Blade81, on Oct 20 2009, 10:40 AM, said:
Hi Donna,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
- When done, DDS will open two (2) logs:
- Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the "download exe" button and then saving it to your desktop:
- Double-click the .exe that you downloaded.
- Click the Rootkit tab and then Scan.
- Don't check the "Show All" box while the scan is in progress!
- When the scan is finished, click Copy.
- This copies the log to the clipboard.
- Post the log in your reply.
Hi Blade,
I just found your reply to me... I had to search a bit before I found it. I never received an email notification for it and thought it had been long enough to get one! Anyways, here are the logs from the scans you requested, hopefully I did it right!

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-10-13.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/14/2008 7:10:21 PM
System Uptime: 10/21/2009 9:18:05 AM (0 hours ago)
Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 62.938 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP448: 7/24/2009 7:19:45 AM - System Checkpoint
RP449: 7/24/2009 10:24:49 AM - Removed LiveUpdate Notice (Symantec Corporation)
RP450: 7/25/2009 3:00:27 AM - Software Distribution Service 3.0
RP451: 7/26/2009 3:12:40 AM - System Checkpoint
RP452: 7/27/2009 3:54:00 AM - System Checkpoint
RP453: 7/28/2009 10:36:42 AM - System Checkpoint
RP454: 7/29/2009 11:43:19 AM - Software Distribution Service 3.0
RP455: 7/30/2009 12:36:01 PM - System Checkpoint
RP456: 7/31/2009 1:12:00 PM - System Checkpoint
RP457: 8/1/2009 1:26:31 PM - System Checkpoint
RP458: 8/2/2009 1:47:01 PM - System Checkpoint
RP459: 8/2/2009 8:29:04 PM - Installed Windows Media Player 11
RP460: 8/2/2009 8:34:30 PM - Software Distribution Service 3.0
RP461: 8/3/2009 1:16:24 AM - Software Distribution Service 3.0
RP462: 8/4/2009 11:00:09 AM - Software Distribution Service 3.0
RP463: 8/5/2009 11:02:20 AM - System Checkpoint
RP464: 8/6/2009 11:58:54 AM - System Checkpoint
RP465: 8/7/2009 12:26:25 PM - System Checkpoint
RP466: 8/8/2009 1:26:24 PM - System Checkpoint
RP467: 8/9/2009 5:02:46 PM - System Checkpoint
RP468: 8/10/2009 6:20:05 PM - System Checkpoint
RP469: 8/12/2009 2:22:12 AM - System Checkpoint
RP470: 8/13/2009 3:11:06 AM - System Checkpoint
RP471: 8/14/2009 3:00:29 AM - Software Distribution Service 3.0
RP472: 8/15/2009 3:21:17 AM - System Checkpoint
RP473: 8/16/2009 4:21:13 AM - System Checkpoint
RP474: 8/17/2009 12:50:46 PM - System Checkpoint
RP475: 8/18/2009 1:48:20 PM - System Checkpoint
RP476: 8/19/2009 2:45:34 PM - System Checkpoint
RP477: 8/20/2009 4:43:49 PM - System Checkpoint
RP478: 8/21/2009 5:15:35 PM - System Checkpoint
RP479: 8/22/2009 5:25:43 PM - System Checkpoint
RP480: 8/23/2009 8:36:42 PM - System Checkpoint
RP481: 8/25/2009 2:11:21 AM - System Checkpoint
RP482: 8/26/2009 3:00:42 AM - Software Distribution Service 3.0
RP483: 8/27/2009 4:33:01 AM - System Checkpoint
RP484: 8/28/2009 5:14:32 AM - System Checkpoint
RP485: 8/29/2009 6:14:36 AM - System Checkpoint
RP486: 8/30/2009 7:03:35 AM - System Checkpoint
RP487: 8/31/2009 11:19:32 AM - System Checkpoint
RP488: 9/1/2009 12:03:40 PM - System Checkpoint
RP489: 9/2/2009 1:03:35 PM - System Checkpoint
RP490: 9/3/2009 4:10:10 PM - System Checkpoint
RP491: 9/4/2009 5:03:35 PM - System Checkpoint
RP492: 9/5/2009 5:13:13 PM - System Checkpoint
RP493: 9/6/2009 6:12:02 PM - System Checkpoint
RP494: 9/7/2009 7:06:19 PM - System Checkpoint
RP495: 9/8/2009 8:16:20 PM - System Checkpoint
RP496: 9/10/2009 3:00:48 AM - Software Distribution Service 3.0
RP497: 9/11/2009 3:29:56 AM - System Checkpoint
RP498: 9/12/2009 4:29:49 AM - System Checkpoint
RP499: 9/13/2009 5:29:51 AM - System Checkpoint
RP500: 9/14/2009 6:29:52 AM - System Checkpoint
RP501: 9/15/2009 7:29:50 AM - System Checkpoint
RP502: 9/16/2009 8:29:48 AM - System Checkpoint
RP503: 9/17/2009 9:29:53 AM - System Checkpoint
RP504: 9/18/2009 12:39:51 PM - System Checkpoint
RP505: 9/19/2009 1:35:27 PM - System Checkpoint
RP506: 9/20/2009 1:47:35 PM - System Checkpoint
RP507: 9/21/2009 4:20:55 PM - System Checkpoint
RP508: 9/22/2009 4:36:36 PM - System Checkpoint
RP509: 9/23/2009 6:55:45 PM - System Checkpoint
RP510: 9/24/2009 7:26:47 PM - System Checkpoint
RP511: 9/25/2009 9:45:38 PM - System Checkpoint
RP512: 9/27/2009 2:44:43 AM - System Checkpoint
RP513: 9/28/2009 3:48:58 AM - System Checkpoint
RP514: 9/29/2009 4:39:18 AM - System Checkpoint
RP515: 9/30/2009 5:39:16 AM - System Checkpoint
RP516: 10/1/2009 6:39:13 AM - System Checkpoint
RP517: 10/2/2009 7:39:15 AM - System Checkpoint
RP518: 10/3/2009 8:26:40 AM - System Checkpoint
RP519: 10/4/2009 11:33:15 AM - System Checkpoint
RP520: 10/5/2009 2:07:41 PM - System Checkpoint
RP521: 10/6/2009 2:26:43 PM - System Checkpoint
RP522: 10/7/2009 3:42:38 PM - System Checkpoint
RP523: 10/8/2009 4:00:29 PM - System Checkpoint
RP524: 10/9/2009 9:16:53 PM - System Checkpoint
RP525: 10/11/2009 1:37:01 AM - System Checkpoint
RP526: 10/12/2009 10:21:28 AM - System Checkpoint
RP527: 10/13/2009 11:13:58 AM - System Checkpoint
RP528: 10/13/2009 5:17:35 PM - Software Distribution Service 3.0
RP529: 10/14/2009 5:44:39 PM - System Checkpoint
RP530: 10/15/2009 11:39:10 PM - System Checkpoint
RP531: 10/17/2009 1:37:05 AM - System Checkpoint
RP532: 10/18/2009 2:34:10 AM - System Checkpoint
RP533: 10/19/2009 11:33:28 AM - System Checkpoint
RP534: 10/20/2009 12:47:10 PM - System Checkpoint
==== Installed Programs ======================
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player 11
Anti-Spyware (Sunbelt)
Anti-Spyware (Sunbelt) Definitions
Anti-Virus (Command Software)
AOL Instant Messenger
Apple Software Update
Armstrong (SYUS)
Authentium AntiVirus SDK - 2
Authentium Web Install Helper
Critical Update for Windows Media Player 11 (KB959772)
Dell AIO Printer A940
Dell Driver Reset Tool
Dell ResourceCD
ESP
Firewall (Core 2)
Firewall (User)
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Java 6 Update 12
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB954430)
PokerStars
Popup Blocker
PowerDVD
QuickTime
RealPlayer
Safe and Secure
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SoundMAX
Starcraft
Third Party Prerequisites
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Viewpoint Media Player
Web Filtering (Base 2)
Web Filtering (Base)
Web Filtering (Kids Page)
Web Filtering (RuleSpace CFI Anti-Phishing)
Web Filtering (Rulespace CFI)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Messenger
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
10/16/2009 8:03:40 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/16/2009 8:03:39 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
10/15/2009 10:10:14 AM, error: Service Control Manager [7023] - The dvpapi service terminated with the following error: The class is configured to run as a security id different from the caller
10/15/2009 1:42:48 PM, error: Service Control Manager [7022] - The Safe and Secure System Service service hung on starting.
10/15/2009 1:42:48 PM, error: Service Control Manager [7022] - The dvpapi service hung on starting.
==== End Of File ===========================
DDS (Ver_09-10-13.01) - NTFSx86
Run by Owner at 9:46:31.18 on Wed 10/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.53 [GMT -4:00]
AV: SS Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
c:\Program Files\Synacor 3.0\SS\App\syssvcnt.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Synacor 3.0\SS\app\Console.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://armstrongmywire.com/index.php
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AuthPopupBHO01.cBHO: {3c7195f6-d788-4d50-ba72-2ee212edac78} - c:\program files\synacor 3.0\ss\app\popupbho01.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Safe and Secure Popup Blocker: {2c0a5f28-48d8-408b-9172-9c6121025bce} - c:\program files\synacor 3.0\ss\app\popupbho01.dll
TB: {A057A204-BACC-4D26-908B-27FCD4A32E85} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103472 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11" -"http://mplayer22.slingo.com/shockscreen2.asp?shost=mplayer22.slingo.com&sport=15020&susername=Italianmom60&spassword=080860&roomname=Challenge%20Slingo&gameid=20"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ESP] "c:\program files\synacor 3.0\ss\app\start.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ep2aboyf.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 GRFILTER;Authentium NDIS Driver;c:\windows\system32\drivers\GRFilter.sys [2008-5-21 21000]
R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2009-7-24 15544]
R2 GRTdiMon;Authentium TDI Mon;c:\windows\system32\drivers\GRTdiMon.sys [2008-5-21 39688]
R3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]
============== File Associations ===============
regfile=regedit.exe "%1" %*
=============== Created Last 30 ================
2009-10-15 13:24 <DIR> --d----- c:\program files\Trend Micro
==================== Find3M ====================
2009-09-14 01:23 44,944 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-09-14 01:23 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-09-14 01:23 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-14 01:23 158,192 -------- c:\windows\system32\pxwma.dll
2009-09-11 10:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 17:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 03:36 832,512 a------- c:\windows\system32\wininet.dll
2009-08-29 03:36 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-29 03:36 17,408 -------- c:\windows\system32\corpol.dll
2009-08-26 04:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2008-10-27 15:16 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-10-27 15:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat
============= FINISH: 9:48:29.51 ===============
GMER 1.0.15.15163 -
http://www.gmer.net
Rootkit scan 2009-10-21 11:24:23
Windows 5.1.2600 Service Pack 3
Running: 1p4zoef6.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxtdapog.sys
---- System - GMER 1.0.15 ----
SSDT sbhr.sys ZwClose [0xF96DA514]
SSDT sbhr.sys ZwCreateKey [0xF96DA552]
SSDT sbhr.sys ZwOpenKey [0xF96DA4D0]
SSDT sbhr.sys ZwSetValueKey [0xF96DA5A2]
Code FF84FCD0 ZwDuplicateObject
Code FF87A840 ZwSetInformationFile
Code FF780BB0 ZwSetSystemInformation
Code FF855EE8 ZwWriteFile
Code FF84FCCF NtDuplicateObject
Code FF87A83F NtSetInformationFile
Code FF855EE7 NtWriteFile
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntoskrnl.exe!FsRtlCurrentBatchOplock + 28D 8056F4A6 7 Bytes JMP FF780D3C
PAGE ntoskrnl.exe!ZwSetSystemInformation 805A7BED 5 Bytes JMP FF780BB4
? C:\WINDOWS\system32\drivers\sbapifs.sys The system cannot find the file specified. !
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F96DF390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F96DF3EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F96DF63A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F96DF616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F96DF616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F96DF3EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F96DF390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F96DF63A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F96DF63A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F96DF616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F96DF3EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F96DF390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F96DF616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F96DF63A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F96DF390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F96DF3EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F96DF390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F96DF3EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F96DF616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F96DF63A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F96DF616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F96DF3EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F96DF390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F96DF616] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F96DF63A] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F96DF390] GRFILTER.sys (NDIS Filter/Authentium Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F96DF3EC] GRFILTER.sys (NDIS Filter/Authentium Inc.)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61138F3A] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61138F3A] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A1CE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138E7D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138E01] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138E3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61138F3A] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A1CE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61138F78] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138E3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138E7D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61138F40] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138E01] C:\Program Files\Yahoo!\Messenger\yui.dll
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Fastfat \FatCdrom Code FF84EBB0
Device \Driver\Tcpip \Device\Ip GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)
Device \Driver\Tcpip \Device\Tcp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)
Device \Driver\Tcpip \Device\Udp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)
Device \Driver\Tcpip \Device\RawIp GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)
Device \Driver\Tcpip \Device\IPMULTICAST GRTdiMon.sys (GRTdiMon TDI Filter Driver/Authentium Inc)
Device \FileSystem\Fastfat \Fat Code FF84EBB0
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
I will look for your reply to these logs. I did run MBAM this AM before I found your instructions and it did find 4 infections, which I did check to remove. Thank you so much for your help!
Donna
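The two logs above carry the entries a helper would look at first: an AV product reporting "On-access scanning disabled", the two HKCU policies (DisableRegistryTools, DisableTaskMgr) that lock the user out of regedit and Task Manager, toolbar and explorer-bar entries marked "No File", a driver service (SBAPIFS) whose file DDS could not find, and GMER SSDT hooks attributed to sbhr.sys next to "Code" and "PAGE" entries that carry only an address and no owning module. The script below is an added example for this thread, not code from DDS, GMER or either poster: it runs that triage over a handful of lines copied from the logs above (the sample strings are constructed from the post), using finding labels of my own choosing. It only flags entries for a human to examine; it does not decide what is malicious.

```python
import re

# Constructed sample: a few lines copied from the DDS "Pseudo HJT Report" and
# SERVICES/DRIVERS sections posted above (raw string keeps the backslashes literal).
DDS_SAMPLE = r"""
AV: SS Anti-Virus *On-access scanning disabled* (Outdated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {A057A204-BACC-4D26-908B-27FCD4A32E85} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [ESP] "c:\program files\synacor 3.0\ss\app\start.exe"
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
R3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]
"""

# Constructed sample: lines copied from the GMER "System" and "Kernel code sections" output above.
GMER_SAMPLE = r"""
SSDT sbhr.sys ZwClose [0xF96DA514]
SSDT sbhr.sys ZwCreateKey [0xF96DA552]
Code FF84FCD0 ZwDuplicateObject
Code FF87A840 ZwSetInformationFile
PAGE ntoskrnl.exe!ZwSetSystemInformation 805A7BED 5 Bytes JMP FF780BB4
? C:\WINDOWS\system32\drivers\sbapifs.sys The system cannot find the file specified. !
"""

# Policy values DDS reports under [um]Policies-system that lock the user out of
# built-in tools when non-zero. Only the two that appear in the post are listed.
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr"}

AV_RE = re.compile(r"^AV:\s+(.*?)\s+\*(.+?)\*")
POLICY_RE = re.compile(r"^[um]?Policies-\w+:\s+(\w+)\s*=\s*(\d+)")
STARTUP_RE = re.compile(r"^(BHO|TB|EB|[um]Run(?:Once)?):")
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;.*\[\?\]$")


def triage_dds(text):
    """Return (label, subject, detail) tuples for DDS lines worth a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m and "disabled" in m.group(2).lower():
            findings.append(("av_disabled", m.group(1), m.group(2)))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
            findings.append(("restrictive_policy", m.group(1), m.group(2)))
            continue
        if STARTUP_RE.match(line) and line.endswith("- No File"):
            # Registered BHO/toolbar/run entry whose file is gone: an orphan, or a hidden file.
            findings.append(("orphan_entry", line.split(":", 1)[0], line))
            continue
        m = DRIVER_RE.match(line)
        if m:
            # DDS prints "[?]" when it cannot stat the driver file the service points at.
            findings.append(("driver_file_missing", m.group(1), line))
    return findings


def group_gmer_hooks(text):
    """Group GMER hook lines by the module GMER attributes them to.

    SSDT lines name the hooking driver; "Code" lines and inline "PAGE" patches
    give only an address, so they are collected under "<unknown>" for follow-up.
    Lines starting with "?" are drivers GMER could not open, kept under "<missing file>".
    """
    hooks = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kind = parts[0]
        if kind == "SSDT" and len(parts) >= 3:
            module, target = parts[1], parts[2]
        elif kind == "Code" and len(parts) >= 3:
            module, target = "<unknown>", parts[2]
        elif kind in ("PAGE", ".text") and len(parts) >= 2:
            module, target = "<unknown>", parts[1]
        elif kind == "?" and len(parts) >= 2:
            module, target = "<missing file>", parts[1]
        else:
            continue
        hooks.setdefault(module, []).append(target)
    return hooks


if __name__ == "__main__":
    for finding in triage_dds(DDS_SAMPLE):
        print("DDS  ", *finding)
    for module, targets in group_gmer_hooks(GMER_SAMPLE).items():
        print("GMER ", module, "->", ", ".join(targets))
```

The grouping is what makes the GMER section readable: SSDT hooks owned by a named security driver (here sbhr.sys, which by its name and the 2009-7-24 install date in the DDS driver list belongs to the Sunbelt anti-spyware product in Installed Programs) are expected behaviour for that product, while the "Code" entries and the JMP from ntoskrnl.exe into an FF78xxxx address have no owner GMER could name and are the ones a helper would ask to investigate further.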