Yet another link redirect infection

December 13, 2009 at 21:44:09
Specs: Windows Vista
Hello. I know there have been a few other recent (and yet unsolved) search result redirect infections and I am having the same issue.

I have run Malwarebytes Anti-Malware as well as SpybotSD and SUPERAntiSpyware which found minor cookie issues but now show clean reports. Following a similar thread, I follewed the process suggested by jabuck involving RSIT and GMER and will post logs below.

The malware does not block me from anti-spyware sites and I did not have to rename any of the executables to be able to install the scanners. It redirects in (at least) yahoo and google. Many thanks in advance for your assistance...it has been a long day of trying.


See More: Yet another link redirect infection

Report •


#1
December 13, 2009 at 21:52:17

info.txt logfile of random's system information tool 1.06 2009-12-13 18:13:22

======Uninstall list======

Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player-->C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
AnswerWorks 5.0 English Runtime-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}\setup.exe" -l0x9 -uninst -removeonly
Apple Mobile Device Support-->MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
BlackBerry Desktop Software 4.7-->MsiExec.exe /i{9833D727-8FF5-40AE-A193-525747555FF1}
BlackBerry Desktop Software 4.7-->MsiExec.exe /I{9833D727-8FF5-40AE-A193-525747555FF1}
BlackBerry® Media Sync-->MsiExec.exe /X{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}
Broadcom Management Programs-->MsiExec.exe /I{C99C0593-3B48-41D9-B42F-6E035B320449}
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Conexant HDA D330 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000fz.inf
Dell Touchpad-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
iTunes-->MsiExec.exe /I{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LiveUpdate 3.2 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes Anti-Malware\unins000.exe"
MediaDirect-->C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0009 -cluninstall
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
OPSWAT AntiVirus and Firewall Integration Libraries-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\Progra~1\F5\OPSWAT_\AVSDK\AVDLLs\f5opswati.inf,DefaultUninstall
OutlookAddinSetup-->MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
Picaboo 2.0.325-->MsiExec.exe /I{FAE5A9E4-CFD5-4ABE-B0D7-AA09AC3747BB}
Product Documentation Launcher-->MsiExec.exe /I{89CEAE14-DD0F-448E-9554-15781EC9DB24}
QuickSet-->MsiExec.exe /I{0F95AA42-0FF6-4D48-9CA1-64C8D0777500}
QuickTime-->MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave-->C:\Windows\System32\Macromed\SHOCKW~2\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~2\Install.log
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus-->MsiExec.exe /I{7C9E6E52-EB11-44DB-A761-82D5D873A8D9}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
User's Guides-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: Symantec AntiVirus
AS: Symantec AntiVirus
AS: Windows Defender (outdated)
AS: SUPERAntiSpyware (disabled)

======System event log======

Computer Name: TUNDRA
Event Code: 10005
Message: DCOM got error "1068" attempting to start the service Symantec AntiVirus with arguments "" in order to run the server:
{98694799-6891-4FD7-A91D-FB43B78AEC8C}
Record Number: 133538
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20091214015554.000000-000
Event Type: Error
User:

Computer Name: TUNDRA
Event Code: 10005
Message: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
Record Number: 133539
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20091214015609.000000-000
Event Type: Error
User:

Computer Name: TUNDRA
Event Code: 10005
Message: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{9E175B68-F52A-11D8-B9A5-505054503030}
Record Number: 133540
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20091214020000.000000-000
Event Type: Error
User:

Computer Name: TUNDRA
Event Code: 1003
Message:
Record Number: 133652
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20091214020927.000000-000
Event Type: Warning
User:

Computer Name: TUNDRA
Event Code: 1002
Message: The IP address lease 192.168.1.3 for the Network Card with network address 001DD90CB105 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
Record Number: 133653
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20091214020927.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: TUNDRA
Event Code: 1000
Message: Faulting application bcmwltry.exe, version 4.102.15.61, time stamp 0x45f8a9d0, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0001143a, process id 0x17e4, application start time 0x01ca7c632d9776a9.
Record Number: 27526
Source Name: Application Error
Time Written: 20091214021434.000000-000
Event Type: Error
User:

Computer Name: TUNDRA
Event Code: 1000
Message: Faulting application bcmwltry.exe, version 4.102.15.61, time stamp 0x45f8a9d0, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0001143a, process id 0x578, application start time 0x01ca7c63327deb49.
Record Number: 27527
Source Name: Application Error
Time Written: 20091214021443.000000-000
Event Type: Error
User:

Computer Name: TUNDRA
Event Code: 1000
Message: Faulting application bcmwltry.exe, version 4.102.15.61, time stamp 0x45f8a9d0, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0001143a, process id 0x141c, application start time 0x01ca7c63379fe249.
Record Number: 27528
Source Name: Application Error
Time Written: 20091214021451.000000-000
Event Type: Error
User:

Computer Name: TUNDRA
Event Code: 1000
Message: Faulting application bcmwltry.exe, version 4.102.15.61, time stamp 0x45f8a9d0, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0001143a, process id 0x130c, application start time 0x01ca7c633ce7ef49.
Record Number: 27529
Source Name: Application Error
Time Written: 20091214021500.000000-000
Event Type: Error
User:

Computer Name: TUNDRA
Event Code: 1000
Message: Faulting application bcmwltry.exe, version 4.102.15.61, time stamp 0x45f8a9d0, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0001143a, process id 0xf9c, application start time 0x01ca7c634293f609.
Record Number: 27530
Source Name: Application Error
Time Written: 20091214021509.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: TUNDRA
Event Code: 5032
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
Record Number: 75227
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091214020937.814400-000
Event Type: Audit Failure
User:

Computer Name: TUNDRA
Event Code: 5032
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
Record Number: 75228
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091214020937.814400-000
Event Type: Audit Failure
User:

Computer Name: TUNDRA
Event Code: 5032
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
Record Number: 75229
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091214020943.960800-000
Event Type: Audit Failure
User:

Computer Name: TUNDRA
Event Code: 5032
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
Record Number: 75230
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091214020943.960800-000
Event Type: Audit Failure
User:

Computer Name: TUNDRA
Event Code: 5032
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
Record Number: 75231
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091214020943.960800-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip

-----------------EOF-----------------


Report •

#2
December 13, 2009 at 21:54:51
Logfile of random's system information tool 1.06 (written by random/random)
Run by Sevrina at 2009-12-13 18:13:03
Microsoft® Windows Vista™ Home Premium
System drive C: has 57 GB (41%) free of 140 GB
Total RAM: 2038 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:20 PM, on 12/13/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Sevrina\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Sevrina.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [CTFMON] C:\Windows\Temp\_ex-08.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://skunk.nextit.com/vdesk/terminal/urxvpn.cab#version=6030,2008,904,1951
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/Walgree...
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://skunk.nextit.com/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://skunk.nextit.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofi...
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://skunk.nextit.com/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://skunk.nextit.com/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Windows Audio AudiosrvKtmRm (AudiosrvKtmRm) - Unknown owner - C:\Windows\system32\appinfok.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7577 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{4EADFFB0-32FC-4DB0-B81C-7329D94084EC}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - c:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-10-31 501384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2007-10-31 1006264]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-04-27 857648]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [2007-06-24 405504]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-07-01 138008]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-07-01 154392]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-07-01 133912]
"Broadcom Wireless Manager UI"=C:\Windows\system32\WLTRAY.exe [2007-03-21 1548288]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2007-04-16 184320]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-22 107112]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-11-28 134808]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2007-10-19 286720]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-11-02 267048]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2008-09-19 615696]
"CTFMON"=C:\Windows\Temp\_ex-08.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-09 1232896]
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe [2007-03-01 2321600]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2006-11-02 125440]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-11-02 201728]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-11-23 2001648]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-07-01 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d1ab045-95b0-11dd-80e9-001c23a67e1a}]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d12652c-2a71-11dd-bee8-001c23a67e1a}]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be37254b-acf7-11dc-8ca7-806e6f6e6963}]
shell\AutoRun\command - F:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-12-13 18:13:03 ----D---- C:\rsit
2009-12-13 14:29:48 ----D---- C:\Program Files\Trend Micro
2009-12-13 09:45:32 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-12-13 09:45:15 ----D---- C:\Users\Sevrina\AppData\Roaming\SUPERAntiSpyware.com
2009-12-13 09:45:15 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-13 09:40:55 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-13 03:00:21 ----A---- C:\Windows\system32\nshhttp.dll
2009-12-13 03:00:19 ----A---- C:\Windows\system32\httpapi.dll
2009-12-12 13:37:06 ----D---- C:\Users\Sevrina\AppData\Roaming\Malwarebytes
2009-12-12 13:36:57 ----D---- C:\ProgramData\Malwarebytes
2009-12-12 13:36:56 ----D---- C:\Program Files\Malwarebytes Anti-Malware
2009-12-12 12:54:40 ----A---- C:\Windows\ntbtlog.txt
2009-12-09 21:06:20 ----A---- C:\Windows\system32\winhttp.dll
2009-12-09 21:06:10 ----A---- C:\Windows\system32\mshtml.dll
2009-12-09 21:06:09 ----A---- C:\Windows\system32\wininet.dll
2009-12-09 21:06:07 ----A---- C:\Windows\system32\urlmon.dll
2009-12-09 21:06:07 ----A---- C:\Windows\system32\ieframe.dll
2009-12-09 21:06:05 ----A---- C:\Windows\system32\mstime.dll
2009-12-09 21:06:05 ----A---- C:\Windows\system32\ieapfltr.dll
2009-12-09 21:06:04 ----A---- C:\Windows\system32\occache.dll
2009-12-09 21:06:04 ----A---- C:\Windows\system32\msfeeds.dll
2009-12-09 21:06:04 ----A---- C:\Windows\system32\iertutil.dll
2009-12-09 21:06:04 ----A---- C:\Windows\system32\iedkcs32.dll
2009-12-09 21:06:04 ----A---- C:\Windows\system32\dxtmsft.dll
2009-12-09 21:06:03 ----A---- C:\Windows\system32\mshtmled.dll
2009-12-09 21:06:03 ----A---- C:\Windows\system32\ieencode.dll
2009-12-09 21:06:03 ----A---- C:\Windows\system32\ieaksie.dll
2009-12-09 21:06:03 ----A---- C:\Windows\system32\icardie.dll
2009-12-09 21:06:03 ----A---- C:\Windows\system32\dxtrans.dll
2009-12-09 21:06:02 ----A---- C:\Windows\system32\jsproxy.dll
2009-12-09 21:06:02 ----A---- C:\Windows\system32\admparse.dll
2009-12-09 21:06:01 ----A---- C:\Windows\system32\pngfilt.dll
2009-12-09 21:06:01 ----A---- C:\Windows\system32\ieUnatt.exe
2009-12-09 21:06:01 ----A---- C:\Windows\system32\ieui.dll
2009-12-09 21:06:01 ----A---- C:\Windows\system32\iesetup.dll
2009-12-09 21:06:01 ----A---- C:\Windows\system32\iernonce.dll
2009-12-09 21:06:01 ----A---- C:\Windows\system32\ie4uinit.exe
2009-12-09 21:06:01 ----A---- C:\Windows\system32\advpack.dll
2009-12-09 21:06:00 ----A---- C:\Windows\system32\mshtmler.dll
2009-12-09 21:06:00 ----A---- C:\Windows\system32\ieakui.dll
2009-12-09 21:04:00 ----A---- C:\Windows\system32\rastls.dll
2009-12-09 21:04:00 ----A---- C:\Windows\system32\raschap.dll
2009-11-25 03:01:21 ----A---- C:\Windows\system32\tzres.dll
2009-11-24 17:18:22 ----A---- C:\Windows\system32\msxml6.dll
2009-11-24 17:18:22 ----A---- C:\Windows\system32\msxml3.dll
2009-11-24 17:18:21 ----A---- C:\Windows\system32\msxml6r.dll
2009-11-24 17:18:21 ----A---- C:\Windows\system32\msxml3r.dll

======List of files/folders modified in the last 1 months======

2009-12-13 18:13:18 ----D---- C:\Windows\Temp
2009-12-13 18:13:15 ----D---- C:\Windows\Prefetch
2009-12-13 18:10:39 ----D---- C:\Windows\System32
2009-12-13 18:10:39 ----D---- C:\Windows\inf
2009-12-13 18:10:39 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-12-13 14:35:06 ----HD---- C:\ProgramData
2009-12-13 14:35:06 ----D---- C:\Program Files\Google
2009-12-13 14:29:48 ----RD---- C:\Program Files
2009-12-13 09:48:36 ----SHD---- C:\System Volume Information
2009-12-13 09:45:24 ----SHD---- C:\Windows\Installer
2009-12-13 09:40:55 ----D---- C:\Program Files\Common Files
2009-12-13 03:16:40 ----D---- C:\Windows\system32\drivers
2009-12-13 03:01:19 ----D---- C:\Windows\winsxs
2009-12-13 03:00:57 ----D---- C:\Windows\system32\catroot
2009-12-13 03:00:54 ----D---- C:\Windows\system32\catroot2
2009-12-12 15:14:52 ----RSD---- C:\Windows\assembly
2009-12-12 12:54:40 ----D---- C:\Windows
2009-12-10 03:21:12 ----D---- C:\Program Files\Internet Explorer
2009-12-10 03:21:10 ----D---- C:\Windows\system32\migration
2009-12-10 03:21:02 ----D---- C:\Windows\system32\en-US
2009-12-10 03:21:02 ----D---- C:\Windows\AppPatch
2009-11-22 19:14:46 ----SD---- C:\Windows\Downloaded Program Files
2009-11-15 11:51:52 ----A---- C:\Windows\win.ini
2009-11-15 11:42:40 ----D---- C:\Windows\Minidump

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2009-08-27 371248]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [2006-10-06 406672]
R1 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [2006-11-22 247144]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [2006-11-22 25448]
R1 SYMTDI;SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [2006-10-26 185744]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2006-11-26 32256]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2006-11-26 43520]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-26 37376]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-03-21 534016]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
R3 GEARAspiWDM;GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-11-02 986624]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-11-02 206848]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-07-01 1675776]
R3 NAVENG;NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20091213.008\NAVENG.SYS [2009-08-27 84912]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20091213.008\NAVEX15.SYS [2009-08-27 1323568]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\Windows\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\Windows\System32\Drivers\RootMdm.sys [2006-11-02 8192]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2007-10-31 82432]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-06-24 326656]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2007-11-14 109744]
R3 SYMREDRV;SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [2006-10-26 26384]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-04-27 182456]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-11-02 659968]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2006-11-02 11264]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
S3 61883;61883 Unit Device; C:\Windows\system32\DRIVERS\61883.sys [2006-11-02 45696]
S3 Avc;AVC Device; C:\Windows\system32\DRIVERS\avc.sys [2006-11-02 40448]
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\Windows\system32\drivers\BVRPMPR5.SYS [2007-05-23 49904]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-01 200704]
S3 f5ipfw;F5 Networks StoneWall Filter; \??\C:\Windows\system32\drivers\urfltwlh.sys [2008-09-04 13944]
S3 MSDV;Microsoft DV Camera and VCR; C:\Windows\system32\DRIVERS\msdv.sys [2006-11-02 52608]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-01 2028032]
S3 RimUsb;BlackBerry Smartphone; C:\Windows\System32\Drivers\RimUsb.sys [2008-05-20 22784]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [2006-11-22 274328]
S3 urvpndrv;F5 Networks VPN Adapter; C:\Windows\system32\DRIVERS\covpnwlh.sys []
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2006-11-02 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-11-28 30872]
R2 STacSV;SigmaTel Audio Service; C:\Windows\system32\STacSV.exe [2007-06-24 94208]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-11-28 1962136]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\Windows\System32\WLTRYSVC.EXE [2007-03-21 24064]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-11-02 504104]
S2 AudiosrvKtmRm;Windows Audio AudiosrvKtmRm; C:\Windows\system32\appinfok.exe [2006-11-02 66560]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-10-31 2541248]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]

-----------------EOF-----------------


Report •

#3
December 13, 2009 at 21:58:15
Finally, the GMER log (the scan never found anything that it said was a rootkit).

ALSO, one other note... since the infection, I always have a windows message saying "Dell Wireless WLAN Wireless Network Controller has stopped working..." I suspect some phantom drivers as part of the malware?

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-13 20:25:16
Windows 6.0.6000
Running: mjmnpqvd.exe; Driver: C:\Users\myusername\AppData\Local\Temp\pwrdypow.sys


---- System - GMER 1.0.15 ----

SSDT 86A43D20 ZwAlertResumeThread
SSDT 86A43E00 ZwAlertThread
SSDT 86A46CA0 ZwAllocateVirtualMemory
SSDT 868F8648 ZwConnectPort
SSDT 86A43A80 ZwCreateMutant
SSDT 86A46A28 ZwCreateThread
SSDT 86A46F60 ZwFreeVirtualMemory
SSDT 86A43B60 ZwImpersonateAnonymousToken
SSDT 86A43C40 ZwImpersonateThread
SSDT 86A38008 ZwMapViewOfSection
SSDT 86A439A0 ZwOpenEvent
SSDT 869D8F00 ZwOpenProcessToken
SSDT 869E7050 ZwOpenThreadToken
SSDT 869C0A98 ZwResumeThread
SSDT 86A46230 ZwSetContextThread
SSDT 869E7130 ZwSetInformationProcess
SSDT 86A46150 ZwSetInformationThread
SSDT 86A438C0 ZwSuspendProcess
SSDT 86A43F48 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8F9310B0]
SSDT 86A43008 ZwTerminateThread
SSDT 86A380C0 ZwUnmapViewOfSection
SSDT 86A3A4D8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F0 81C807FC 4 Bytes CALL 2634A882
.text ntkrnlpa.exe!ZwCallbackReturn + 73C 81C80C48 4 Bytes CALL 262A3CCE

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[844] ole32.dll!CoCreateInstance 76B6DD8F 5 Bytes JMP 0097000A

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report09da93f5

---- Files - GMER 1.0.15 ----

File C:\Windows\Temp\WER953.tmp.version.txt 0 bytes
File C:\Windows\Temp\WER954.tmp.appcompat.txt 0 bytes
File C:\Windows\Temp\WERA20.tmp.hdmp 0 bytes

---- EOF - GMER 1.0.15 ----


Report •

Related Solutions


Ask Question