Hi,
Link to the topic = http://www.bleepingcomputer.com/forums/topic414323.html
OK, I went through the posting guide, so I have disabled the CD emulation software with DeFogger.
And here are the logs.
Malwarebytes' Anti-Malware log:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7503
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18828
8/19/2011 5:11:45 AM
mbam-log-2011-08-19 (05-11-45).txt
Scan type: Quick scan
Objects scanned: 180310
Time elapsed: 4 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{634DE189-7520-2952-7B81-C2B7F4CD4A6E} (Backdoor.Bot) -> Value: {634DE189-7520-2952-7B81-C2B7F4CD4A6E} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{634DE189-7520-2952-7B81-C2B7F4CD4A6E} (Backdoor.Bot) -> Value: {634DE189-7520-2952-7B81-C2B7F4CD4A6E} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net.runtime (Backdoor.Bot) -> Value: net.runtime -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
DDS.txt:
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_26
Run by Hell Raiser at 5:12:32 on 2011-08-19
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.1022.247 [GMT 3:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Internet Security *Enabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Enabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
.
Running Processes
.
C:Windowssystem32wininit.exe
C:Windowssystem32lsm.exe
C:Windowssystem32svchost.exe -k DcomLaunch
C:Windowssystem32nvvsvc.exe
C:Windowssystem32svchost.exe -k rpcss
C:WindowsSystem32svchost.exe -k secsvcs
C:WindowsSystem32svchost.exe -k LocalServiceNetworkRestricted
C:WindowsSystem32svchost.exe -k LocalSystemNetworkRestricted
C:Windowssystem32svchost.exe -k netsvcs
C:Windowssystem32svchost.exe -k GPSvcGroup
C:Windowssystem32SLsvc.exe
C:Windowssystem32svchost.exe -k LocalService
C:Windowssystem32svchost.exe -k NetworkService
C:WindowsSystem32spoolsv.exe
C:Windowssystem32svchost.exe -k LocalServiceNoNetwork
C:Program FilesKaspersky LabKaspersky Internet Security 2012avp.exe
C:Program FilesBonjourmDNSResponder.exe
C:Windowssystem32svchost.exe -k bthsvcs
c:Program FilesMicrosoft SQL ServerMSSQL10.SQLEXPRESSMSSQLBinnsqlservr.exe
C:Windowssystem32svchost.exe -k NetworkServiceNetworkRestricted
c:Program FilesMicrosoft SQL Server90Sharedsqlwriter.exe
C:Windowssystem32svchost.exe -k imgsvc
C:Program FilesTeamViewerVersion6TeamViewer_Service.exe
C:WindowsSystem32svchost.exe -k WerSvcGroup
C:Windowssystem32SearchIndexer.exe
C:Program FilesMalwarebytes' Anti-Malwarembamservice.exe
C:Program FilesNVIDIA CorporationNVIDIA Updatusdaemonu.exe
C:Program FilesNVIDIA CorporationDisplaynvxdsync.exe
C:Windowssystem32nvvsvc.exe
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:Windowssystem32taskeng.exe
C:WindowsRtHDVCpl.exe
C:Program FilesNVIDIA CorporationDisplaynvtray.exe
C:Program FilesAdobeAcrobat 8.0Acrobatacrotray.exe
C:Program FilesKaspersky LabKaspersky Internet Security 2012avp.exe
C:Program FilesCommon FilesJavaJava Updatejusched.exe
C:Program FilesMalwarebytes' Anti-Malwarembamgui.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesInternet Download ManagerIDMan.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
C:Program FilesInternet Download ManagerIEMonitor.exe
C:Program FilesWindows Media Playerwmpnscfg.exe
C:Program FilesWindows Media Playerwmpnetwk.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Windowsexplorer.exe
C:Windowssystem32wbemwmiprvse.exe
.
Pseudo HJT Report
.
uStart Page = hxxp://www.google.com.bh/
uInternet Settings,ProxyOverride = *.local
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:program filesinternet download managerIDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filescommon filesadobeacrobatactivexAcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:progra~1spybot~1SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:program fileskaspersky labkaspersky internet security 2012ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:progra~1micros~2office14GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:progra~1micros~2office14URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - c:program filesmicrosoft visual studio 10.0common7ideprivateassembliesMicrosoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:program fileskaspersky labkaspersky internet security 2012klwtbbho.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll
uRun: [Sidebar] c:program fileswindows sidebarsidebar.exe /autoRun
uRun: [IDMan] c:program filesinternet download managerIDMan.exe /onboot
uRun: [SpybotSD TeaTimer] c:program filesspybot - search & destroyTeaTimer.exe
uRun: [{634DE189-7520-2952-7B81-C2B7F4CD4A6E}] c:\users\hell raiser\appdata\roaming\runtime.exe
uRun: [net.runtime] c:\users\hell raiser\appdata\roaming\runtime.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [BCSSync] 'c:program filesmicrosoft officeoffice14BCSSync.exe' /DelayServices
mRun: [AdobeAAMUpdater-1.0] 'c:program filescommon filesadobeoobepdappuwaUpdaterStartupUtility.exe'
mRun: [AdobeCS5ServiceManager] 'c:program filescommon filesadobecs5servicemanagerCS5ServiceManager.exe' -launchedbylogin
mRun: [Acrobat Assistant 8.0] 'c:program filesadobeacrobat 8.0acrobatAcrotray.exe'
mRun: [Adobe_ID0EYTHM] c:progra~1common~1adobeadobev~1serverbinVERSIO~2.EXE
mRun: [AVP] 'c:program fileskaspersky labkaspersky internet security 2012avp.exe'
mRun: [SunJavaUpdateSched] 'c:program filescommon filesjavajava updatejusched.exe'
mRun: [Malwarebytes' Anti-Malware] 'c:program filesmalwarebytes' anti-malwarembamgui.exe' /starttray
StartupFolder: c:progra~2micros~1windowsstartm~1programsstartupadobea~1.lnk - c:windowsinstaller{ac76ba86-1033-0000-7760-000000000003}_SC_Acrobat.exe
StartupFolder: c:progra~2micros~1windowsstartm~1programsstartupadobea~2.lnk - c:program filesadobeacrobat 8.0acrobatAdobeCollabSync.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:program fileskaspersky labkaspersky internet security 2012ie_banner_deny.htm
IE: Append to existing PDF - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:program filesadobeacrobat 8.0acrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:program filesinternet download managerIEGetAll.htm
IE: Download with IDM - c:program filesinternet download managerIEExt.htm
IE: E&xport to Microsoft Excel - c:progra~1micros~2office14EXCEL.EXE/3000
IE: Se&nd to OneNote - c:progra~1micros~2office14ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:program filesmicrosoft officeoffice14ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:program fileskaspersky labkaspersky internet security 2012ievkbd.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:program filesmicrosoft officeoffice14ONBttnIELinkedNotes.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:program fileskaspersky labkaspersky internet security 2012klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:progra~1spybot~1SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 10.0.0.138
TCP: Interfaces{32FE1AC3-D5A9-47A7-91AB-001565A88058} : DhcpNameServer = 10.0.0.138
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:program filescommon filesmicrosoft sharedoffice14MSOXMLMF.DLL
Notify: klogon - c:windowssystem32klogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:progra~1micros~2office14GROOVEEX.DLL
SEH: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - SABShellExecuteHook Class
.
FIREFOX
.
FF - ProfilePath - c:usershell raiserappdataroamingmozillafirefoxprofiles7jjqq2eb.default
FF - prefs.js: browser.search.selectedEngine - Hotspot Shield Private Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.hotspotshield.com/g/results.php?c=s&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:program fileskaspersky labkaspersky internet security [email protected]
FF - component: c:program fileskaspersky labkaspersky internet security 2012ffextkavantibanner@kaspersky.rucomponentsff6abhelperxpcom6.dll
FF - component: c:program fileskaspersky labkaspersky internet security 2012ffextvirtualkeyboard@kaspersky.rucomponentsff6ffvkplugin6.dll
FF - component: c:program fileskaspersky labkaspersky internet security [email protected]
FF - component: c:program filesmozilla firefoxextensionsafurladvisor@anchorfree.comcomponentsafurladvisor.dll
FF - component: c:usershell raiserappdataroamingidmidmmzcc5componentsidmmzcc.dll
FF - plugin: c:progra~1micros~2office14NPAUTHZ.DLL
FF - plugin: c:progra~1micros~2office14NPSPWRAP.DLL
FF - plugin: c:program filesgoogleupdate1.3.21.65npGoogleUpdate3.dll
FF - plugin: c:program filesjavajre6binnew_pluginnpdeployJava1.dll
FF - plugin: c:usershell raiserappdatalocalgoogleupdate1.3.21.65npGoogleUpdate3.dll
FF - plugin: c:usershell raiserappdataroamingmozillapluginsnpgoogletalk.dll
FF - plugin: c:usershell raiserappdataroamingmozillapluginsnpgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:program filesmozilla firefoxextensions{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Anti-Banner: [email protected]_bak2 - c:program filesmozilla [email protected]_bak2
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationDotNetAssistantExtension
FF - Ext: Kaspersky Virtual Keyboard: [email protected] - c:program fileskaspersky labkaspersky internet security [email protected]
FF - Ext: Anti-Banner: [email protected] - c:program fileskaspersky labkaspersky internet security [email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%extensions{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%extensions{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: X-Forwarded-For Spoofer: [email protected] - %profile%[email protected]
FF - Ext: MAFIAAFIRE: Gee! No evil!: [email protected] - %profile%[email protected]
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%extensions{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: IDM CC: [email protected] - c:usershell raiserappdataroamingidmidmmzcc5
.
SERVICES / DRIVERS
.
R1 kl2;kl2;c:windowssystem32driverskl2.sys [2011-3-4 11352]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:windowssystem32driversklim6.sys [2011-3-10 23856]
R2 AVP;Kaspersky Anti-Virus Service;c:program fileskaspersky labkaspersky internet security 2012avp.exe [2011-4-24 202296]
R2 IDMWFP;IDMWFP;c:windowssystem32driversidmwfp.sys [2011-8-1 89376]
R2 MBAMService;MBAMService;c:program filesmalwarebytes' anti-malwarembamservice.exe [2011-7-18 366640]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:program filesnvidia corporationnvidia updatusdaemonu.exe [2011-6-16 2214504]
R2 TeamViewer6;TeamViewer 6;c:program filesteamviewerversion6TeamViewer_Service.exe [2011-6-26 2280312]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:windowssystem32driversklmouflt.sys [2009-11-2 19984]
R3 MBAMProtector;MBAMProtector;c:windowssystem32driversmbam.sys [2011-7-18 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:windowsmicrosoft.netframeworkv4.0.30319mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:program filesgoogleupdateGoogleUpdate.exe [2011-6-9 136176]
S2 KMService;KMService;c:windowssystem32srvany.exe [2011-6-6 8192]
S3 gupdatem;Google Update Service (gupdatem);c:program filesgoogleupdateGoogleUpdate.exe [2011-6-9 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:windowssystem32driversmbamswissarmy.sys [2011-7-18 41272]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:program filesmicrosoft officeoffice14GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:program filescommon filesmicrosoft sharedofficesoftwareprotectionplatformOSPPSVC.EXE [2010-1-9 4640000]
S3 teamviewervpn;TeamViewer VPN Adapter;c:windowssystem32driversteamviewervpn.sys [2011-3-30 25088]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:program filesmicrosoft visual studio 10.0team toolsperformance toolsVSPerfDrv100.sys [2009-12-8 48128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:windowsmicrosoft.netframeworkv4.0.30319wpfWPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:program filesmicrosoft sql server100sharedsqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:windowssystem32driversRsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:program filesmicrosoft sql servermssql10.sqlexpressmssqlbinnSQLAGENT.EXE [2009-3-30 366936]
.
Created Last 30
.
2011-08-19 01:56:19 -------- d-----w- c:programdatahsswpr
2011-08-17 11:28:55 -------- d-----w- c:program filesESET
2011-08-14 06:58:29 -------- d-----w- c:usershell raiserappdatalocalAdobe
2011-08-14 04:10:27 6881616 ----a-w- c:programdatamicrosoftwindows defenderdefinition updates{8071d0bf-d7a6-4007-851e-44a8626d2d78}mpengine.dll
2011-08-11 00:18:36 -------- d-----w- c:program filesProxy Labs
2011-08-07 21:52:45 -------- d-----w- c:usershell raiserappdataroamingIP Monitor
2011-08-07 09:27:40 -------- d-----w- c:usershell raiserappdataroamingmIRC
2011-08-07 09:27:40 -------- d-----w- c:program filesmIRC
2011-08-07 07:26:16 -------- d-----w- c:usershell raiserappdataroamingXilisoft
2011-08-07 07:24:59 -------- d-----w- c:programdataXilisoft
2011-08-07 07:24:59 -------- d-----w- c:program filesXilisoft
2011-08-06 18:47:49 -------- d-----w- c:usershell raiserappdataroamingCleanMyPC Software
2011-08-03 16:09:43 -------- d-----w- C:speed_converter
2011-08-03 03:31:46 -------- d-s---w- C:ComboFix
2011-08-03 02:48:39 -------- d-sh--w- C:$RECYCLE.BIN
2011-08-03 02:25:36 98816 ----a-w- c:windowssed.exe
2011-08-03 02:25:36 518144 ----a-w- c:windowsSWREG.exe
2011-08-03 02:25:36 256000 ----a-w- c:windowsPEV.exe
2011-08-03 02:25:36 208896 ----a-w- c:windowsMBR.exe
2011-08-01 19:17:12 315392 ----a-w- c:windowssystem32sbcrreag.dll
2011-08-01 17:48:09 -------- d-----w- c:programdataSpybot - Search & Destroy
2011-08-01 17:48:09 -------- d-----w- c:program filesSpybot - Search & Destroy
2011-08-01 14:28:10 89376 ----a-w- c:windowssystem32driversidmwfp.sys
2011-07-27 22:31:44 645632 ----a-w- c:windowssystem32xvidcore.dll
2011-07-27 22:31:44 240640 ----a-w- c:windowssystem32xvidvfw.dll
2011-07-27 22:31:44 153088 ----a-w- c:windowssystem32xvid.ax
2011-07-27 22:31:44 -------- d-----w- c:program filesXvid
2011-07-25 15:15:53 222080 ------w- c:windowssystem32MpSigStub.exe
2011-07-23 11:43:53 -------- d-----w- c:programdataImTOO
2011-07-23 11:43:53 -------- d-----w- c:program filesImTOO
.
Find3M
.
2011-07-22 23:42:20 319456 ----a-w- c:windowsDIFxAPI.dll
2011-07-08 00:39:43 472808 ----a-w- c:windowssystem32deployJava1.dll
2011-07-06 16:52:42 41272 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2011-07-06 16:52:42 22712 ----a-w- c:windowssystem32driversmbam.sys
2011-06-21 02:52:48 404640 ----a-w- c:windowssystem32FlashPlayerCPLApp.cpl
2011-06-15 08:23:56 60156 ----a-w- c:windowssystem32driversscdemu.sys
2011-06-06 06:37:44 8192 ----a-w- c:windowssystem32srvany.exe
2011-06-06 06:23:13 315392 ----a-w- c:windowsHideWin.exe
.
FINISH: 5:14:25.00
Attach.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft® Windows Vista™ Ultimate
Boot Device: DeviceHarddiskVolume1
Install Date: 6/6/2011 6:51:08 PM
System Uptime: 8/19/2011 3:59:48 AM (2 hours ago)
.
Motherboard: Quanta | | 30D2
Processor: Intel® Core™2 Duo CPU T5550 @ 1.83GHz | U2E1 | 1833/667mhz
.
Disk Partitions
.
C: is FIXED (NTFS) - 233 GiB total, 168.483 GiB free.
D: is FIXED (NTFS) - 233 GiB total, 141.054 GiB free.
E: is CDROM ()
F: is CDROM ()
.
Disabled Device Manager Items
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel® PRO/Wireless 3945BG Network Connection
Device ID: PCIVEN_8086&DEV_4222&SUBSYS_10058086&REV_024&30F4B131&0&00E0
Manufacturer: Intel Corporation
Name: Intel® PRO/Wireless 3945BG Network Connection
PNP Device ID: PCIVEN_8086&DEV_4222&SUBSYS_10058086&REV_024&30F4B131&0&00E0
Service: NETw3v32
.
Class GUID:
Description: Base System Device
Device ID: PCIVEN_1180&DEV_0843&SUBSYS_30CC103C&REV_124&DBB383&0&4AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCIVEN_1180&DEV_0843&SUBSYS_30CC103C&REV_124&DBB383&0&4AF0
Service:
.
Class GUID:
Description: Base System Device
Device ID: PCIVEN_1180&DEV_0592&SUBSYS_30CC103C&REV_124&DBB383&0&4BF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCIVEN_1180&DEV_0592&SUBSYS_30CC103C&REV_124&DBB383&0&4BF0
Service:
.
Class GUID:
Description: Base System Device
Device ID: PCIVEN_1180&DEV_0852&SUBSYS_30CC103C&REV_124&DBB383&0&4CF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCIVEN_1180&DEV_0852&SUBSYS_30CC103C&REV_124&DBB383&0&4CF0
Service:
.
Class GUID:
Description:
Device ID: ACPIHPQ00074&2DC9E43E&0
Manufacturer:
Name:
PNP Device ID: ACPIHPQ00074&2DC9E43E&0
Service:
.
System Restore Points
.
RP94: 8/1/2011 12:00:14 AM - Scheduled Checkpoint
RP95: 8/2/2011 11:08:39 AM - Scheduled Checkpoint
RP96: 8/3/2011 12:00:11 AM - Scheduled Checkpoint
RP97: 8/3/2011 2:27:37 PM - Scheduled Checkpoint
RP98: 8/5/2011 7:44:32 AM - Scheduled Checkpoint
RP99: 8/6/2011 12:00:08 AM - Scheduled Checkpoint
RP100: 8/7/2011 1:53:55 AM - Scheduled Checkpoint
RP101: 8/8/2011 12:13:09 AM - Scheduled Checkpoint
RP102: 8/9/2011 12:00:24 AM - Scheduled Checkpoint
RP103: 8/9/2011 6:47:34 PM - Scheduled Checkpoint
RP104: 8/11/2011 12:00:15 AM - Scheduled Checkpoint
RP105: 8/11/2011 3:17:00 AM - Installed ProxyCap
RP106: 8/12/2011 12:54:44 AM - Scheduled Checkpoint
RP107: 8/13/2011 1:17:17 AM - Scheduled Checkpoint
RP108: 8/13/2011 3:20:14 PM - Removed ProxyCap
RP109: 8/14/2011 7:09:40 AM - Windows Update
RP110: 8/17/2011 4:09:14 AM - Scheduled Checkpoint
RP111: 8/18/2011 3:08:08 PM - Scheduled Checkpoint
.
Installed Programs
.
µTorrent
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe Acrobat 8 Professional
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Community Help
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS5
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Bigasoft Total Video Converter 3.4.0.4188
Boilsoft Video Joiner 6.55
CCleaner
Crystal Reports for Visual Studio
Dotfuscator Software Services - Community Edition
ESET Online Scanner v3
Fast File Renamer 2.0
FileZilla Client 3.3.4.1
Game Booster
GameSpy Arcade
Google Chrome
Google Talk Plugin
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImTOO DVD Ripper Platinum 6
Internet Download Manager
Java Auto Updater
Java™ 6 Update 26
Kaspersky Internet Security 2012
Malwarebytes' Anti-Malware version 1.51.1.1800
MediaInfo 0.7.44
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft Halo
Microsoft Help Viewer 1.0
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 R2 attempting to start the service WSearch with arguments ' in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/14/2011 10:34:43 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error '1068' attempting to start the service netprofm with arguments ' in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
8/14/2011 10:34:43 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error '1068' attempting to start the service netman with arguments ' in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
8/14/2011 10:34:43 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error '1068' attempting to start the service fdPHost with arguments ' in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
8/14/2011 10:34:42 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error '1084' attempting to start the service EventSystem with arguments ' in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/14/2011 10:34:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error '1084' attempting to start the service ShellHWDetection with arguments ' in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/12/2011 9:44:29 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.90.96.2 for the Network Card with network address 00FF74E8F9B9 has been denied by the DHCP server 10.95.95.254 (The DHCP Server sent a DHCPNACK message).
8/12/2011 4:11:39 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.95.88.7 for the Network Card with network address 00FF74E8F9B9 has been denied by the DHCP server 10.93.15.254 (The DHCP Server sent a DHCPNACK message).
.
End Of File
Gmer log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-19 08:49:23
Windows 6.0.6002 Service Pack 2 Harddisk0DR0 -> DeviceIdeIdeDeviceP2T0L0-4 WDC_WD5000BEVT-00A0RT0 rev.01.01A01
Running: gmer.exe; Driver: C:UsersHELLRA~1AppDataLocalTempuxldapow.sys
---- System - GMER 1.0.15 ----
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x8BD3928A]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x8BD53342]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcCreatePort [0x8BD53678]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcSendWaitReceivePort [0x8BD539EE]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x8BD39D04]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x8BD5302A]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateEvent [0x8BD3A276]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateMutant [0x8BD3A164]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreatePort [0x8BD534E8]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSection [0x8BD39046]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSemaphore [0x8BD3A38E]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThread [0x8BD398BA]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateWaitablePort [0x8BD535B0]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDebugActiveProcess [0x8BD3A74E]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0x8BD39D46]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDuplicateObject [0x8BD3B750]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwLoadDriver [0x8BD3A840]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwMapViewOfSection [0x8BD3ADAC]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwNotifyChangeKey [0x8BD51840]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenEvent [0x8BD3A308]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenMutant [0x8BD3A1F0]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenProcess [0x8BD394C4]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSection [0x8BD3AB90]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSemaphore [0x8BD3A420]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenThread [0x8BD393B8]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryDirectoryObject [0x8BD3A55C]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryObject [0x8BD51A38]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQuerySection [0x8BD3B0D2]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueueApcThread [0x8BD3A9E0]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyPort [0x8BD537DC]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0x8BD5372A]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0x8BD53848]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwResumeThread [0x8BD3B5F2]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x8BD531B2]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetContextThread [0x8BD39BA4]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSystemInformation [0x8BD3B222]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendProcess [0x8BD3B316]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendThread [0x8BD3B450]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSystemDebugControl [0x8BD3A670]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateProcess [0x8BD39664]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateThread [0x8BD395BA]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0x8BD3AF8A]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0x8BD39750]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThreadEx [0x8BD39A2A]
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateUserProcess [0x8BD3A4A6]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 119 818AC85C 4 Bytes [8A, 92, D3, 8B]
.text ntkrnlpa.exe!KeSetEvent + 13D 818AC880 8 Bytes [42, 33, D5, 8B, 78, 36, D5, ...] {INC EDX; XOR EDX, EBP; MOV EDI, [EAX+0x36]; AAD 0x8b}
.text ntkrnlpa.exe!KeSetEvent + 181 818AC8C4 4 Bytes [EE, 39, D5, 8B]
.text ntkrnlpa.exe!KeSetEvent + 1A9 818AC8EC 4 Bytes [04, 9D, D3, 8B]
.text ntkrnlpa.exe!KeSetEvent + 1C1 818AC904 4 Bytes [2A, 30, D5, 8B] {SUB DH, [EAX]; AAD 0x8b}
.text ...
? System32driversunlhv.sys The system cannot find the path specified. !
? C:UsersHELLRA~1AppDataLocalTempmbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:Program FilesMozilla Firefoxfirefox.exe[4424] ntdll.dll!LdrLoadDll 770A9390 5 Bytes JMP 012213F0 C:Program FilesMozilla Firefoxfirefox.exe (Firefox/Mozilla Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice Drivertdx DeviceTcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice Drivervolmgr DeviceHarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice Drivervolmgr DeviceHarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice Drivertdx DeviceUdp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice Drivertdx DeviceRawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
---- Processes - GMER 1.0.15 ----
Library C:Program (*** hidden *** ) @ C:Program FilesMozilla Firefoxfirefox.exe [4424] 0x6AC20000
---- Services - GMER 1.0.15 ----
Service C:WindowsSystem32alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLMSYSTEMCurrentControlSetServicesBTHPORTParametersKeys001e37a50373
Reg HKLMSYSTEMCurrentControlSetServicesBTHPORTParametersKeys001e37a50373@001baf87ee17 0xE9 0x33 0xEF 0x68 ...
Reg HKLMSYSTEMControlSet003ServicesBTHPORTParametersKeys001e37a50373 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicesBTHPORTParametersKeys001e37a50373@001baf87ee17 0xE9 0x33 0xEF 0x68 ...
Reg HKCUSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved{54683434-A8B8-177C-A58C-15A3B4629C31}
Reg HKCUSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved{54683434-A8B8-177C-A58C-15A3B4629C31}@oaagmdjjfkcnjokbggajnbageobdmk 0x69 0x61 0x6C 0x63 ...
Reg HKCUSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved{54683434-A8B8-177C-A58C-15A3B4629C31}@pakfcgkejfioibodciiikkbgepcifogd 0x69 0x61 0x6C 0x63 ...
---- EOF - GMER 1.0.15 ----
Thanks!
I have been instructed by Broni to post in this forum because Broni has been helping me to get rid of the Backdoor.Bot but it wasn't possible. So here I am...
SSDT SystemRootsystem32DRIVERSklif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateUserProcess [0x8BD3A4A6]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 119 818AC85C 4 Bytes [8A, 92, D3, 8B]
.text ntkrnlpa.exe!KeSetEvent + 13D 818AC880 8 Bytes [42, 33, D5, 8B, 78, 36, D5, ...] {INC EDX; XOR EDX, EBP; MOV EDI, [EAX+0x36]; AAD 0x8b}
.text ntkrnlpa.exe!KeSetEvent + 181 818AC8C4 4 Bytes [EE, 39, D5, 8B]
.text ntkrnlpa.exe!KeSetEvent + 1A9 818AC8EC 4 Bytes [04, 9D, D3, 8B]
.text ntkrnlpa.exe!KeSetEvent + 1C1 818AC904 4 Bytes [2A, 30, D5, 8B] {SUB DH, [EAX]; AAD 0x8b}
.text ...
? System32driversunlhv.sys The system cannot find the path specified. !
? C:UsersHELLRA~1AppDataLocalTempmbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:Program FilesMozilla Firefoxfirefox.exe[4424] ntdll.dll!LdrLoadDll 770A9390 5 Bytes JMP 012213F0 C:Program FilesMozilla Firefoxfirefox.exe (Firefox/Mozilla Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice Drivertdx DeviceTcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice Drivervolmgr DeviceHarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice Drivervolmgr DeviceHarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice Drivertdx DeviceUdp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice Drivertdx DeviceRawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
---- Processes - GMER 1.0.15 ----
Library C:Program (*** hidden *** ) @ C:Program FilesMozilla Firefoxfirefox.exe [4424] 0x6AC20000
---- Services - GMER 1.0.15 ----
Service C:WindowsSystem32alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLMSYSTEMCurrentControlSetServicesBTHPORTParametersKeys001e37a50373
Reg HKLMSYSTEMCurrentControlSetServicesBTHPORTParametersKeys001e37a50373@001baf87ee17 0xE9 0x33 0xEF 0x68 ...
Reg HKLMSYSTEMControlSet003ServicesBTHPORTParametersKeys001e37a50373 (not active ControlSet)
Reg HKLMSYSTEMControlSet003ServicesBTHPORTParametersKeys001e37a50373@001baf87ee17 0xE9 0x33 0xEF 0x68 ...
Reg HKCUSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved{54683434-A8B8-177C-A58C-15A3B4629C31}
Reg HKCUSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved{54683434-A8B8-177C-A58C-15A3B4629C31}@oaagmdjjfkcnjokbggajnbageobdmk 0x69 0x61 0x6C 0x63 ...
Reg HKCUSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved{54683434-A8B8-177C-A58C-15A3B4629C31}@pakfcgkejfioibodciiikkbgepcifogd 0x69 0x61 0x6C 0x63 ...
---- EOF - GMER 1.0.15 ----
Thanks!