWS\system32\drivers\imaslip.sys
    File C:\WINDOWS\system32\lsacap32.exe

    ---- EOF - GMER 1.0.9 ----



    alco8drv.sys GMER 1.0.9.8110 - http://www.gmer.net
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.9 ----


    ---- Devices - GMER 1.0.9 ----

    Device \Driver\WmiDisk \Device\G69uQQGr IRP_MJ_CREATE 83E50A11

    ---- Processes - GMER 1.0.9 ----

    Process synbdusx.exe (*** hidden *** ) 1848 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.9 ----

    File C:\WINDOWS\system32\drivers\alco8drv.sys
    File C:\WINDOWS\system32\synbdusx.exe

    ---- EOF - GMER 1.0.9 ----


    xdudmm.sys
    xdudtt.dll GMER 1.0.10.10108 - http://www.gmer.net
    Rootkit 2006-05-24 00:29:02
    Windows 5.1.2600


    ---- System - GMER 1.0.10 ----

    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwCreateProcess <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwCreateProcessEx <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwOpenProcess <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwOpenThread <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQuerySystemInformation <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwTerminateProcess

    ---- Devices - GMER 1.0.10 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F88DF300] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F88DF520] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F88DF610] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F88DF640] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F88DF300] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F88DF520] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F88DF610] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F88DF640] wpsdrvnt.sys

    ---- Processes - GMER 1.0.10 ----

    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Apache Group\Apache2\bin\Apache.exe [244] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [300] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\nvsvc32.exe [308] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe [332] 0x00E50000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe [492] 0x00950000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [572] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\RECYCLER\lsass.exe [600] 0x10000000 <-- ROOTKIT !!!

    Process C:\WINDOWS\SYSTEM32\winlogon.exe (*** hidden *** ) 796 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\winlogon.exe [796] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [1636] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [1696] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\system32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1820] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Apache Group\Apache2\bin\Apache.exe [1956] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\GEARSec.exe [1996] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Norton Ghost\Agent\VProSvc.exe [2024] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE [2388] 0x00C00000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe [2412] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Winamp\winamp.exe [2556] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\QuickTime\qttask.exe [2616] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2656] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\wccx.exe [2796] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\d13a4e75.exe [2804] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\SpeedFan\speedfan.exe [3080] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [3084] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\rundll32.exe [3212] 0x00950000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Canon\CAL\CALMAIN.exe [3564] 0x10000000 <-- ROOTKIT !!!

    Process C:\WINDOWS\explorer.exe (*** hidden *** ) 3808 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3808] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [4196] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\PowerArchiver\POWERARC.EXE [4836] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Gadu-Gadu\gg.exe [5140] 0x00D00000 <-- ROOTKIT !!!
    Library C:\WINDOWS\system32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\system32\notepad.exe [5400] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\_PA459\gmer.exe [6008] 0x10000000 <-- ROOTKIT !!!

    ---- Services - GMER 1.0.10 ----

    Service C:\WINDOWS\System32\xdudmm.sys (*** hidden *** ) [SYSTEM] xdudmm <-- ROOTKIT !!!
    Service C:\WINDOWS\System32\xdudmm.sys (*** hidden *** ) [AUTO] xdudtt <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.10 ----



    pe386 GMER 1.0.10.10108 - http://www.gmer.net
    Rootkit 2006-05-25 14:32:07
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.10 ----


    SYSENTER ? 00810005

    ---- Devices - GMER 1.0.10 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81732520
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 817310C0

    ---- Services - GMER 1.0.10 ----

    Service D:\WINDOWS\System32:18467 (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.10 ----


    Gromozon Rootkit GMER 1.0.10.10122 - http://www.gmer.net
    Rootkit 2006-08-31 14:25:26
    Windows 5.1.2600 Service Pack 2

    ---- Processes - GMER 1.0.10 ----

    Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [2500] 0x01F20000 <-- ROOTKIT !!!
    Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [4036] 0x01F20000 <-- ROOTKIT !!!

     
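The logs above are easier to read once the flagged entries are grouped by what they indicate. The Python below is an added example, not part of the thread and not GMER's code: it parses GMER's SSDT, Device, Process, Library and Service lines, collects the entries marked `<-- ROOTKIT !!!`, and calls out three things a responder checks first: hooks on enumeration syscalls (ZwQueryDirectoryFile, ZwQuerySystemInformation, ZwEnumerateKey) that let a driver hide files, processes and keys; a hook whose address GMER could not attribute to any loaded module; and a service image path with a colon inside it, which is an NTFS alternate data stream (the `pe386` entry `D:\WINDOWS\System32:18467`). The sample input is constructed from lines excerpted from the logs posted above; the regexes describing GMER's line layout are my reading of that output and an assumption.

```python
"""GMER scan-log triage: pull the flagged entries and group them by what they indicate.
Added example; the line regexes are my reading of GMER's output, not GMER's own code."""
import re
from collections import defaultdict

# Constructed input: lines excerpted from the GMER logs posted in the thread above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.9 ----
SSDT a347bus.sys ZwClose
SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwCreateProcess <-- ROOTKIT !!!
SSDT FF7B1820 ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\vdmt16.sys ZwQuerySystemInformation <-- ROOTKIT !!!
---- Devices - GMER 1.0.10 ----
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F88DF300] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 817310C0
---- Processes - GMER 1.0.10 ----
Process UXTAKSIE.EXE (*** hidden *** ) 1208 <-- ROOTKIT !!!
Process C:\WINDOWS\SYSTEM32\winlogon.exe (*** hidden *** ) 796 <-- ROOTKIT !!!
Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\winlogon.exe [796] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3808] 0x10000000 <-- ROOTKIT !!!
Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\RECYCLER\lsass.exe [600] 0x10000000 <-- ROOTKIT !!!
---- Services - GMER 1.0.10 ----
Service C:\WINDOWS\System32\xdudmm.sys (*** hidden *** ) [SYSTEM] xdudmm <-- ROOTKIT !!!
Service D:\WINDOWS\System32:18467 (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\winlow.sys [AUTO] winlow <-- ROOTKIT !!!
"""

FLAG, HIDDEN = "<-- ROOTKIT !!!", "(*** hidden *** )"
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")  # bare address: GMER found no owning module
SSDT_RE = re.compile(r"^SSDT (\S+) (Zw\w+)$")
PROCESS_RE = re.compile(r"^Process (.+?) \(\*\*\* hidden \*\*\* \) (\d+)$")
LIBRARY_RE = re.compile(r"^Library (.+?) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\] (0x[0-9A-Fa-f]+)$")
SERVICE_RE = re.compile(r"^Service (.+?)(?: \(\*\*\* hidden \*\*\* \))? \[(\w+)\] (\S+)$")
DEVICE_RE = re.compile(r"^Device (\S+) (\S+) (IRP_MJ_\w+) (.+)$")
# A colon after the drive spec (D:\WINDOWS\System32:18467) names an NTFS alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
# Hooking these lets a driver filter what user mode can enumerate: files, processes, keys.
HIDING_SYSCALLS = {"ZwQueryDirectoryFile", "ZwQuerySystemInformation", "ZwEnumerateKey", "ZwEnumerateValueKey"}


def parse_gmer(text):
    """One dict per GMER entry; section headers are skipped, the ROOTKIT flag is kept."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        flagged = line.endswith(FLAG)
        if flagged:
            line = line[: -len(FLAG)].rstrip()
        kind = line.split(" ", 1)[0]
        rec = {"kind": kind, "flagged": flagged, "raw": line}
        if kind == "SSDT" and (m := SSDT_RE.match(line)):
            rec.update(owner=m[1], syscall=m[2], unattributed=bool(HEX32.fullmatch(m[1])))
        elif kind == "Process" and (m := PROCESS_RE.match(line)):
            rec.update(image=m[1], pid=int(m[2]), hidden=True)
        elif kind == "Library" and (m := LIBRARY_RE.match(line)):
            rec.update(dll=m[1], host=m[2], pid=int(m[3]), base=int(m[4], 16))
        elif kind == "Service" and (m := SERVICE_RE.match(line)):
            rec.update(image=m[1], start=m[2], name=m[3],
                       hidden=HIDDEN in line, ads=bool(ADS_RE.match(m[1])))
        elif kind == "Device" and (m := DEVICE_RE.match(line)):
            rec.update(driver=m[1], device=m[2], irp=m[3], handler=m[4],
                       unattributed=bool(HEX32.fullmatch(m[4])))
        records.append(rec)
    return records


def summarize(records):
    """Group parsed entries into the indicators a responder reads first."""
    hosts = defaultdict(set)  # injected DLL -> distinct host processes
    for r in records:
        if r["kind"] == "Library":
            hosts[r["dll"].lower()].add(r["host"].lower())
    return {
        "hooked_syscalls": sorted({r["syscall"] for r in records if r["kind"] == "SSDT" and r["flagged"]}),
        "unattributed_hooks": [r["raw"] for r in records if r.get("unattributed")],
        "hidden_processes": {r["image"]: r["pid"] for r in records if r["kind"] == "Process" and r.get("hidden")},
        "hidden_services": {r["name"]: r["image"] for r in records if r["kind"] == "Service" and r.get("hidden")},
        "ads_services": sorted(r["image"] for r in records if r["kind"] == "Service" and r.get("ads")),
        "injected_dlls": {dll: len(h) for dll, h in hosts.items()},
    }


def findings(summary):
    """Plain-language notes; an empty list means nothing here needs a second look."""
    notes = []
    hiding = sorted(set(summary["hooked_syscalls"]) & HIDING_SYSCALLS)
    if hiding:
        notes.append("SSDT hooks on enumeration syscalls (hiding): " + ", ".join(hiding))
    if summary["unattributed_hooks"]:
        notes.append(f"{len(summary['unattributed_hooks'])} hook(s) at addresses with no owning module")
    for path in summary["ads_services"]:
        notes.append("service image stored in an NTFS alternate data stream: " + path)
    for dll, n in summary["injected_dlls"].items():
        if n >= 3:
            notes.append(f"{dll} mapped hidden into {n} processes (system-wide injection)")
    if summary["hidden_processes"]:
        notes.append("hidden processes: " + ", ".join(summary["hidden_processes"]))
    return notes
```

Run `findings(summarize(parse_gmer(SAMPLE_LOG)))` to get the notes for the excerpt. The count of distinct host processes per hidden DLL is what separates one injected process from the system-wide injection seen with xdudtt.dll. An unattributed hook is a reason to look closer, not proof by itself: the same log shows a legitimate driver (a347bus.sys) hooking the SSDT without being flagged, and GMER only flags entries it could not tie to a known module.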
  15. 2010/09/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You posted it already.
    Please, post MBRCheck log.
     
  16. 2010/09/08
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    xdudmm.sys
    xdudtt.dll GMER 1.0.10.10108 - http://www.gmer.net
    Rootkit 2006-05-24 00:29:02
    Windows 5.1.2600


    ---- System - GMER 1.0.10 ----

    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwCreateProcess <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwCreateProcessEx <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwOpenProcess <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwOpenThread <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\xdudmm.sys ZwQuerySystemInformation <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwTerminateProcess

    ---- Devices - GMER 1.0.10 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F88DF300] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F88DF520] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F88DF610] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F88DF640] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F88DF300] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F88DF520] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F88DF610] wpsdrvnt.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F88DF640] wpsdrvnt.sys

    ---- Processes - GMER 1.0.10 ----

    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Apache Group\Apache2\bin\Apache.exe [244] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [300] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\nvsvc32.exe [308] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe [332] 0x00E50000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe [492] 0x00950000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [572] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\RECYCLER\lsass.exe [600] 0x10000000 <-- ROOTKIT !!!

    Process C:\WINDOWS\SYSTEM32\winlogon.exe (*** hidden *** ) 796 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\SYSTEM32\winlogon.exe [796] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [1636] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [1696] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\system32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1820] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Apache Group\Apache2\bin\Apache.exe [1956] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\GEARSec.exe [1996] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Norton Ghost\Agent\VProSvc.exe [2024] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE [2388] 0x00C00000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe [2412] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Winamp\winamp.exe [2556] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\QuickTime\qttask.exe [2616] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2656] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\wccx.exe [2796] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\d13a4e75.exe [2804] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\SpeedFan\speedfan.exe [3080] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [3084] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\System32\rundll32.exe [3212] 0x00950000 <-- ROOTKIT !!!
    Library C:\WINDOWS\SYSTEM32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Canon\CAL\CALMAIN.exe [3564] 0x10000000 <-- ROOTKIT !!!

    Process C:\WINDOWS\explorer.exe (*** hidden *** ) 3808 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3808] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [4196] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\PowerArchiver\POWERARC.EXE [4836] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\Program Files\Gadu-Gadu\gg.exe [5140] 0x00D00000 <-- ROOTKIT !!!
    Library C:\WINDOWS\system32\xdudtt.dll (*** hidden *** ) @ C:\WINDOWS\system32\notepad.exe [5400] 0x10000000 <-- ROOTKIT !!!
    Library C:\WINDOWS\System32\xdudtt.dll (*** hidden *** ) @ C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\_PA459\gmer.exe [6008] 0x10000000 <-- ROOTKIT !!!

    ---- Services - GMER 1.0.10 ----

    Service C:\WINDOWS\System32\xdudmm.sys (*** hidden *** ) [SYSTEM] xdudmm <-- ROOTKIT !!!
    Service C:\WINDOWS\System32\xdudmm.sys (*** hidden *** ) [AUTO] xdudtt <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.10 ----



    pe386 GMER 1.0.10.10108 - http://www.gmer.net
    Rootkit 2006-05-25 14:32:07
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.10 ----


    SYSENTER ? 00810005

    ---- Devices - GMER 1.0.10 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81732520
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 817310C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 817310C0

    ---- Services - GMER 1.0.10 ----

    Service D:\WINDOWS\System32:18467 (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.10 ----


    Gromozon Rootkit GMER 1.0.10.10122 - http://www.gmer.net
    Rootkit 2006-08-31 14:25:26
    Windows 5.1.2600 Service Pack 2

    ---- Processes - GMER 1.0.10 ----

    Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [2500] 0x01F20000 <-- ROOTKIT !!!
    Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [4036] 0x01F20000 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.10 ----

    File C:\WINDOWS\mdoom1.dll
    File C:\WINDOWS\system32\lpt4.hzq

    ---- EOF - GMER 1.0.10 ----


    GMER 1.0.10.10122 - http://www.gmer.net
    Autostart 2006-08-31 14:27:47
    Windows 5.1.2600 Service Pack 2

    ...

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\lpt4.hzq

    ...

    HKLM\SYSTEM\CurrentControlSet\Services\ >>>
    SrvXdx /*SrvXdx*/@ = "C:\Programmi\File comuni\System\mfxS.exe"

    ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
    @{D4ED03F3-6672-F05B-77C2-859151625148}C:\WINDOWS\mdoom1.dll = C:\WINDOWS\mdoom1.dll

    ...


    ---- EOF - GMER 1.0.10 ----


    lzx32 GMER 1.0.11.11310 - http://www.gmer.net
    Rootkit 2006-09-14 09:31:21
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.11 ----

    SYSENTER ? F60FDFAF

    ---- Modules - GMER 1.0.11 ----

    Module (noname) (*** hidden *** ) F60F9000

    ---- Threads - GMER 1.0.11 ----

    Thread 4:1224 F60FC08A

    ---- Services - GMER 1.0.11 ----

    Service D:\WINDOWS\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.11 ----

    ADS D:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.11 ----


    wincom32.sys GMER 1.0.12.12012 - http://www.gmer.net
    Rootkit scan 2007-02-04 13:46:33
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \??\C:\WINDOWS\system32\wincom32.sys ZwEnumerateKey <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\system32\wincom32.sys ZwEnumerateValueKey <-- ROOTKIT !!!
    SSDT \??\C:\WINDOWS\system32\wincom32.sys ZwQueryDirectoryFile <-- ROOTKIT !!!

    ---- User code sections - GMER 1.0.12 ----

    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 009B083C
    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009B07B6
    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009B05E4
    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 009B045D
    .text C:\WINDOWS\system32\cmd.exe[164] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 009B0505
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 011E083C
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 011E07B6
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 011E05E4
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 011E045D
    .text C:\WINDOWS\system32\csrss.exe[476] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 011E0505
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00E1083C
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00E107B6
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00E105E4
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E1045D
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00E10505
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A1083C
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00A107B6
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00A105E4
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A1045D
    .text C:\WINDOWS\system32\services.exe[556] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00A10505
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00D0083C
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00D007B6
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00D005E4
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D0045D
    .text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00D00505
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 008E083C
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008E07B6
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008E05E4
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008E045D
    .text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008E0505
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0196083C
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 019607B6
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 019605E4
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0196045D
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01960505
    .text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0077083C
    .text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 007707B6
    .text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 007705E4
    .text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0077045D
    .text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00770505
    .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A4083C
    .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00A407B6
    .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00A405E4
    .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A4045D
    .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00A40505
    .text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00DB083C
    .text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DB07B6
    .text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00DB05E4
    .text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00DB045D
    .text C:\WINDOWS\system32\spoolsv.exe[1096] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00DB0505
    .text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C
    .text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6
    .text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4
    .text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D
    .text C:\WINDOWS\system32\taskdir.exe[1248] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505
    .text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C
    .text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6
    .text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4
    .text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D
    .text C:\WINDOWS\system32\ad.exe[1896] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505
    .text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00E3083C
    .text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00E307B6
    .text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00E305E4
    .text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E3045D
    .text C:\WINDOWS\explorer.exe[1976] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00E30505
    .text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C
    .text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6
    .text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4
    .text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D
    .text C:\WINDOWS\gmer.exe[10692] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [FBFD36F8] wincom32.sys

    ---- Processes - GMER 1.0.12 ----

    Process C:\WINDOWS\system32\taskdir.exe (*** hidden *** ) 1248

    ---- Services - GMER 1.0.12 ----

    Service C:\WINDOWS\system32\wincom32.sys (*** hidden *** ) [AUTO] wincom32 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.12 ----

    File C:\WINDOWS\Prefetch\TASKDIR.EXE-02B5617A.pf
    File C:\WINDOWS\system32\adir.dll
    File C:\WINDOWS\system32\adirss.exe
    File C:\WINDOWS\system32\taskdir.exe
    File C:\WINDOWS\system32\wincom32.ini
    File C:\WINDOWS\system32\wincom32.sys <-- ROOTKIT !!!
    File C:\WINDOWS\system32\WindowsLogon.manifest

    ---- EOF - GMER 1.0.12 ----


    VideoAti0.sys GMER 1.0.12.12070 - http://www.gmer.net
    Rootkit scan 2007-02-26 15:38:06
    Windows 5.1.2600 Service Pack 2


    ---- Kernel code sections - GMER 1.0.12 ----

    PAGE ntoskrnl.exe!ZwQueryKey + 201 8056F674 6 Bytes PUSH FC8152D4; RET
    ? C:\WINDOWS\system32\drivers\Ntfs.sys Access denied.

    ---- Devices - GMER 1.0.12 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE FC814E94
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL FC815084
    Device \Driver\VideoAti0 \Device\VideoAti0 IRP_MJ_CREATE FC8144AC
    Device \Driver\VideoAti0 \Device\VideoAti0 IRP_MJ_CLOSE FC8144AC

    ---- Modules - GMER 1.0.12 ----

    Module \SystemRoot\System32\drivers\VideoAti0.sys (*** hidden *** ) FC814000

    ---- Files - GMER 1.0.12 ----

    File C:\WINDOWS\system32\drivers\VideoAti0.sys
    File C:\WINDOWS\system32\VideoAti0.dll
    File C:\WINDOWS\system32\VideoAti0.exe

    ---- EOF - GMER 1.0.12 ----


    RioDrvs.sys GMER 1.0.13.12482 - http://www.gmer.net
    Rootkit scan 2007-06-15 08:55:07
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.13 ----

    SSDT \WINDOWS\system32\ntkrnlpa.exe [805460D8] PUSH F7912914; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwClose
    SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460D8] ZwClose
    SSDT \WINDOWS\system32\ntkrnlpa.exe [805460EA] PUSH F79133AA; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwDeleteKey
    SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460EA] ZwDeleteKey
    SSDT \WINDOWS\system32\ntkrnlpa.exe [805460F0] PUSH F7913432; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwDeleteValueKey
    SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460F0] ZwDeleteValueKey
    SSDT \WINDOWS\system32\ntkrnlpa.exe [805460D2] PUSH F7912888; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwEnumerateKey
    SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460D2] ZwEnumerateKey
    SSDT \WINDOWS\system32\ntkrnlpa.exe [805460CC] PUSH F7913140; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwLoadDriver
    SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460CC] ZwLoadDriver
    SSDT \WINDOWS\system32\ntkrnlpa.exe [805460DE] PUSH F7912A40; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwQueryDirectoryFile
    SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460DE] ZwQueryDirectoryFile
    SSDT \WINDOWS\system32\ntkrnlpa.exe [805460E4] PUSH F7913320; RET \SystemRoot\System32\DRIVERS\riodrvs.sys ZwSaveKey
    SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [805460E4] ZwSaveKey

    ---- Processes - GMER 1.0.13 ----

    Library C:\WINDOWS\LINKINFO.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [1932] 0x10000000
    Library C:\WINDOWS\system32\linkinfo.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [1932] 0x76960000

    ---- Files - GMER 1.0.13 ----

    File C:\WINDOWS\linkinfo.dll
    File C:\WINDOWS\ServicePackFiles\i386\linkinfo.dll
    File C:\WINDOWS\system32\drivers\RioDrvs.sys <-- ROOTKIT !!!
    File C:\WINDOWS\system32\linkinfo.dll

    ---- Services - GMER 1.0.13 ----

    Service C:\WINDOWS\system32\DRIVERS\RioDrvs.sys [AUTO] RioDrvs <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.13 ----


    MBR rootkit/Mebroot/Sinowal GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-08-24 07:50:49
    Windows 5.1.2600 Service Pack 3


    ---- Disk sectors - GMER 1.0.14 ----

    Disk \Device\Harddisk0\DR0 sector 00: MBR rootkit code detected <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x25429800 size 0x2c4
    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

    ---- Kernel code sections - GMER 1.0.14 ----

    PAGE CLASSPNP.SYS!ClassInitialize + F4 F9A934B2 4 Bytes [ 7E, C8, 84, 81 ]
    PAGE CLASSPNP.SYS!ClassInitialize + FF F9A934BD 4 Bytes [ 28, 74, 84, 81 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 10A F9A934C8 4 Bytes [ 90, C8, 84, 81 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 111 F9A934CF 4 Bytes [ 84, C8, 84, 81 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 118 F9A934D6 4 Bytes [ 8A, C8, 84, 81 ]
    PAGE ...

    ---- User code sections - GMER 1.0.14 ----

    .text C:\WINDOWS\explorer.exe[1136] ADVAPI32.dll!CryptDestroyKey 77DDA544 7 Bytes JMP 00D52B9A
    .text C:\WINDOWS\explorer.exe[1136] ADVAPI32.dll!CryptDecrypt 77DDA7B1 7 Bytes JMP 00D52B57
    .text C:\WINDOWS\explorer.exe[1136] ADVAPI32.dll!CryptEncrypt 77DE1558 7 Bytes JMP 00D52B1B
    .text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!send 71A5428A 5 Bytes JMP 00D5298C
    .text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 00D52A7E
    .text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!recv 71A5615A 5 Bytes JMP 00D529C4
    .text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 00D529FC
    .text C:\WINDOWS\explorer.exe[1136] WS2_32.dll!closesocket 71A59639 5 Bytes JMP 00D52B00

    ---- Devices - GMER 1.0.14 ----

    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 855A1410
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 855A1410

    ---- Threads - GMER 1.0.14 ----

    Thread 4:796 855BBC80
    Thread 4:800 855A8D80
    Thread 4:804 85663DC0
    Thread 4:808 85594E00
    Thread 4:2856 855BBC80
    Thread 4:2860 855A8D80
    Thread 4:2864 85663DC0
    Thread 4:2868 85594E00

    ---- EOF - GMER 1.0.14 ----

    C:\>mbr.exe -t
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85938E90]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0x85938e90
    \Device\Harddisk0\DR0 -> ParseProcedure -> 0x8593fc20
    NDIS: Intel(R) 82566DM-2 Gigabit Network Connection -> SendCompleteHandler -> 0x8596e700
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x0100A757
    malicious code @ sector 0x0100A75A !
    PE file found in sector at 0x0100A770 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


    Tigger/Syzor GMER 1.0.15.14918 - http://www.gmer.net
    Rootkit scan 2009-01-12 15:18:21
    Windows 5.1.2600 Dodatek Service Pack 2


    ---- Kernel code sections - GMER 1.0.15 ----

    PAGEKD KDCOM.DLL!KdSendPacket F9F4D1B2 8 Bytes [FF, 35, 00, F0, 8F, 81, 9B, ...] {PUSH DWORD [0x818ff000]; WAIT ; RET }

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[1340] WININET.dll!HttpSendRequestA 771B76B8 1 Byte [55]
    .text C:\WINDOWS\Explorer.EXE[1340] WININET.dll!HttpSendRequestA 771B76B8 7 Bytes [55, FF, 25, 00, 00, F6, 00] {PUSH EBP; JMP [0xf60000]}
    .text C:\WINDOWS\Explorer.EXE[1340] WININET.dll!HttpSendRequestW 77201808 1 Byte [55]
    .text C:\WINDOWS\Explorer.EXE[1340] WININET.dll!HttpSendRequestW 77201808 7 Bytes [55, FF, 25, 00, 00, 1F, 01] {PUSH EBP; JMP [0x11f0000]}

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE F8B98880
    Device \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ F8B99E54
    Device \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ F8B99E54
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ F8B992DC
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE F8B9932E
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN F8B99FA0

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:300] F8B99EB4
    Thread System [4:1164] F8B99490
    Thread System [4:1740] F8B98988
    Thread System [4:1388] F8B9A022

    ---- EOF - GMER 1.0.15 ----


    TDSS GMER 1.0.15.15121 - http://www.gmer.net
    Rootkit scan 2009-10-03 13:54:24
    Windows 5.1.2600 Service Pack 2


    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74CB380]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdePort0 [F74BE9F2] atapi.sys[unknown section]
    Device \Driver\atapi \Device\Ide\IdePort1 [F74BE9F2] atapi.sys[unknown section]
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F74BE9F2] atapi.sys[unknown section]
    Device \Driver\atapi \Device\Ide\IdePort2 [F74BE9F2] atapi.sys[unknown section]
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F74BE9F2] atapi.sys[unknown section]
    Device \Driver\atapi \Device\Ide\IdePort3 [F74BE9F2] atapi.sys[unknown section]
    Device \Driver\atapi \Device\Ide\IdePort4 [F74BE9F2] atapi.sys[unknown section]
    Device \Driver\atapi \Device\Ide\IdePort5 [F74BE9F2] atapi.sys[unknown section]

    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\Device\Ide\IdePort5\kbwwiibi\kbwwiibi\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1736] 0x10000000

    ---- EOF - GMER 1.0.15 ----




    Copyright (c) GMER 2004 - 2009
     
  17. 2010/09/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please stop posting the very same GMER log over and over.
    I need MBRCheck log.
     
  18. 2010/09/08
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    That was three sections of GMER log due to its excessive length.
    -------------------------------------------------
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000035

    Kernel Drivers (total 105):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF89B7000 \WINDOWS\system32\KDCOM.DLL
    0xF88C7000 \WINDOWS\system32\BOOTVID.dll
    0xF8468000 ACPI.sys
    0xF89B9000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF8457000 pci.sys
    0xF84B7000 isapnp.sys
    0xF8A7F000 pciide.sys
    0xF8737000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF89BB000 intelide.sys
    0xF84C7000 MountMgr.sys
    0xF8438000 ftdisk.sys
    0xF89BD000 dmload.sys
    0xF8412000 dmio.sys
    0xF873F000 PartMgr.sys
    0xF84D7000 VolSnap.sys
    0xF83FA000 atapi.sys
    0xF84E7000 disk.sys
    0xF84F7000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF83DA000 fltmgr.sys
    0xF83C8000 sr.sys
    0xF83A4000 Fastfat.sys
    0xF838D000 KSecDD.sys
    0xF8360000 NDIS.sys
    0xF82F5000 timntr.sys
    0xF8507000 vvoice.sys
    0xF8293000 vpctcom.sys
    0xF81FF000 vmodem.sys
    0xF81E5000 Mup.sys
    0xF8517000 agp440.sys
    0xF875F000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF8179000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF8767000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF8156000 \SystemRoot\System32\DRIVERS\e100b325.sys
    0xF876F000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF8547000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF8777000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF8557000 \SystemRoot\System32\Drivers\AFS2K.SYS
    0xF877F000 \SystemRoot\system32\drivers\Afc.sys
    0xF8567000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF8577000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF8133000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF8587000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF8597000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF894B000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF811C000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF85A7000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF85B7000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF8787000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF810B000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF85C7000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF878F000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF8797000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF80DB000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF85D7000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF879F000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF89BF000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF807D000 \SystemRoot\System32\DRIVERS\update.sys
    0xF8963000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF85E7000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF89C1000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF85F7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF87A7000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF89C3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF8B0E000 \SystemRoot\System32\Drivers\Null.SYS
    0xF89C5000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7F9F000 \??\C:\WINDOWS\system32\drivers\SBREdrv.sys
    0xF87B7000 \SystemRoot\System32\drivers\vga.sys
    0xF7F8B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0xF89C7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF87BF000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF87C7000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF8993000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF7F58000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF7EFF000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF7EB1000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xF7E89000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF7E67000 \SystemRoot\System32\drivers\afd.sys
    0xF8627000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF7E3C000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xF7DCC000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF87CF000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF87D7000 \SystemRoot\System32\DRIVERS\usbprint.sys
    0xF87DF000 \SystemRoot\System32\DRIVERS\HPZius12.sys
    0xF81BD000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xF8647000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xF87E7000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xF81B9000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF8657000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF7D8C000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF89CB000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF81A1000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF87EF000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8B79000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF50000 \SystemRoot\System32\framebuf.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF7A80000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF774D000 \SystemRoot\System32\DRIVERS\srv.sys
    0xF8877000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
    0xF887F000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys
    0xF6D56000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugtdifod.sys
    0x7C900000 \WINDOWS\System32\ntdll.dll

    Processes (total 23):
    0 System Idle Process
    4 System
    528 C:\WINDOWS\System32\smss.exe
    580 csrss.exe
    604 C:\WINDOWS\System32\winlogon.exe
    648 C:\WINDOWS\System32\services.exe
    660 C:\WINDOWS\System32\lsass.exe
    816 C:\WINDOWS\System32\svchost.exe
    884 svchost.exe
    996 C:\Program Files\Windows Defender\MsMpEng.exe
    1076 C:\WINDOWS\System32\svchost.exe
    1128 svchost.exe
    1272 svchost.exe
    340 C:\WINDOWS\System32\ctfmon.exe
    844 C:\Program Files\FixCleaner\FixCleaner.exe
    284 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    3160 C:\WINDOWS\Explorer.EXE
    256 C:\Program Files\Internet Explorer\iexplore.exe
    2708 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    2828 C:\Program Files\Internet Explorer\iexplore.exe
    1588 C:\Program Files\Internet Explorer\iexplore.exe
    2820 C:\Program Files\Internet Explorer\iexplore.exe
    2392 C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4YQLPSLX\MBRCheck[1].exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: Maxtor6E040L0, Rev: NAR61HA0

    Size Device Name MBR Status
    --------------------------------------------
    38 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  19. 2010/09/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  20. 2010/09/09
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    2010/09/09 00:02:15.0234 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
    2010/09/09 00:02:15.0234 ================================================================================
    2010/09/09 00:02:15.0234 SystemInfo:
    2010/09/09 00:02:15.0234
    2010/09/09 00:02:15.0234 OS Version: 5.1.2600 ServicePack: 3.0
    2010/09/09 00:02:15.0234 Product type: Workstation
    2010/09/09 00:02:15.0234 ComputerName: HOME-KVJPCI4PIU
    2010/09/09 00:02:15.0234 UserName: Administrator
    2010/09/09 00:02:15.0234 Windows directory: C:\WINDOWS
    2010/09/09 00:02:15.0234 System windows directory: C:\WINDOWS
    2010/09/09 00:02:15.0234 Processor architecture: Intel x86
    2010/09/09 00:02:15.0234 Number of processors: 1
    2010/09/09 00:02:15.0234 Page size: 0x1000
    2010/09/09 00:02:15.0234 Boot type: Safe boot with network
    2010/09/09 00:02:15.0234 ================================================================================
    2010/09/09 00:02:15.0343 Initialize success
     
  21. 2010/09/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I need that log from normal mode, not safe mode.

    Also, delete your GMER file, download a fresh one, run it and post ONE, current log.
     
