rootkit.agent infection


rootkit.agent infection

Post by leafy_seadragon on Wed Jan 20, 2010 8:15 am

Hello:

First, thank you in advance for your help.

I got infected with the Security Tool malware, which Malwarebytes was able to remove, but it hasn't been able to touch rootkit.agent. The file itself is called kkaeuuth.sys, in the windows/system32/drivers directory.

My OS is Windows Vista. I've followed the prereqs from DrInferno, with the following exception: before I found this site and started those steps, I had run defogger and disabled CD emulation; it still remains disabled.

Here is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:34 AM, on 1/20/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Users\Sleepy_Dragon\Desktop\winlogon.scr

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 3378 bytes

Again, thank you for your assistance.

Pat


Re: rootkit.agent infection

Post by Belahzur on Wed Jan 20, 2010 6:11 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: rootkit.agent infection

Post by leafy_seadragon on Thu Jan 21, 2010 2:13 am

Malwarebytes' Anti-Malware 1.44
Database version: 3606
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

1/20/2010 6:06:30 PM
mbam-log-2010-01-20 (18-06-30).txt

Scan type: Quick Scan
Objects scanned: 102767
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\kkaeuuth.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Sleepy_Dragon\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Thank you,
Pat

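The MBAM log above has a fixed shape: a summary block of "<Category> Infected: N" counts, then one detail section per category with one detection per line written as "<path or key> (<detection name>) -> <action>." When a helper reviews many of these logs, the questions are always the same: did every item actually get removed in-session, which findings are kernel drivers (the kind that warrant a reboot and a re-scan, as with kkaeuuth.sys here), and does the summary agree with the entries pasted. The parser below is an added example written for this thread, not Malwarebytes' or the forum's code. The sample log is constructed from the two file detections posted above plus one constructed registry-key entry (the driver's service key, left at "Delete on reboot") so that the follow-up check has something to report; the "Delete on reboot" wording is assumed to match what MBAM 1.x prints for such items.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and triage what it reports.

Added example for this thread, not MBAM's own code. The layout assumed here
(summary counts, then a "<Category> Infected:" section per category, with one
"<target> (<name>) -> <action>." line per detection) follows the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the two file detections from the thread plus one constructed
# registry-key entry (the driver's service key) that MBAM could only schedule for
# deletion at reboot. Counts in the summary block match the entries below.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3606
Windows 6.0.6002 Service Pack 2

Scan type: Quick Scan
Objects scanned: 102767
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kkaeuuth (Rootkit.Agent) -> Delete on reboot.

Files Infected:
C:\Windows\system32\Drivers\kkaeuuth.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Sleepy_Dragon\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# "Files Infected: 2"  ->  category + count (summary block)
COUNT_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "<target> (<name>) -> <action>."  ->  one detection (detail block); greedy target
# so a path containing parentheses, e.g. "Program Files (x86)", parses correctly
DETECT_RE = re.compile(r"^(?P<target>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
CLEAN_ACTION = "Quarantined and deleted successfully"


@dataclass
class Detection:
    category: str   # e.g. "Files Infected"
    target: str     # file path or registry key
    name: str       # MBAM detection name, e.g. Rootkit.Agent
    action: str     # what MBAM did with it


@dataclass
class ScanReport:
    version: str = ""
    database: str = ""
    scan_type: str = ""
    objects_scanned: int = 0
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> ScanReport:
    report = ScanReport()
    section = None  # category whose detail block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.rsplit(" ", 1)[1]
        elif line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
        elif line.startswith("Scan type: "):
            report.scan_type = line.split(": ", 1)[1]
        elif line.startswith("Objects scanned: "):
            report.objects_scanned = int(line.split(": ", 1)[1])
        elif (m := COUNT_RE.match(line)):
            report.counts[m["cat"]] = int(m["n"])
        elif line.endswith(" Infected:"):
            section = line[:-1]
        elif section and (m := DETECT_RE.match(line)):
            # "(No malicious items detected)" never matches: it has no target before " ("
            report.detections.append(Detection(section, m["target"], m["name"], m["action"]))
    return report


def pending_items(report: ScanReport) -> List[Detection]:
    """Detections MBAM did not finish removing in-session: reboot and re-scan."""
    return [d for d in report.detections if d.action != CLEAN_ACTION]


def driver_detections(report: ScanReport) -> List[Detection]:
    """Detected kernel driver files (.sys): rootkit-class findings worth a post-reboot check."""
    return [d for d in report.detections
            if d.category == "Files Infected" and d.target.lower().endswith(".sys")]


def count_mismatches(report: ScanReport) -> Dict[str, Tuple[int, int]]:
    """Categories whose summary count disagrees with the entries present (e.g. a truncated paste)."""
    seen: Dict[str, int] = {}
    for d in report.detections:
        seen[d.category] = seen.get(d.category, 0) + 1
    return {cat: (n, seen.get(cat, 0)) for cat, n in report.counts.items() if n != seen.get(cat, 0)}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {rep.version}, database {rep.database}: {rep.scan_type}, {rep.objects_scanned} objects")
    for d in rep.detections:
        print(f"  [{d.category}] {d.name}: {d.target} -> {d.action}")
    for d in pending_items(rep):
        print(f"  FOLLOW-UP: {d.target} is still '{d.action}'; reboot and re-scan")
    for cat, (claimed, found) in count_mismatches(rep).items():
        print(f"  WARNING: {cat}: summary says {claimed}, log lists {found}")
```

The count check is the one that catches the most common helper-side problem: a log pasted in two halves, or with lines lost, so that "Files Infected: 2" is claimed but only one entry survives. The follow-up check separates what MBAM finished from what it only scheduled, which is exactly why the instructions above ask for an immediate restart when prompted.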

Re: rootkit.agent infection

Post by Belahzur on Thu Jan 21, 2010 11:45 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.





Re: rootkit.agent infection

Post by leafy_seadragon on Fri Jan 22, 2010 12:27 am

OTL logfile created on: 1/21/2010 4:14:46 PM - Run 1
OTL by OldTimer - Version 3.1.25.3 Folder = C:\Users\Sleepy_Dragon\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18865)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

990.00 Mb Total Physical Memory | 189.00 Mb Available Physical Memory | 19.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 54.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 67.82 Gb Total Space | 12.13 Gb Free Space | 17.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 7.74 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PATS-PC
Current User Name: Sleepy_Dragon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/21 16:13:09 | 00,547,840 | ---- | M] (OldTimer Tools) -- C:\Users\Sleepy_Dragon\Desktop\OTL.exe
PRC - [2010/01/11 15:21:52 | 00,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2009/12/26 13:48:54 | 02,335,952 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2009/11/29 16:34:49 | 00,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/11/20 19:01:18 | 00,832,296 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/04/10 22:28:08 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/24 16:04:32 | 00,028,672 | ---- | M] (Lenovo Group Limited) -- c:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/06/09 14:23:00 | 00,196,608 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2008/03/04 09:34:20 | 00,487,424 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
PRC - [2008/03/04 09:34:12 | 01,122,304 | ---- | M] (Lenovo Group Limited) -- c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
PRC - [2008/01/18 23:38:38 | 01,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/11/22 02:08:56 | 00,820,520 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/11/22 01:55:28 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2007/09/28 16:29:00 | 00,037,424 | ---- | M] (Lenovo.) -- C:\Windows\System32\TPHDEXLG.exe
PRC - [2007/09/28 13:28:40 | 00,181,544 | ---- | M] (Lenovo.) -- C:\Windows\System32\TpShocks.exe
PRC - [2007/08/09 11:03:38 | 02,630,968 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
PRC - [2007/08/09 10:45:36 | 00,722,232 | ---- | M] (IBM) -- C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
PRC - [2007/08/09 10:36:36 | 00,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007/07/09 12:40:30 | 01,282,048 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2007/07/05 15:49:18 | 00,128,296 | ---- | M] (Lenovo) -- C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
PRC - [2007/07/05 15:49:06 | 00,124,200 | ---- | M] (Lenovo) -- C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
PRC - [2007/07/05 15:48:58 | 00,419,112 | ---- | M] (Lenovo) -- C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
PRC - [2007/07/05 15:48:54 | 00,206,120 | ---- | M] (Lenovo) -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
PRC - [2007/07/05 15:48:50 | 00,091,432 | ---- | M] (Lenovo) -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
PRC - [2007/05/31 02:02:06 | 00,036,400 | ---- | M] (Lenovo) -- C:\Windows\System32\ibmpmsvc.exe
PRC - [2007/04/26 09:10:00 | 00,120,368 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
PRC - [2007/04/09 10:03:00 | 00,058,416 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
PRC - [2007/03/28 09:32:00 | 00,243,248 | ---- | M] (Lenovo Group Ltd.) -- C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
PRC - [2007/03/08 21:49:42 | 00,066,176 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2007/03/07 20:16:48 | 00,073,776 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2007/03/01 21:07:28 | 00,055,936 | ---- | M] () -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
PRC - [2007/02/05 14:44:24 | 00,069,632 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE
PRC - [2007/02/01 10:00:01 | 00,419,376 | ---- | M] (LENOVO) -- C:\Program Files\ThinkVantage\AMSG\Amsg.exe
PRC - [2007/01/29 19:05:02 | 00,108,080 | ---- | M] (Lenovo Group Limited) -- C:\Windows\System32\IPSSVC.EXE
PRC - [2007/01/08 20:03:26 | 00,569,344 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
PRC - [2007/01/08 20:01:46 | 00,950,272 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
PRC - [2007/01/08 19:49:46 | 00,022,016 | ---- | M] () -- C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
PRC - [2007/01/08 18:42:20 | 00,045,056 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
PRC - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/11/27 23:44:00 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe
PRC - [2006/11/15 16:21:56 | 00,217,176 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
PRC - [2006/11/15 16:20:46 | 00,634,988 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2006/11/07 02:51:40 | 00,091,688 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
PRC - [2006/11/03 18:02:14 | 00,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2006/09/05 23:39:10 | 00,091,688 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2003/11/18 17:20:46 | 00,045,056 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe


========== Modules (SafeList) ==========

MOD - [2010/01/21 16:13:09 | 00,547,840 | ---- | M] (OldTimer Tools) -- C:\Users\Sleepy_Dragon\Desktop\OTL.exe
MOD - [2009/04/10 22:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/03/24 16:04:32 | 00,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- c:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/06/09 14:23:00 | 00,196,608 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Windows\System32\nvvsvc.exe -- (nvsvc)
SRV - [2008/03/04 09:34:12 | 01,122,304 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2008/01/18 23:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/28 16:29:00 | 00,037,424 | ---- | M] (Lenovo.) [Auto | Running] -- C:\Windows\System32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2007/08/09 10:45:36 | 00,722,232 | ---- | M] (IBM) [Auto | Running] -- C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe -- (TSSCoreService)
SRV - [2007/08/09 10:36:36 | 00,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2007/07/05 15:48:54 | 00,206,120 | ---- | M] (Lenovo) [Auto | Running] -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe -- (AcSvc)
SRV - [2007/07/05 15:48:50 | 00,091,432 | ---- | M] (Lenovo) [Auto | Running] -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -- (AcPrfMgrSvc)
SRV - [2007/05/31 02:02:06 | 00,036,400 | ---- | M] (Lenovo) [Auto | Running] -- C:\Windows\System32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2007/05/30 08:26:26 | 00,073,728 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2007/04/22 13:01:18 | 00,880,640 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2007/03/01 21:07:28 | 00,055,936 | ---- | M] () [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2007/02/05 14:44:24 | 00,069,632 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)
SRV - [2007/01/29 19:05:02 | 00,108,080 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Windows\System32\IPSSVC.EXE -- (IPSSVC)
SRV - [2007/01/12 02:33:14 | 00,057,344 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2007/01/12 02:32:48 | 00,294,912 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)
SRV - [2007/01/08 20:03:26 | 00,569,344 | ---- | M] () [Auto | Running] -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
SRV - [2007/01/08 20:01:46 | 00,950,272 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2007/01/08 18:42:20 | 00,045,056 | ---- | M] () [Auto | Running] -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe -- (tvtnetwk)
SRV - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2007/01/03 17:40:21 | 00,136,120 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2006/11/27 23:44:00 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)
SRV - [2006/11/15 16:20:46 | 00,634,988 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/11/02 04:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/04/14 10:07:20 | 28,933,976 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2006/04/14 10:05:58 | 00,240,416 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2006/04/14 10:04:54 | 00,087,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005/10/14 03:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/04/10 20:46:08 | 00,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2008/06/09 14:23:00 | 07,522,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/03/05 17:43:32 | 00,223,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2008/01/18 23:42:12 | 00,045,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2007/12/25 12:18:14 | 00,033,536 | ---- | M] (Lenovo) [File_System | Auto | Running] -- C:\Windows\System32\drivers\tvtfilter.sys -- (tvtfilter)
DRV - [2007/11/22 02:08:58 | 00,181,168 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/11/15 12:30:48 | 00,034,064 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (npf)
DRV - [2007/10/15 20:29:28 | 00,737,280 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/10/04 16:14:44 | 00,348,160 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/09/28 16:29:00 | 00,103,472 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2007/09/28 16:28:00 | 00,019,504 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2007/09/05 09:07:00 | 00,012,080 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\TPPWR32V.SYS -- (TPPWRIF)
DRV - [2007/08/08 03:42:00 | 00,045,568 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/07/29 18:54:00 | 00,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/29 17:42:00 | 00,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/05/31 02:01:30 | 00,021,424 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2007/05/22 15:59:38 | 00,030,336 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tvti2c.sys -- (TVTI2C)
DRV - [2007/05/21 23:59:34 | 00,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\psadd.sys -- (psadd)
DRV - [2007/03/13 16:13:54 | 00,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2007/03/13 16:13:32 | 00,035,064 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/03/13 16:13:30 | 00,098,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/03/13 16:13:30 | 00,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/03/13 16:13:28 | 00,026,744 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/03/13 16:13:26 | 00,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/03/13 16:13:26 | 00,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/03/13 16:13:24 | 00,104,824 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/03/12 01:25:28 | 00,099,848 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2007/02/11 20:36:54 | 00,277,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/02/09 12:34:16 | 00,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/02/08 20:05:30 | 00,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\Windows\System32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/02/08 20:05:30 | 00,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\Windows\System32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/02/01 23:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/12/21 18:50:00 | 00,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/12/21 18:49:00 | 00,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/12/21 18:48:00 | 00,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/11/27 23:44:00 | 00,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/06 00:24:56 | 00,012,080 | ---- | M] (Lenovo Group Limited) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PROCDD.SYS -- (PROCDD)
DRV - [2006/11/02 01:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 01:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 01:51:34 | 00,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 01:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 01:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 01:51:25 | 00,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 01:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 01:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 01:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 01:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 01:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 01:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 01:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 01:50:19 | 00,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 01:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 01:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 01:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 01:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 01:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 01:50:10 | 00,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 01:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 01:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 01:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 01:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 01:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 01:50:05 | 00,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 01:50:05 | 00,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 01:50:04 | 00,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 01:50:03 | 00,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 01:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 01:49:56 | 00,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 01:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 01:49:30 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 01:49:28 | 00,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 01:49:20 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 00:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 00:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 00:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 00:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 00:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 00:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/01 23:41:49 | 00,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2006/11/01 23:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/01 23:30:54 | 00,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2006/11/01 23:30:53 | 00,167,936 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2006/11/01 22:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2006/10/18 18:10:57 | 01,380,864 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (ialm)
DRV - [2006/08/30 02:04:04 | 00,013,744 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\Windows\System32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2006/06/18 21:26:00 | 00,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mdmxsdk.sys -- (mdmxsdk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [You must be registered and logged in to see this link.] [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{15DB8CF7-42B9-450A-8153-E672319F135B}: C:\Users\Sleepy_Dragon\AppData\Local\{15DB8CF7-42B9-450A-8153-E672319F135B}\ [2010/01/04 08:32:31 | 00,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 13:41:30 | 00,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (CPwmIEBrowserHelper Object) - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (Lenovo)
O4 - HKLM..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (Lenovo)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe (LENOVO)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BTVLOGEX.DLL ()
O4 - HKLM..\Run: [cssauth] C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [EZEJMNAP] C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE (Lenovo Group Ltd.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe (lenovo)
O4 - HKLM..\Run: [LPManager] C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TpShocks] C:\Windows\System32\TpShocks.exe (Lenovo.)
O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe (Ulead Systems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - c:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: live.com ([onecare] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 216.162.205.9
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Sleepy_Dragon\Pictures\funny-pictures-deck-the-halls-with-barfed-up-holly.bmp
O24 - Desktop BackupWallPaper: C:\Users\Sleepy_Dragon\Pictures\funny-pictures-deck-the-halls-with-barfed-up-holly.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/21 16:13:09 | 00,547,840 | ---- | C] (OldTimer Tools) -- C:\Users\Sleepy_Dragon\Desktop\OTL.exe
[2010/01/20 16:48:51 | 00,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/01/19 23:57:59 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/01/19 23:51:52 | 00,157,696 | ---- | C] (The RaProducts Team: Paul McLain and Fred de Vries) -- C:\Users\Sleepy_Dragon\Desktop\JavaRa.exe
[2010/01/19 23:50:59 | 00,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/01/19 23:50:16 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deploytk.dll
[2010/01/19 23:50:15 | 00,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/01/19 23:50:15 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/01/19 23:50:15 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/01/19 19:06:42 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2010/01/19 18:23:16 | 00,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010/01/19 18:23:16 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/01/19 18:05:10 | 00,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/01/19 17:16:06 | 00,074,328 | ---- | C] (COMODO) -- C:\Windows\System32\drivers\inspect.sys
[2010/01/19 16:57:19 | 00,000,000 | ---D | C] -- C:\Program Files\COMODO
[2010/01/19 12:54:24 | 00,466,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\capicom.dll
[2010/01/19 12:01:50 | 00,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2010/01/19 11:39:19 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/01/19 11:39:18 | 00,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/01/19 11:39:18 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/01/19 11:39:18 | 00,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/01/19 11:39:18 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/01/19 11:39:18 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/01/19 11:39:17 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010/01/19 11:39:13 | 00,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010/01/19 11:39:13 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010/01/19 11:39:13 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/01/19 11:39:12 | 00,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/01/19 11:39:12 | 00,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/01/19 11:39:12 | 00,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010/01/19 11:39:11 | 01,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010/01/19 11:37:47 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2010/01/19 11:37:47 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2010/01/19 11:37:45 | 00,156,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2010/01/19 11:37:45 | 00,125,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2010/01/19 11:37:45 | 00,018,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\corpol.dll
[2010/01/19 11:37:44 | 00,348,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2010/01/19 11:37:44 | 00,216,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2010/01/19 11:37:44 | 00,094,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2010/01/19 11:37:44 | 00,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2010/01/19 11:37:44 | 00,034,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2010/01/19 11:37:43 | 00,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/01/19 11:37:43 | 00,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2010/01/19 11:37:43 | 00,208,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WinFXDocObj.exe
[2010/01/19 11:37:43 | 00,193,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2010/01/19 11:37:43 | 00,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2010/01/19 11:37:43 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2010/01/19 11:37:42 | 00,445,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2010/01/19 11:37:42 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\advpack.dll
[2010/01/19 11:37:42 | 00,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2010/01/19 11:37:41 | 00,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/01/19 11:37:40 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2010/01/19 11:37:38 | 00,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/01/19 11:37:38 | 00,169,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2010/01/19 11:37:37 | 03,698,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2010/01/19 11:37:37 | 00,107,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2010/01/19 11:37:37 | 00,103,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetDepNx.exe
[2010/01/19 11:37:36 | 00,109,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PDMSetup.exe
[2010/01/19 11:37:36 | 00,107,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2010/01/19 11:13:12 | 00,310,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\unregmp2.exe
[2010/01/19 11:13:09 | 08,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2010/01/19 11:11:47 | 00,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010/01/19 11:11:45 | 04,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010/01/18 23:33:57 | 00,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010/01/18 23:33:57 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/01/18 17:53:41 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/01/18 17:52:13 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/13 16:56:44 | 00,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2010/01/13 16:56:44 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010/01/12 16:37:52 | 00,000,000 | ---D | C] -- C:\Users\Sleepy_Dragon\AppData\Roaming\IObit
[2010/01/12 16:37:52 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/01/04 08:32:31 | 00,000,000 | ---D | C] -- C:\Users\Sleepy_Dragon\AppData\Local\{15DB8CF7-42B9-450A-8153-E672319F135B}
[2010/01/04 08:30:47 | 00,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2009/12/22 22:49:36 | 00,000,000 | ---D | C] -- C:\Users\Sleepy_Dragon\Desktop\Arch Enemy
[2009/12/22 22:45:56 | 00,000,000 | ---D | C] -- C:\Program Files\DVD Decrypter
[2009/12/22 22:44:19 | 00,000,000 | ---D | C] -- C:\Users\Sleepy_Dragon\AppData\Local\Geckofx
[2009/12/22 22:44:11 | 00,000,000 | ---D | C] -- C:\Users\Sleepy_Dragon\AppData\Roaming\Mozilla
[2009/08/07 17:59:33 | 00,174,080 | ---- | C] (VMware, Inc.) -- C:\Users\Sleepy_Dragon\AppData\Local\ejezosow.dll
[2007/12/25 11:40:14 | 00,167,936 | ---- | C] ( ) -- C:\Windows\System32\rsnp2uvc.dll
[2007/12/25 11:40:13 | 00,053,248 | ---- | C] ( ) -- C:\Windows\System32\csnp2uvc.dll

========== Files - Modified Within 30 Days ==========

[2010/01/21 16:20:08 | 00,000,434 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job
[2010/01/21 16:18:54 | 00,763,904 | ---- | M] () -- C:\Windows\System32\drivers\kkaeuuth.sys
[2010/01/21 16:14:34 | 03,407,872 | -HS- | M] () -- C:\Users\Sleepy_Dragon\ntuser.dat
[2010/01/21 16:13:09 | 00,547,840 | ---- | M] (OldTimer Tools) -- C:\Users\Sleepy_Dragon\Desktop\OTL.exe
[2010/01/21 16:11:06 | 00,650,720 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/01/21 16:11:05 | 00,769,132 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/01/21 16:11:05 | 00,122,562 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/01/21 16:06:03 | 00,057,879 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/01/21 16:04:59 | 00,057,879 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/01/21 16:04:49 | 00,000,386 | ---- | M] () -- C:\Windows\tasks\AWC Startup.job
[2010/01/21 16:03:54 | 00,025,269 | ---- | M] () -- C:\Windows\System32\PROCDB.INI
[2010/01/21 16:03:44 | 00,000,380 | ---- | M] () -- C:\Windows\System32\IPSCtrl.INI
[2010/01/21 16:03:40 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/01/21 16:03:40 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/01/21 16:03:39 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/01/21 16:03:25 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/01/20 23:53:30 | 00,524,288 | -HS- | M] () -- C:\Users\Sleepy_Dragon\ntuser.dat{e67ae08a-04ee-11df-98df-001e3786e153}.TMContainer00000000000000000001.regtrans-ms
[2010/01/20 23:53:30 | 00,065,536 | -HS- | M] () -- C:\Users\Sleepy_Dragon\ntuser.dat{e67ae08a-04ee-11df-98df-001e3786e153}.TM.blf
[2010/01/20 23:52:06 | 03,554,912 | -H-- | M] () -- C:\Users\Sleepy_Dragon\AppData\Local\IconCache.db
[2010/01/20 23:33:00 | 00,000,270 | ---- | M] () -- C:\Windows\tasks\Check Updates for Windows Live Toolbar.job
[2010/01/19 23:58:54 | 00,001,897 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/01/19 23:49:28 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deploytk.dll
[2010/01/19 23:49:28 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/01/19 23:49:28 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/01/19 23:49:28 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/01/19 21:52:19 | 00,524,288 | ---- | M] () -- C:\Users\Sleepy_Dragon\Desktop\dds.scr
[2010/01/19 21:50:12 | 00,000,000 | ---- | M] () -- C:\Users\Sleepy_Dragon\defogger_reenable
[2010/01/19 19:12:31 | 00,020,992 | ---- | M] () -- C:\Users\Sleepy_Dragon\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/19 18:47:20 | 00,001,356 | ---- | M] () -- C:\Users\Sleepy_Dragon\AppData\Local\d3d9caps.dat
[2010/01/19 18:27:10 | 00,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/01/19 18:20:39 | 00,206,336 | ---- | M] () -- C:\Windows\System32\drivers\sfi.dat
[2010/01/19 17:16:02 | 00,074,328 | ---- | M] (COMODO) -- C:\Windows\System32\drivers\inspect.sys
[2010/01/19 17:05:35 | 00,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/01/19 10:45:38 | 00,056,863 | ---- | M] () -- C:\Users\Sleepy_Dragon\AppData\Roaming\nvModes.001
[2010/01/19 03:38:58 | 00,524,288 | -HS- | M] () -- C:\Users\Sleepy_Dragon\ntuser.dat{e67ae08a-04ee-11df-98df-001e3786e153}.TMContainer00000000000000000002.regtrans-ms
[2010/01/19 01:56:07 | 00,524,288 | -HS- | M] () -- C:\Users\Sleepy_Dragon\ntuser.dat{c8a4be70-04dc-11df-ab6d-0015055d02ca}.TMContainer00000000000000000002.regtrans-ms
[2010/01/19 01:56:07 | 00,524,288 | -HS- | M] () -- C:\Users\Sleepy_Dragon\ntuser.dat{c8a4be70-04dc-11df-ab6d-0015055d02ca}.TMContainer00000000000000000001.regtrans-ms
[2010/01/19 01:56:07 | 00,065,536 | -HS- | M] () -- C:\Users\Sleepy_Dragon\ntuser.dat{c8a4be70-04dc-11df-ab6d-0015055d02ca}.TM.blf
[2010/01/18 21:09:44 | 00,000,828 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/18 19:29:30 | 00,422,256 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/01/18 19:27:12 | 00,524,288 | -HS- | M] () -- C:\Users\Sleepy_Dragon\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/01/18 19:27:12 | 00,065,536 | -HS- | M] () -- C:\Users\Sleepy_Dragon\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/01/18 17:19:07 | 00,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/01/15 16:20:08 | 00,056,863 | ---- | M] () -- C:\Users\Sleepy_Dragon\AppData\Roaming\nvModes.dat
[2010/01/14 11:12:06 | 00,181,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/01/12 16:37:59 | 00,001,024 | ---- | M] () -- C:\Users\Public\Desktop\Advanced SystemCare.lnk
[2010/01/12 16:37:59 | 00,000,143 | ---- | M] () -- C:\Users\Sleepy_Dragon\Desktop\IObit Freeware.url
[2010/01/07 21:51:48 | 00,000,872 | ---- | M] () -- C:\Users\Sleepy_Dragon\Desktop\ph.rtf
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/01/04 21:19:42 | 00,000,000 | -HS- | M] () -- C:\Windows\nvDrv.sy
[2010/01/04 08:32:34 | 00,000,000 | ---- | M] () -- C:\Users\Sleepy_Dragon\AppData\Local\Gximi.bin
[2010/01/04 08:32:33 | 00,000,120 | ---- | M] () -- C:\Users\Sleepy_Dragon\AppData\Local\Xsagimijigo.dat
[2010/01/01 22:52:36 | 00,000,347 | ---- | M] () -- C:\Windows\ulead32.ini
[2009/12/22 22:45:57 | 00,001,767 | ---- | M] () -- C:\Users\Sleepy_Dragon\Desktop\DVD Decrypter.lnk
[2009/12/22 22:43:46 | 00,002,013 | ---- | M] () -- C:\Users\Public\Desktop\Videora iPod nano Converter.lnk

========== Files Created - No Company Name ==========

[2010/01/19 23:58:54 | 00,001,897 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/01/19 23:51:52 | 00,245,103 | ---- | C] () -- C:\Users\Sleepy_Dragon\Desktop\JavaRa.def
[2010/01/19 21:52:19 | 00,524,288 | ---- | C] () -- C:\Users\Sleepy_Dragon\Desktop\dds.scr
[2010/01/19 21:50:12 | 00,000,000 | ---- | C] () -- C:\Users\Sleepy_Dragon\defogger_reenable
[2010/01/19 17:03:22 | 00,206,336 | ---- | C] () -- C:\Windows\System32\drivers\sfi.dat
[2010/01/19 12:29:14 | 00,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/01/19 11:39:13 | 00,057,667 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2010/01/19 11:37:17 | 00,057,879 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010/01/19 11:37:17 | 00,057,879 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/01/19 03:37:13 | 00,524,288 | -HS- | C] () -- C:\Users\Sleepy_Dragon\ntuser.dat{e67ae08a-04ee-11df-98df-001e3786e153}.TMContainer00000000000000000002.regtrans-ms
[2010/01/19 03:37:13 | 00,524,288 | -HS- | C] () -- C:\Users\Sleepy_Dragon\ntuser.dat{e67ae08a-04ee-11df-98df-001e3786e153}.TMContainer00000000000000000001.regtrans-ms
[2010/01/19 03:37:12 | 00,065,536 | -HS- | C] () -- C:\Users\Sleepy_Dragon\ntuser.dat{e67ae08a-04ee-11df-98df-001e3786e153}.TM.blf
[2010/01/19 01:56:07 | 00,524,288 | -HS- | C] () -- C:\Users\Sleepy_Dragon\ntuser.dat{c8a4be70-04dc-11df-ab6d-0015055d02ca}.TMContainer00000000000000000002.regtrans-ms
[2010/01/19 01:56:07 | 00,524,288 | -HS- | C] () -- C:\Users\Sleepy_Dragon\ntuser.dat{c8a4be70-04dc-11df-ab6d-0015055d02ca}.TMContainer00000000000000000001.regtrans-ms
[2010/01/19 01:56:07 | 00,065,536 | -HS- | C] () -- C:\Users\Sleepy_Dragon\ntuser.dat{c8a4be70-04dc-11df-ab6d-0015055d02ca}.TM.blf
[2010/01/12 16:38:07 | 00,000,386 | ---- | C] () -- C:\Windows\tasks\AWC Startup.job
[2010/01/12 16:37:59 | 00,001,024 | ---- | C] () -- C:\Users\Public\Desktop\Advanced SystemCare.lnk
[2010/01/12 16:37:59 | 00,000,143 | ---- | C] () -- C:\Users\Sleepy_Dragon\Desktop\IObit Freeware.url
[2010/01/04 08:32:34 | 00,000,000 | ---- | C] () -- C:\Users\Sleepy_Dragon\AppData\Local\Gximi.bin
[2010/01/04 08:32:33 | 00,000,120 | ---- | C] () -- C:\Users\Sleepy_Dragon\AppData\Local\Xsagimijigo.dat
[2010/01/04 08:30:42 | 00,000,000 | -HS- | C] () -- C:\Windows\nvDrv.sy
[2010/01/04 08:30:34 | 00,763,904 | ---- | C] () -- C:\Windows\System32\drivers\kkaeuuth.sys
[2009/12/22 22:45:57 | 00,001,767 | ---- | C] () -- C:\Users\Sleepy_Dragon\Desktop\DVD Decrypter.lnk
[2009/12/22 02:54:48 | 00,000,510 | ---- | C] () -- C:\Windows\wordpad.INI
[2009/11/29 16:37:31 | 00,000,048 | ---- | C] () -- C:\Windows\cdplayer.ini
[2009/10/08 01:01:47 | 00,000,152 | ---- | C] () -- C:\Windows\System32\sysplog2.dll
[2009/10/08 01:01:35 | 00,000,152 | ---- | C] () -- C:\Windows\System32\sysplog.dll
[2009/08/07 17:59:34 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/01/29 04:30:45 | 00,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
[2008/02/18 09:22:06 | 00,000,071 | ---- | C] () -- C:\Windows\pex.INI
[2008/02/18 09:06:39 | 00,000,347 | ---- | C] () -- C:\Windows\ulead32.ini
[2008/01/15 20:37:38 | 00,056,863 | ---- | C] () -- C:\Users\Sleepy_Dragon\AppData\Roaming\nvModes.001
[2008/01/15 07:22:11 | 00,056,863 | ---- | C] () -- C:\Users\Sleepy_Dragon\AppData\Roaming\nvModes.dat
[2008/01/03 02:47:12 | 00,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008/01/03 02:47:12 | 00,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2008/01/02 22:47:48 | 00,020,992 | ---- | C] () -- C:\Users\Sleepy_Dragon\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/02 09:52:24 | 00,001,356 | ---- | C] () -- C:\Users\Sleepy_Dragon\AppData\Local\d3d9caps.dat
[2007/12/25 12:04:31 | 00,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2007/12/25 12:04:31 | 00,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2007/12/25 12:04:31 | 00,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2007/12/25 12:04:31 | 00,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2007/12/25 12:04:31 | 00,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2007/12/25 12:04:31 | 00,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2007/12/25 12:02:13 | 00,056,056 | ---- | C] () -- C:\Windows\System32\DLAAPI_W.DLL
[2007/12/25 12:02:11 | 00,000,120 | ---- | C] () -- C:\Windows\wininit.ini
[2007/12/25 11:56:31 | 02,115,816 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2007/12/25 11:40:14 | 09,598,080 | ---- | C] () -- C:\Windows\System32\drivers\snp2uvc.sys
[2007/12/25 11:40:14 | 00,015,497 | ---- | C] () -- C:\Windows\snp2uvc.ini
[2007/12/25 11:34:22 | 00,012,080 | ---- | C] () -- C:\Windows\System32\drivers\TPPWR32V.SYS
[2007/08/14 23:51:29 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/08/03 05:14:30 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2007/07/26 22:37:40 | 00,025,269 | ---- | C] () -- C:\Windows\System32\PROCDB.INI
[2007/07/26 22:37:29 | 00,000,380 | ---- | C] () -- C:\Windows\System32\IPSCtrl.INI
[2006/12/13 23:01:36 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/12/13 23:01:36 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/11/02 04:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:25:21 | 00,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/01 23:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/05 14:20:36 | 00,079,400 | ---- | C] () -- C:\Windows\System32\DEVMAN.DLL
[2006/04/22 15:00:10 | 00,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 489 bytes -> C:\ProgramData\TEMP:05EE1EEF
< End of report >

(end otl.txt log)

leafy_seadragon

Re: rootkit.agent infection

Post by leafy_seadragon on Fri Jan 22, 2010 12:29 am

OTL Extras logfile created on: 1/21/2010 4:14:46 PM - Run 1
OTL by OldTimer - Version 3.1.25.3 Folder = C:\Users\Sleepy_Dragon\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18865)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

990.00 Mb Total Physical Memory | 189.00 Mb Available Physical Memory | 19.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 54.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 67.82 Gb Total Space | 12.13 Gb Free Space | 17.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 7.74 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PATS-PC
Current User Name: Sleepy_Dragon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{A3C19746-D191-488A-9AD6-0A20C4F4CFEB}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{157CB249-4E0D-415B-8C8C-6CDD02DA7E42}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{1F1F1F14-E192-4E65-B6AB-EC26584BA747}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{C965047D-3BC2-4DDB-B889-3F5B2007E6D8}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{FCB49894-4DCC-493B-A0E8-EDCF9ED5EB2F}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"TCP Query User{12B8E86E-4D73-4B08-967F-E3FDB4E39DAA}C:\windows\sr882388.exe" = protocol=6 | dir=in | app=c:\windows\sr882388.exe |
"TCP Query User{390C35AC-AA71-4FE9-8D51-E45B46C7CBD9}C:\users\sleepy_dragon\appdata\roaming\macromedia\flash player\[You must be registered and logged in to see this link.] = protocol=6 | dir=in | app=c:\users\sleepy_dragon\appdata\roaming\macromedia\flash player\[You must be registered and logged in to see this link.] |
"TCP Query User{4DE3A48C-43B9-442D-B0A8-8B5FCF04B97C}C:\program files\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe |
"TCP Query User{C0499CE8-468B-4315-88F9-BA9BE16A1DE2}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{33A214C3-D50C-49DA-8327-10F2A8A538AB}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{3D0C7EDA-C5CA-4D7A-A808-19FD548591A8}C:\windows\sr882388.exe" = protocol=17 | dir=in | app=c:\windows\sr882388.exe |
"UDP Query User{459B104D-5477-4B7F-A652-DC32B194A06D}C:\program files\opera\opera.exe" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe |
"UDP Query User{C9D27ACE-9002-4334-A912-15A25624F49D}C:\users\sleepy_dragon\appdata\roaming\macromedia\flash player\[You must be registered and logged in to see this link.] = protocol=17 | dir=in | app=c:\users\sleepy_dragon\appdata\roaming\macromedia\flash player\[You must be registered and logged in to see this link.] |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0F4EFCE8-E358-4430-A504-F55F32BA1816}" = Client Security Solution
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Drag-to-Disc
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = Integrated Camera
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AB5764A-3894-49A2-BAA8-C4665F74CD4C}" = Registry patch to improve USB device detection on resume from sleep for Windows Vista
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}" = Microsoft SQL Server Native Client
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
"{65706020-7B6F-41F2-8047-FC69579E386A}" = Presentation Director
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{690BE098-6D0D-493D-B079-BD7E8F81A141}" = Opera 10.10
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{786547F9-59BB-4FA3-B2D8-327FF1F14870}" = Adobe Flash Player 9 ActiveX
"{796E076A-82F7-4D49-98C8-DEC0C3BC733A}" = Diskeeper Home
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E4C16B8-8F76-4940-8505-98E93C00BF19}" = Rescue and Recovery
"{7EB114D8-207F-45AE-BABD-1669715F2630}" = ThinkVantage Access Connections
"{8485F313-4B62-42F3-ADD8-0DE34A4DDAEF}" = Thinkpad Wireless LAN Adapters Software (11a/b/g/n)
"{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{92AD5564-AFE0-4CED-B7D1-370896752872}" = ThinkPad Mobility Center Customization
"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Multimedia Center For Think Offerings
"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007
"{B334D9AE-1393-423E-97C0-3BDC3360E692}" = Sonic Icons for Lenovo
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}" = Microsoft SQL Server VSS Writer
"{C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}" = Windows Live Toolbar
"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}" = ThinkVantage Productivity Center
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D271DAE0-8D68-4C97-8356-A126D48A1D8C}" = Ulead Photo Explorer 8.0 SE Basic
"{D728E945-256D-4477-B377-6BBA693714AC}" = Productivity Center Supplement for ThinkPad
"{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}" = ThinkPad Power Manager
"{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers
"{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}" = Message Center
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F705E3E1-A471-426B-9A09-73429F3418EE}" = System Migration Assistant
"1A96FF9D9E5F19776E6749D8F6557FCC437EB294" = Windows Driver Package - Ricoh Company MS Host Controller (07/30/2007 6.00.01.11)
"1B609D7E6D10BAF8F2B5CB6A0A89867EF7F61A3E" = Windows Driver Package - Intel (e1express) Net (04/26/2007 9.7.240.0)
"2B6D818F3939804B01D509A4234EFE979CAAADCA" = Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
"33B90F7893A16FA92E149B05C5B46C501B4202CD" = Windows Driver Package - Lenovo (IBMPMDRV) System (05/31/2007 1.43)
"38884E3EBEF76FE8FCF8DF8349FE73E84B85632C" = Windows Driver Package - Ricoh Company MMC Host Controller (08/08/2007 6.00.03.02)
"38C8E8384B1D0355BE6B7A0EE5ACD9EA7122E268" = Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
"4CF15B23EAB3D8AAA1E32F8ED986D8811D81835D" = Windows Driver Package - Intel System (09/15/2006 8.0.0.1008)
"530B366ABB8F4E0087E6FB2DE3609611DF9D8D27" = Windows Driver Package - Intel USB (09/15/2006 8.0.0.1008)
"5B35493BBF3623E997EADC90AFF8AA66DF7A114F" = Windows Driver Package - Intel System (09/15/2006 8.2.0.1000)
"67CCAA793684CADDDCD55BAD807632E611CA05D2" = Windows Driver Package - Intel (iaStor) hdc (02/12/2007 7.0.0.1020)
"778DAA8FB0D52FC214BC306BBDC33E26ACAB6F44" = Windows Driver Package - Ricoh Company xD Host Controller (07/30/2007 6.00.01.13)
"787E3A824531CE2DB2180F5CFAD00B052D0E389E" = Windows Driver Package - Intel System (09/15/2006 8.0.0.1010)
"7-Zip" = 7-Zip 4.57
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"AviSynth" = AviSynth 2.5
"AwayTask" = Maintenance Manager
"Business Contact Manager for Outlook 2007" = Business Contact Manager for Outlook 2007
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"Dipmon" = Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Decrypter" = DVD Decrypter (Remove Only)
"E40782D0B0D2A7F661A275F639A54DDA57386FB8" = Windows Driver Package - Intel hdc (12/06/2006 6.8.0.3002)
"E6CEFD9A59425A2A27E92572AB367B28C371D3D8" = Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
"FPIRPOn" = Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
"Fraps" = Fraps
"Free DVD MP3 Ripper_is1" = Free DVD MP3 Ripper 1.12
"Lenovo Registration" = Lenovo Registration
"LENOVO.SMIIF" = Lenovo System Interface Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"NVIDIA Drivers" = NVIDIA Drivers
"OnScreenDisplay" = On Screen Display
"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows
"Picasa2" = Picasa 2
"Power Management Driver" = ThinkPad Power Management Driver
"PROHYBRIDR" = 2007 Microsoft Office system
"PROSet" = Intel(R) PRO Network Connections Drivers
"RealPlayer 12.0" = RealPlayer
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"Unofficial Oblivion Patch_is1" = Unofficial Oblivion Patch v3.2.0
"USBPMon" = Registry patch for Windows Vista USB S3 PM Enablement
"Windows Live Toolbar" = Windows Live Toolbar
"Xvid_is1" = Xvid 1.1.3 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/31/2009 7:09:44 PM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 11/1/2009 8:55:35 PM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 11/2/2009 2:41:43 PM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 11/3/2009 3:48:13 PM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 11/4/2009 1:59:09 AM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 11/4/2009 3:56:46 AM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 11/4/2009 7:54:54 PM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 11/4/2009 8:09:40 PM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 11/5/2009 2:47:46 AM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

Error - 11/5/2009 12:32:47 PM | Computer Name = Pats-PC | Source = MSSQL$MSSMLBIZ | ID = 9003
Description = The log scan number (208:392:1) passed to log scan in database 'master'
is not valid. This error may indicate data corruption or that the log file (.ldf)
does not match the data file (.mdf). If this error occurred during replication,
re-create the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

[ System Events ]
Error - 1/20/2010 10:12:48 PM | Computer Name = Pats-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 1/20/2010 10:13:24 PM | Computer Name = Pats-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 1/21/2010 3:52:40 AM | Computer Name = Pats-PC | Source = DCOM | ID = 10010
Description =

Error - 1/21/2010 8:02:53 PM | Computer Name = Pats-PC | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 1/21/2010 8:03:05 PM | Computer Name = Pats-PC | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 1/21/2010 8:03:48 PM | Computer Name = Pats-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 1/21/2010 8:03:48 PM | Computer Name = Pats-PC | Source = Service Control Manager | ID = 7024
Description =

Error - 1/21/2010 8:06:31 PM | Computer Name = Pats-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 1/21/2010 8:07:01 PM | Computer Name = Pats-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 1/21/2010 8:16:54 PM | Computer Name = Pats-PC | Source = Schannel | ID = 36874
Description = An SSL connection request was received from a remote client application,
but none of the cipher suites supported by the client application are supported
by the server. The SSL connection request has failed.


< End of report >

Thank-you,
Pat

leafy_seadragon
Novice

Posts : 16
Joined : 2010-01-20
OS : Windows Vista
Points : 25348
Likes : 0

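Two parts of the OTL Extras log above are the ones a helper would look at first during triage: the Security Center settings, where "DisableMonitoring" = 1 tells Windows Security Center not to raise alerts for that component (legitimate AV suites such as the Symantec entries here set this too, so it is a check, not a verdict), and the firewall exception lists, where an inbound rule for c:\windows\sr882388.exe sits next to rules for iTunes, Opera and Internet Explorer. An executable placed directly in %SystemRoot% rather than under Program Files or System32 is worth identifying; the log alone does not say what it is. The Python below is an added example, not part of this thread or of OTL itself: it parses a few lines copied from the log above (embedded as a constructed sample) and reports those two conditions. The "trusted" directory prefixes and the location heuristic are the example's own assumptions, not a classification OTL performs.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied from the OTL Extras log
# posted above, so the parser can be run offline against something realistic.
SAMPLE_LOG = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"FirewallOverride" = 0

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{157CB249-4E0D-415B-8C8C-6CDD02DA7E42}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"TCP Query User{12B8E86E-4D73-4B08-967F-E3FDB4E39DAA}C:\windows\sr882388.exe" = protocol=6 | dir=in | app=c:\windows\sr882388.exe |
"TCP Query User{C0499CE8-468B-4315-88F9-BA9BE16A1DE2}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{3D0C7EDA-C5CA-4D7A-A808-19FD548591A8}C:\windows\sr882388.exe" = protocol=17 | dir=in | app=c:\windows\sr882388.exe |
"""

SECTION_RE = re.compile(r'^=+ (?P<title>.+?) =+$')
KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')

# Assumption of this example: parent directories where a desktop application's
# inbound firewall rule is expected to point. Anything else gets a closer look.
TRUSTED_PREFIXES = ('c:\\program files\\', 'c:\\program files (x86)\\', 'c:\\windows\\system32\\')


def parse_otl_extras(text):
    """Group every '"name" = value' line by OTL section, remembering the registry key it sits under."""
    sections = defaultdict(list)
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section, key = m.group('title'), None
        elif (m := KEY_RE.match(line)):
            key = m.group('key')
        elif section and (m := VALUE_RE.match(line)):
            sections[section].append((key, m.group('name'), m.group('value').strip()))
    return sections


def parse_rule(value):
    """Split an OTL firewall rule value 'protocol=6 | dir=in | app=... |' into a dict."""
    fields = {}
    for part in value.split('|'):
        if '=' in part:
            k, v = part.split('=', 1)
            fields[k.strip().lower()] = v.strip()
    return fields


def app_location_flag(app):
    """Return a short reason if the executable lives somewhere unusual, else None (heuristic only)."""
    path = app.lower()
    if path.startswith(TRUSTED_PREFIXES):
        return None
    parent = path.rsplit('\\', 1)[0] + '\\'
    if parent == 'c:\\windows\\':
        return 'executable directly in %SystemRoot%'
    if path.startswith('c:\\users\\') or '\\appdata\\' in path:
        return 'executable under a user profile'
    return 'executable outside Program Files / System32'


def triage(text):
    """Return (severity, detail) findings: suppressed Security Center monitoring and
    firewall exceptions for executables in unusual locations (deduplicated per executable)."""
    findings = []
    sections = parse_otl_extras(text)
    for key, name, value in sections.get('Security Center Settings', []):
        if name == 'DisableMonitoring' and value == '1':
            findings.append(('warn', f'{key}: DisableMonitoring=1 (Security Center alerts suppressed for this component)'))
        elif name.endswith('Override') and value != '0':
            findings.append(('warn', f'{key}: {name}={value}'))
    seen = set()
    for title in ('Vista Active Application Exception List', 'Vista Active Open Ports Exception List'):
        for _key, _name, value in sections.get(title, []):
            rule = parse_rule(value)
            app = rule.get('app', '')
            reason = app_location_flag(app) if app else None
            if reason and app.lower() not in seen:
                seen.add(app.lower())
                findings.append(('review', f'{rule.get("dir", "?")}bound rule for {app} ({reason})'))
    return findings


if __name__ == '__main__':
    for severity, detail in triage(SAMPLE_LOG):
        print(f'[{severity}] {detail}')
```

On the sample this reports the DisableMonitoring entry and a single "review" line for c:\windows\sr882388.exe; the iTunes and Internet Explorer rules pass the location check. A flagged path is a starting point for the usual next steps (hash lookup, digital signature, creation time against the rest of the log), not a removal decision.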

Re: rootkit.agent infection

Post by Belahzur on Sat Jan 23, 2010 1:51 am

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\drivers\kkaeuuth.sys
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1


Re: rootkit.agent infection

Post by leafy_seadragon on Sat Jan 23, 2010 1:59 am

When trying to browse to the file, I get "a device attached to the system is not functioning".

When just pasting in the location, I get ""C:\WINDOWS\system32\drivers\kkaeuuth.sys" specified one or more files which could not be found".

Pat

leafy_seadragon
Novice

Posts : 16
Joined : 2010-01-20
OS : Windows Vista
Points : 25348
Likes : 0


Re: rootkit.agent infection

Post by Belahzur on Sat Jan 23, 2010 2:03 am

Hello.
We're gonna need to go deeper.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.



Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1


Re: rootkit.agent infection

Post by leafy_seadragon on Sat Jan 23, 2010 4:46 am

OK, below is the ComboFix log. If it's important to know, I had to reboot after it finished, because none of my browsers would work, something about trying to access a registry marked for deletion. Obviously, I can browse again now. ;-p

ComboFix 10-01-21.08 - Sleepy_Dragon 01/22/2010 20:22:36.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.990.320 [GMT -8:00]
Running from: c:\users\Sleepy_Dragon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\WinPCap\rpcapd.exe
c:\users\Sleepy_Dragon\AppData\Local\{15DB8CF7-42B9-450A-8153-E672319F135B}\chrome.manifest
c:\users\Sleepy_Dragon\AppData\Local\{15DB8CF7-42B9-450A-8153-E672319F135B}\chrome\content\_cfg.js
c:\users\Sleepy_Dragon\AppData\Local\{15DB8CF7-42B9-450A-8153-E672319F135B}\chrome\content\overlay.xul
c:\users\Sleepy_Dragon\AppData\Local\{15DB8CF7-42B9-450A-8153-E672319F135B}\install.rdf
c:\windows\nvDrv.sy
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-23 04:33 . 2010-01-23 04:33 -------- d-----w- c:\users\Sleepy_Dragon\AppData\Local\temp
2010-01-23 04:33 . 2010-01-23 04:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-20 07:50 . 2010-01-20 07:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-20 02:23 . 2010-01-20 02:48 -------- d-----w- c:\programdata\Alwil Software
2010-01-20 02:23 . 2010-01-20 02:23 -------- d-----w- c:\program files\Alwil Software
2010-01-20 02:05 . 2010-01-20 02:49 -------- d-----w- c:\program files\Sophos
2010-01-20 01:16 . 2010-01-20 01:16 74328 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-01-20 01:03 . 2010-01-20 02:20 206336 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-01-20 00:57 . 2010-01-20 02:29 -------- d-----w- c:\program files\COMODO
2010-01-19 20:01 . 2010-01-19 20:01 -------- d-----w- c:\programdata\NVIDIA
2010-01-19 19:13 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-01-19 19:13 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-19 19:11 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-19 19:11 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-19 07:33 . 2010-01-19 07:33 -------- d-----w- c:\programdata\Avira
2010-01-19 07:33 . 2010-01-19 07:33 -------- d-----w- c:\program files\Avira
2010-01-19 01:53 . 2010-01-19 01:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-19 01:52 . 2010-01-20 03:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-14 00:56 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-14 00:56 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 00:37 . 2010-01-13 00:58 -------- d-----w- c:\users\Sleepy_Dragon\AppData\Roaming\IObit
2010-01-13 00:37 . 2010-01-13 00:37 -------- d-----w- c:\program files\IObit
2010-01-13 00:37 . 2009-11-05 00:49 635664 ----a-w- c:\users\Sleepy_Dragon\AppData\Roaming\IObit\Common\TB_Helper.exe
2010-01-05 05:14 . 2010-01-12 08:17 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-04 16:32 . 2010-01-04 16:32 0 ----a-w- c:\users\Sleepy_Dragon\AppData\Local\Gximi.bin
2010-01-04 16:32 . 2010-01-04 16:32 120 ----a-w- c:\users\Sleepy_Dragon\AppData\Local\Xsagimijigo.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 04:13 . 2010-01-19 19:37 57879 ----a-w- c:\programdata\nvModes.dat
2010-01-20 07:58 . 2008-02-29 03:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-20 07:50 . 2007-12-25 20:05 -------- d-----w- c:\program files\Common Files\Java
2010-01-20 07:49 . 2007-12-25 20:05 -------- d-----w- c:\program files\Java
2010-01-20 05:41 . 2008-01-16 10:51 -------- d-----w- c:\programdata\Symantec
2010-01-20 03:19 . 2008-01-16 10:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-20 02:47 . 2008-01-02 17:52 1356 ----a-w- c:\users\Sleepy_Dragon\AppData\Local\d3d9caps.dat
2010-01-20 02:21 . 2008-01-11 13:12 -------- d-----w- c:\program files\DivX
2010-01-19 11:35 . 2007-12-25 19:57 -------- d-----w- c:\programdata\Lenovo
2010-01-19 05:09 . 2009-11-17 06:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 00:20 . 2008-01-15 15:22 56863 ----a-w- c:\users\Sleepy_Dragon\AppData\Roaming\nvModes.dat
2010-01-15 04:43 . 2008-01-04 10:40 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-14 19:12 . 2009-10-02 22:45 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 00:07 . 2009-11-17 06:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-11-17 06:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 11:02 . 2009-10-06 04:47 -------- d-----w- c:\program files\Chessimo
2010-01-02 06:38 . 2010-01-22 00:26 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 00:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 00:26 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 00:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-23 06:46 . 2009-12-23 06:45 -------- d-----w- c:\program files\DVD Decrypter
2009-12-23 06:43 . 2008-01-04 10:40 -------- d-----w- c:\program files\Red Kawa
2009-11-30 00:36 . 2008-05-05 00:33 -------- d-----w- c:\program files\Common Files\Real
2009-11-30 00:35 . 2009-11-30 00:35 -------- d-----w- c:\program files\Common Files\xing shared
2009-11-30 00:34 . 2009-11-30 00:34 -------- d-----w- c:\program files\real
2009-11-09 12:31 . 2009-12-09 17:21 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-09 17:21 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-09 17:21 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-03 06:02 . 2009-11-03 06:02 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-31 05:18 . 2009-10-31 05:18 195980 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 09:17 . 2009-11-26 01:04 2048 ----a-w- c:\windows\system32\tzres.dll
2007-12-25 19:01 . 2007-12-25 18:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-09-05 319488]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-09-05 214576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-22 820520]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-09-28 181544]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 28672]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-16 217176]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-19 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-30 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-08 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-25 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):03,6e,02,45,29,25,ca,01

R0 TPDIGIMN;TPDIGIMN;c:\windows\System32\drivers\ApsHM86.sys [9/28/2007 4:28 PM 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\System32\drivers\smiif32.sys [2/18/2007 8:12 PM 13744]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [7/8/2007 10:23 PM 55936]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [1/8/2007 8:03 PM 569344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\System32\drivers\tvti2c.sys [5/22/2007 3:59 PM 30336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [11/2/2006 2:25 AM 167936]

--- Other Services/Drivers In Memory ---

*Deregistered* - kkaeuuth
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-01-13 21:48]

2010-01-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]

2010-01-23 c:\windows\Tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: live.com\onecare
TCP: {92C2EDA2-855B-455E-8175-D4C77FCCD1D0} = 216.162.192.12,216.162.192.4
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\Sleepy_Dragon\AppData\Roaming\Macromedia\Flash Player\[You must be registered and logged in to see this link.]



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-22 20:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\2D28.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\kkaeuuth]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2849236651-842032116-1033965791-1005\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:21,89,96,a3,5d,02,ca,00
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-22 20:37:10
ComboFix-quarantined-files.txt 2010-01-23 04:37

Pre-Run: 13,524,221,952 bytes free
Post-Run: 13,242,740,736 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,10,11
- - End Of File - - 7693ED812ED6628AC7C81D579BCDF860


Re: rootkit.agent infection

Post by Belahzur on Sat Jan 23, 2010 11:09 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KILLALL::

    Driver::
    kkaeuuth

    File::
    c:\users\Sleepy_Dragon\AppData\Local\Gximi.bin
    c:\users\Sleepy_Dragon\AppData\Local\Xsagimijigo.dat

    Registry::
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\kkaeuuth]

    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: rootkit.agent infection

Post by leafy_seadragon on Sun Jan 24, 2010 1:29 am

ComboFix 10-01-23.02 - Sleepy_Dragon 01/23/2010 16:59:15.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.990.296 [GMT -8:00]
Running from: c:\users\Sleepy_Dragon\Desktop\ComboFix.exe
Command switches used :: c:\users\Sleepy_Dragon\Desktop\CFScript.txt

FILE ::
"c:\users\Sleepy_Dragon\AppData\Local\Gximi.bin"
"c:\users\Sleepy_Dragon\AppData\Local\Xsagimijigo.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Sleepy_Dragon\AppData\Local\Gximi.bin
c:\users\Sleepy_Dragon\AppData\Local\Xsagimijigo.dat
c:\windows\Help\help
c:\windows\Help\help\en-US\Help.h1c
c:\windows\Help\help\en-US\Help.H1T
c:\windows\Help\help\en-US\Help_AssetId.H1K
c:\windows\Help\help\en-US\Help_BestBet.H1K
c:\windows\Help\help\en-US\Help_LinkTerm.H1K
c:\windows\Help\help\en-US\Help_SubjectTerm.H1K
c:\windows\Help\help\en-US\resources.H1S
c:\windows\Help\help\en-US\stopwrds.stp
c:\windows\Help\help\en-US\stylec.h1s

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KKAEUUTH
-------\Service_kkaeuuth


((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-24 01:11 . 2010-01-24 01:11 -------- d-----w- C:\A
2010-01-24 01:08 . 2010-01-24 01:12 -------- d-----w- c:\users\Sleepy_Dragon\AppData\Local\temp
2010-01-24 01:08 . 2010-01-24 01:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-20 07:50 . 2010-01-20 07:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-20 02:23 . 2010-01-20 02:48 -------- d-----w- c:\programdata\Alwil Software
2010-01-20 02:23 . 2010-01-20 02:23 -------- d-----w- c:\program files\Alwil Software
2010-01-20 02:05 . 2010-01-20 02:49 -------- d-----w- c:\program files\Sophos
2010-01-20 01:16 . 2010-01-20 01:16 74328 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-01-20 01:03 . 2010-01-20 02:20 206336 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-01-20 00:57 . 2010-01-20 02:29 -------- d-----w- c:\program files\COMODO
2010-01-19 20:01 . 2010-01-19 20:01 -------- d-----w- c:\programdata\NVIDIA
2010-01-19 19:13 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-01-19 19:13 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-19 19:11 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-19 19:11 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-19 07:33 . 2010-01-19 07:33 -------- d-----w- c:\programdata\Avira
2010-01-19 07:33 . 2010-01-19 07:33 -------- d-----w- c:\program files\Avira
2010-01-19 01:53 . 2010-01-19 01:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-19 01:52 . 2010-01-20 03:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-14 00:56 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-14 00:56 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 00:37 . 2010-01-13 00:58 -------- d-----w- c:\users\Sleepy_Dragon\AppData\Roaming\IObit
2010-01-13 00:37 . 2010-01-13 00:37 -------- d-----w- c:\program files\IObit
2010-01-04 16:30 . 2010-01-24 01:09 763904 ----a-w- c:\windows\system32\drivers\kkaeuuth.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 01:10 . 2010-01-19 19:37 57879 ----a-w- c:\programdata\nvModes.dat
2010-01-20 07:58 . 2008-02-29 03:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-20 07:50 . 2007-12-25 20:05 -------- d-----w- c:\program files\Common Files\Java
2010-01-20 07:49 . 2007-12-25 20:05 -------- d-----w- c:\program files\Java
2010-01-20 05:41 . 2008-01-16 10:51 -------- d-----w- c:\programdata\Symantec
2010-01-20 03:19 . 2008-01-16 10:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-20 02:47 . 2008-01-02 17:52 1356 ----a-w- c:\users\Sleepy_Dragon\AppData\Local\d3d9caps.dat
2010-01-20 02:21 . 2008-01-11 13:12 -------- d-----w- c:\program files\DivX
2010-01-19 11:35 . 2007-12-25 19:57 -------- d-----w- c:\programdata\Lenovo
2010-01-19 05:09 . 2009-11-17 06:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 00:20 . 2008-01-15 15:22 56863 ----a-w- c:\users\Sleepy_Dragon\AppData\Roaming\nvModes.dat
2010-01-15 04:43 . 2008-01-04 10:40 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-14 19:12 . 2009-10-02 22:45 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 08:17 . 2010-01-05 05:14 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 00:07 . 2009-11-17 06:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-11-17 06:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 11:02 . 2009-10-06 04:47 -------- d-----w- c:\program files\Chessimo
2010-01-02 06:38 . 2010-01-22 00:26 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 00:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 00:26 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 00:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-23 06:46 . 2009-12-23 06:45 -------- d-----w- c:\program files\DVD Decrypter
2009-12-23 06:43 . 2008-01-04 10:40 -------- d-----w- c:\program files\Red Kawa
2009-11-30 00:36 . 2008-05-05 00:33 -------- d-----w- c:\program files\Common Files\Real
2009-11-30 00:35 . 2009-11-30 00:35 -------- d-----w- c:\program files\Common Files\xing shared
2009-11-30 00:34 . 2009-11-30 00:34 -------- d-----w- c:\program files\real
2009-11-09 12:31 . 2009-12-09 17:21 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-09 17:21 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-09 17:21 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-05 00:49 . 2010-01-13 00:37 635664 ----a-w- c:\users\Sleepy_Dragon\AppData\Roaming\IObit\Common\TB_Helper.exe
2009-11-03 06:02 . 2009-11-03 06:02 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-31 05:18 . 2009-10-31 05:18 195980 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 09:17 . 2009-11-26 01:04 2048 ----a-w- c:\windows\system32\tzres.dll
2007-12-25 19:01 . 2007-12-25 18:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-09-05 319488]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-09-05 214576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-22 820520]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-09-28 181544]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 28672]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-16 217176]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-19 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-30 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-08 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-25 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):03,6e,02,45,29,25,ca,01

R0 TPDIGIMN;TPDIGIMN;c:\windows\System32\drivers\ApsHM86.sys [9/28/2007 4:28 PM 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\System32\drivers\smiif32.sys [2/18/2007 8:12 PM 13744]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\System32\drivers\tvti2c.sys [5/22/2007 3:59 PM 30336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [11/2/2006 2:25 AM 167936]
.
Contents of the 'Scheduled Tasks' folder

2010-01-24 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-01-13 21:48]

2010-01-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]

2010-01-24 c:\windows\Tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: live.com\onecare
TCP: {92C2EDA2-855B-455E-8175-D4C77FCCD1D0} = 216.162.192.12,216.162.192.4
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-23 17:11
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\2D28.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2849236651-842032116-1033965791-1005\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:21,89,96,a3,5d,02,ca,00
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1728)
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\LENOVO\HOTKEY\TPHKSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\TpShocks.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-01-23 17:22:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 01:22
ComboFix2.txt 2010-01-23 04:37

Pre-Run: 13,510,684,672 bytes free
Post-Run: 13,196,902,400 bytes free

- - End Of File - - 8E27EA715988B825245C980BA44A0C08


Re: rootkit.agent infection

Post by Belahzur on Sun Jan 24, 2010 1:34 am


  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight the following:

    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7

  • Click on the Uninstall/Change button at the top.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?





Re: rootkit.agent infection

Post by leafy_seadragon on Sun Jan 24, 2010 1:52 am

Ok, done.

I just ran a quick scan with MBAM and the rootkit.agent kkaeuuth.sys is still there.

Pat


Re: rootkit.agent infection

Post by Belahzur on Sun Jan 24, 2010 2:16 am

Looks like we got a dropper hiding somewhere.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.





Re: rootkit.agent infection

Post by leafy_seadragon on Sun Jan 24, 2010 2:28 am

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-23 18:28:15
Windows 6.0.6002 Service Pack 2
Running: 1wsqdvkk.exe; Driver: C:\Users\SLEEPY~1\AppData\Local\Temp\kwtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8A406340, 0x3E9407, 0xE8000020]
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\bmgrmode.dat 29 bytes
File C:\RRbackups\common\css.dat 8192 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\restore.log 110 bytes
File C:\RRbackups\common\rr.log 126511 bytes
File C:\RRbackups\common\rr_bcdenum.dat 3572 bytes
File C:\RRbackups\common\SAM 65536 bytes
File C:\RRbackups\common\secpolicy.dat 24576 bytes
File C:\RRbackups\common\settings.dat 32768 bytes
File C:\RRbackups\common\system.dat 12288 bytes
File C:\RRbackups\common\tvtcmn.dat 8192 bytes
File C:\RRbackups\common\tvtns.bin 23 bytes
File C:\RRbackups\common\usersids.dat 16640 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2849236651-842032116-1033965791-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2849236651-842032116-1033965791-500\a18ca4003deb042bbee7a40f15e1970b_99fd3083-5d6e-4542-a832-403d0623cc62 54 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect 0 bytes

---- EOF - GMER 1.0.15 ----


Re: rootkit.agent infection

Post by Belahzur on Sun Jan 24, 2010 2:34 am

Actually looking back, I saw that file but didn't list it for deletion. Ahahaha MBAM should have killed it, and it shouldn't come back this time.

Run another scan, see if it keeps showing up.



Re: rootkit.agent infection

Post by leafy_seadragon on Sun Jan 24, 2010 3:24 am

All clean! Thank you!

So at the moment, I've still got CD emulation disabled via defogger, and I've deleted all of the anti-spyware, anti-virus and malware programs I'd dl'd, except for MBAM.

Which programs would be best to reacquire, and when can I have defogger enable CD emulation, if at all? Anything else I should do?

Thank you,
Pat


Re: rootkit.agent infection

Post by Belahzur on Sun Jan 24, 2010 5:51 pm

You can turn the emulation drivers back on now.



Re: rootkit.agent infection

Post by leafy_seadragon on Mon Jan 25, 2010 12:41 am

Ok, done. Thank you!

Last question: which antivirus/spyware/malware programs would be best to download to keep running in the background?

Thank you,
Pat


Re: rootkit.agent infection

Post by Belahzur on Mon Jan 25, 2010 1:32 am

You aren't running antivirus software.

Please install Avira antivirus otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

MBAM is also a good program to keep.



Re: rootkit.agent infection

Post by leafy_seadragon on Mon Jan 25, 2010 11:00 pm

Hello:

I am having trouble with Antivir. Seems to be installed correctly, but whenever I attempt to run a full scan, it hangs at the 29% mark while reading files. I've left it alone for two hours, but no go. Then I have to unplug my PC in order to reboot twice to get my PC to work again, because the first reboot hangs too.

What should I be looking for to fix this?

Pat


Re: rootkit.agent infection

Post by Belahzur on Tue Jan 26, 2010 1:18 am

What file does it get stuck on?



Re: rootkit.agent infection

Post by leafy_seadragon on Tue Jan 26, 2010 1:35 am

I am not sure, it's just a series of numbers and letters in curly brackets.

Should I rerun it and note the name? (I may not be able to get the entire file name, when it sticks like that I can't stretch the windows wider to see the name)

Pat


Re: rootkit.agent infection

Post by Belahzur on Tue Jan 26, 2010 6:24 pm

Yes, please note me the name.



Re: rootkit.agent infection

Post by leafy_seadragon on Tue Jan 26, 2010 10:11 pm

Hello:

I just did two scans, with slightly different results.

The first, I had Opera running in the background, and when it got to the following file, my PC crashed:
c:\System Volume Information\{21a0b47f-09fd-11df-9a27-0015055d02ca}{3808876b-c176-4e48-b7ae-04046e6cc752}

The second scan, I had nothing running in the background, and was able to stop the scan without crashing when it hung:
c:\System Volume Information\{0a2e605a-0ac3-11df-9638-0015055d02ca}{3808876b-c176-4e48-b7ae-04046e6cc752}

Thank you,
Pat


Re: rootkit.agent infection

Post by Belahzur on Wed Jan 27, 2010 1:30 am

Just two system restore points.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.


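The same three steps (turn System Restore off to purge the old points that still hold copies of the infected files, turn it back on, then create a fresh known-good point) as an added PowerShell example, not code from this thread or from the forum's helpers; it assumes Windows PowerShell 2.0 on the Vista machine, an elevated prompt, and that C: is the only protected drive.

```powershell
# Added example (not from the thread): PowerShell equivalent of the
# "turn System Restore off, back on, then make a new point" steps above.
# Assumes Windows PowerShell 2.0 (Vista with WMF 2.0, or Windows 7),
# run from an elevated prompt; the drive letter C: is an assumption.
$drive = "C:\"

# Show what is there now. Every restore point keeps its own copy of files
# from the time it was made, which is why a scanner can still trip over an
# infected file under C:\System Volume Information after the live copy is gone.
Write-Host "Restore points before cleanup:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# Step 1: turning System Restore off discards all existing restore points.
Disable-ComputerRestore -Drive $drive

# Step 2: turn it back on so new points can be created.
Enable-ComputerRestore -Drive $drive

# Step 3: make a known-good point now that the machine scans clean.
$label = "Clean after malware removal"
Checkpoint-Computer -Description $label -RestorePointType "MODIFY_SETTINGS"

# Verify: exactly one restore point should remain, the one just created.
$points = @(Get-ComputerRestorePoint)
Write-Host "Restore points after cleanup:"
$points | Format-Table SequenceNumber, CreationTime, Description -AutoSize
if ($points.Count -ne 1 -or $points[0].Description -ne $label) {
    Write-Warning "Expected a single fresh restore point; check System Protection settings."
}
```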

Re: rootkit.agent infection

Post by leafy_seadragon on Wed Jan 27, 2010 7:04 am

Ok, done. That took care of the hanging and crashing. Now there's just this one bit which showed up at the end of AntiVir's log:

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.


End of the scan: Tuesday, January 26, 2010 22:13
Used time: 51:16 Minute(s)

The scan has been done completely.

24894 Scanned directories
381962 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
381961 Files not concerned
12878 Archives were scanned
1 Warnings
1 Notes
36529 Objects were scanned with rootkit scan
0 hidden objects were found

Is it something of concern?

Pat


Re: rootkit.agent infection

Post by Belahzur on Wed Jan 27, 2010 9:27 pm

No, the locked files are Windows files and locked for a reason.



Re: rootkit.agent infection

Post by leafy_seadragon on Thu Jan 28, 2010 1:11 am

Alright then! My PC is clean and happy! Thank you very much for your assistance. My donation is on its way.

Best wishes,
Pat

