about 5 rootkits in c:\winnt


31 replies to this topic

#1 salguy

Posted 19 December 2008 - 08:06 PM

It would be great if somebody had the time to look at this. Thank you very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:19 PM, on 12/19/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1218755882\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189088665447
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AutoShutdown - Dell Computer Corporation - C:\WINNT\System32\PSSVC.EXE
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe
O24 - Desktop Component 1: MSNBC Weather - HTTP://www.msnbc.com/modules/weather/ie4weather.htm
O24 - Desktop Component 2: J-Track: Satellite Tracking - http://liftoff.msfc.nasa.gov/RealTime/JTrack/Desktop.html

--
End of file - 6097 bytes

#2 salguy

Posted 21 December 2008 - 12:44 PM

Hi again. I guess no reply answers my question... the computer is roadkill. I tried again to download RSIT.exe but it won't allow me to save to the desktop. I found where it downloaded it and I tried to download it, but it won't download. It just stops.
When I try to boot up in regular mode it goes in circles: it starts Dell OptiPlex GX110, then Windows 2000 Professional, then back to Dell. So I can start in safe mode, but it takes a while. It disabled avast. I tried to download AVG and it gets to the end of the download, and it stops. I ran avast and it found the 5 rootkits but won't delete them. I know where it came from. My brother downloaded SUPERAntiSpyware from somewhere and ran it while I was going to pick up pizza. That was the last time it started in regular mode. If you would just tell me what I guess I already know, I will dump it. Thank you, merry Xmas.

#3 salguy

Posted 21 December 2008 - 01:40 PM

I tried RSIT two more times and got this.
Thank you.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Joseph roehm at 2008-12-21 13:17:47
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 3 GB (43%) free of 7 GB
Total RAM: 318 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:48 PM, on 12/21/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Joseph roehm\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Joseph roehm.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1218755882\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189088665447
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AutoShutdown - Dell Computer Corporation - C:\WINNT\System32\PSSVC.EXE
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe
O24 - Desktop Component 1: MSNBC Weather - HTTP://www.msnbc.com/modules/weather/ie4weather.htm
O24 - Desktop Component 2: J-Track: Satellite Tracking - http://liftoff.msfc.nasa.gov/RealTime/JTrack/Desktop.html

--
End of file - 6107 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\{B460C719-6155-44AA-85CD-BED0F2B239FD}_BABY_Joseph roehm.job
C:\WINNT\tasks\{8124E7B4-7614-4323-AF08-4CACAB8ADE66}_BABY_Joseph roehm.job
C:\WINNT\tasks\Disk Cleanup.job
C:\WINNT\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINNT\system32\msdxm.ocx [2005-03-31 844560]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"TCASUTIEXE"=TCAUDIAG -off []
"PrinTray"=C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe []
"NeroCheck"=C:\WINNT\system32\\NeroCheck.exe [2001-07-09 155648]
"DeviceDiscovery"=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-05-21 229437]
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2005-02-16 49152]
"HP Component Manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2003-10-23 233472]
"HPDJ Taskbar Utility"=C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe [2003-07-28 188416]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-09-01 282624]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-03-13 919016]
"Device Detector"=C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe [2004-09-02 221184]
"HostManager"=C:\Program Files\Common Files\AOL\1218755882\ee\AOLSoftware.exe [2006-09-25 50736]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-11-26 81000]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-12-03 399504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe []
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nwprovau]
C:\WINNT\system32\nwprovau.dll [2006-09-01 140048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-12-21 11:23:15 ----D---- C:\rsit
2008-12-20 14:15:17 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-20 11:45:48 ----A---- C:\WINNT\ntbtlog.txt
2008-12-19 19:19:32 ----D---- C:\Program Files\CCleaner
2008-12-19 18:33:12 ----D---- C:\Program Files\Trend Micro
2008-12-18 10:01:53 ----A---- C:\WINNT\system32\aswBoot.exe
2008-12-16 12:32:23 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-16 12:32:23 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-12 12:46:28 ----D---- C:\Program Files\SUPERAntiSpyware
2008-12-12 11:33:47 ----D---- C:\Documents and Settings\Joseph roehm\Application Data\Malwarebytes
2008-12-12 11:33:35 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-12 09:28:10 ----D---- C:\Program Files\ACD Systems
2008-12-11 09:38:21 ----D---- C:\Program Files\Lavasoft
2008-12-11 09:37:27 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-04 11:21:40 ----D---- C:\FOUND.006
2008-12-04 11:05:30 ----D---- C:\FOUND.005

======List of files/folders modified in the last 1 months======

2008-12-21 10:58:52 ----A---- C:\WINNT\win.ini
2008-12-09 18:24:38 ----A---- C:\WINNT\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINNT\system32\drivers\AFS2K.sys [2006-05-04 43672]
R1 aswTdi;avast! Network Shield Support; C:\WINNT\system32\drivers\aswTdi.sys [2008-11-26 50864]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2006-10-04 2432]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2006-10-04 2560]
R1 vsdatant;vsdatant; C:\WINNT\System32\vsdatant.sys [2008-03-13 394952]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver; C:\WINNT\System32\DRIVERS\el90xbc5.sys [1999-10-23 61712]
R3 pfc;Padus ASPI Shell; C:\WINNT\system32\drivers\pfc.sys [2008-08-07 9856]
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbehci.sys [2003-06-19 19728]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-19 40176]
R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]
R3 wanatw;WAN Miniport (ATW); C:\WINNT\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINNT\system32\drivers\Aavmker4.sys [2008-11-26 26944]
S1 aswSP;avast! Self Protection; C:\WINNT\system32\drivers\aswSP.sys [2008-11-26 111184]
S1 BANTExt;Belarc SMBios Access; C:\WINNT\System32\Drivers\BANTExt.sys [2008-02-27 3840]
S1 cmosa;cmosa; C:\WINNT\system32\drivers\cmosa.sys [2000-01-28 23808]
S1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
S2 ASCTRM;ASCTRM; C:\WINNT\system32\drivers\ASCTRM.sys [2007-05-10 8552]
S2 aswFsBlk;aswFsBlk; C:\WINNT\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
S2 aswMon;avast! Standard Shield Support; C:\WINNT\system32\drivers\aswMon.sys [2008-11-26 93296]
S2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINNT\System32\DRIVERS\nwlnkipx.sys [2003-06-19 91408]
S2 NwlnkNb;NWLink NetBIOS; C:\WINNT\System32\DRIVERS\nwlnknb.sys [2003-06-19 65520]
S2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINNT\System32\DRIVERS\nwlnkspx.sys [1999-12-07 58480]
S2 TCAITDI;TCAITDI Protocol; C:\WINNT\System32\DRIVERS\TCAITDI.sys [2000-03-06 20720]
S3 aswRdr;aswRdr; C:\WINNT\system32\drivers\aswRdr.sys [2008-11-26 23152]
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\Common Files\AOL\ACS\ATWPKT2.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 i81x;i81x; C:\WINNT\System32\DRIVERS\i81xnt5.sys [2003-06-19 68336]
S3 ichaud;Service for AC'97 Driver (WDM); C:\WINNT\system32\drivers\ichaud.sys [1999-10-22 32592]
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2004-07-09 15104]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\system32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 NWRDR;NetWare Rdr; C:\WINNT\System32\DRIVERS\nwrdr.sys [2006-08-31 161520]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 tcaicchg;tcaicchg; \??\C:\WINNT\System32\tcaicchg.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\system32\DRIVERS\usbprint.sys [2003-06-19 21872]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\system32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S3 Winacpci;Winacpci; C:\WINNT\System32\DRIVERS\winacpci.sys [2000-01-21 880028]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]
S4 BsUDF;InCD UDF Driver; C:\WINNT\system32\drivers\BsUDF.sys [2003-02-12 320437]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 vsmon;TrueVector Internet Monitor; C:\WINNT\system32\ZONELABS\vsmon.exe [2008-03-13 75304]
S2 AOL ACS;AOL Connectivity Service; C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe [2004-04-21 1434848]
S2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-11-26 18752]
S2 AutoShutdown;AutoShutdown; C:\WINNT\System32\PSSVC.EXE [1999-04-28 36864]
S2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-11-26 155160]
S2 dmisrv;dmisrv; C:\DMI\bin\dmisrv.exe [1999-06-08 45056]
S2 hpdj;hpdj; C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\hpdj.exe -servicerunning=true -uninstall=hp deskjet 5100 series -product= []
S2 LexBceS;LexBce Server; C:\WINNT\system32\LEXBCES.EXE [2000-08-16 278016]
S2 NWCWorkstation;Client Service for NetWare; C:\WINNT\System32\services.exe [2005-04-08 92944]
S2 WANMiniportService;WAN Miniport (ATW) Service; C:\WINNT\wanmpsvc.exe [2003-08-27 65536]
S2 Win32sl;Win32sl; C:\DMI\bin\win32sl.exe [1999-01-19 249344]
S2 WMDM PMSP Service;WMDM PMSP Service; C:\WINNT\system32\mspmspsv.exe [2000-06-26 53520]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-11-26 254040]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-11-26 352920]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []
S3 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\System32\svchost.exe [1999-12-07 7952]

-----------------EOF-----------------
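What a reviewer does with logs like the two above is scan the autostart and service entries for the handful of properties that make an entry worth a second look. The following Python script is an added example for this page: it is not part of HijackThis, RSIT or any post in this thread, and its line formats are inferred from the log lines shown above (the flag wording is the example's own). It parses HijackThis O4 Run-key and O23 service lines and RSIT driver/service lines, and flags an image that HijackThis reports as missing, a service with no recorded vendor, an image under a Temp or user-profile directory, an RSIT entry with no file date/size, and a Run entry that names a bare executable resolved by PATH search at logon. The sample input is copied from the logs posted above.

```python
"""Triage of autostart/service entries in HijackThis and RSIT log lines.

Added example for this thread: not part of HijackThis, RSIT or any post.
Line formats are inferred from the logs posted above; the flag wording is
this example's own. A flag is a prompt to look closer, not a verdict.
"""
from __future__ import annotations
import re

# HijackThis O23: "O23 - Service: <display> (<short>) - <owner> - <image>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# HijackThis O4 Run-key entries: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
# RSIT driver/service lines: "<R|S><start> <short>;<desc>; <command line> [<date size>]"
# RSIT prints an empty "[]" when it found no file date/size for the image.
RSIT_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<short>[^;]+);(?P<desc>[^;]*); "
    r"(?P<cmd>.+?) \[(?P<meta>[^\]]*)\]$"
)
# Leading image path of a command line, minus the NT "\??\" prefix and any arguments.
IMAGE_RE = re.compile(r"^(?:\\\?\?\\)?(?P<image>.+?\.(?:exe|sys|dll|ocx|cmd))", re.I)
# Directories a service or driver image should not normally live in.
PROFILE_DIRS = re.compile(r"\\(temp|docume~1|documents and settings)\\", re.I)


def image_from(cmd: str) -> str:
    """Return the image path from a command line, or the raw text if none is found."""
    m = IMAGE_RE.match(cmd.strip().strip('"'))
    return m.group("image") if m else cmd.strip()


def path_flags(image: str) -> list[str]:
    """Flags that depend only on where the image lives."""
    flags = []
    if PROFILE_DIRS.search(image):
        flags.append("runs from Temp/user profile")
    if "\\" not in image and "/" not in image:
        flags.append("bare image name, resolved by PATH search at logon")
    return flags


def triage_line(line: str) -> dict | None:
    """Parse one log line; returns kind/name/image/flags, or None if unrecognised."""
    line = line.rstrip()
    if m := O23_RE.match(line):
        image = image_from(m["image"])
        flags = path_flags(image)
        if m["missing"]:
            flags.append("file missing")
        if m["owner"].strip().lower() == "unknown owner":
            flags.append("no vendor recorded for service")
        return {"kind": "service", "name": m["name"], "image": image, "flags": flags}
    if m := O4_RE.match(line):
        image = image_from(m["cmd"])
        return {"kind": "run", "name": m["value"], "image": image, "flags": path_flags(image)}
    if m := RSIT_RE.match(line):
        image = image_from(m["cmd"])
        flags = path_flags(image)
        if not m["meta"].strip():
            flags.append("RSIT found no file date/size for the image")
        return {"kind": "rsit", "name": m["short"], "image": image, "flags": flags}
    return None


def triage(lines) -> list[dict]:
    """Recognised entries that earned at least one flag, in log order."""
    hits = []
    for line in lines:
        entry = triage_line(line)
        if entry and entry["flags"]:
            hits.append(entry)
    return hits


# Sample input: lines copied from the HijackThis and RSIT logs posted above.
SAMPLE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
R1 aswTdi;avast! Network Shield Support; C:\WINNT\system32\drivers\aswTdi.sys [2008-11-26 50864]
S1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S2 hpdj;hpdj; C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\hpdj.exe -servicerunning=true -uninstall=hp deskjet 5100 series -product= []
""".strip().splitlines()

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(f"{hit['kind']:8}{hit['name']:32}{hit['image']}")
        print(f"{'':8}-> {', '.join(hit['flags'])}")
```

A flag is a reason to check an entry, not a verdict. The hpdj service trips three of them, but the command line RSIT recorded for it (`-uninstall=hp deskjet 5100 series`) is visible in the log above and is consistent with an HP Deskjet setup helper whose temporary image has since been deleted. To run it over a whole saved log, call `triage(open(path).read().splitlines())` and compare each flagged image against the vendor's expected install path before acting on anything.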

#4 salguy

Posted 26 December 2008 - 08:54 PM

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: 12/26/2008 11:45:31 AM (9 hours ago)
Processor: Intel Pentium III processor | | 731/mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 7 GiB total, 3.019 GiB free.
D: is CDROM ()
E: is FIXED (FAT) - 0 GiB total, 0 GiB free.
F: is FIXED (NTFS) - 12 GiB total, 3.503 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

3Com NIC Diagnostics
ACDSee for PENTAX 2.0
Ad-Aware
Ad-aware 6 Personal
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Download Manager (Remove Only)
Adobe Flash Player ActiveX
Ahead InCD
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
Apple Software Update
avast! Antivirus
Belarc Advisor 6.1
Belarc Advisor 7.2
BizPlanBuilder
CCleaner (remove only)
Dell Documents
Dell OpenManage Client Instrumentation
Dell ResourceCD
GdiplusUpgrade
HijackThis 2.0.2
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
hp deskjet 5100
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
HP Software Update
HP Update
ImageMixer
Internet Explorer Q903235
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Hotfix (KB947742)
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Small Business
Microsoft Office Sounds
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Microsoft XML Parser and SDK
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
OnDVD
Picasa 2
PowerDVD
QuickTime
RealPlayer Basic
Security Update for CAPICOM (KB931906)
Security Update for DirectX 9 (KB941568)
Security Update for DirectX 9 (KB951698)
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows 2000 (KB941569)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 6.4 (KB954600)
Security Update for Windows Media Player 7.1 (KB911565)
Security Update for Windows Media Player 7.1 (KB917734)
Security Update for Windows Media Player 7.1 (KB936782)
Security Update for Windows Media Player 9 (KB936782)
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Uninstall AOL Emergency Connect Utility 1.0
Update Rollup 1 for Windows 2000 SP4
Viewpoint Media Player
WebFldrs
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912812
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB918439
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921503
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB922760
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923810
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931768
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB932168
Windows 2000 Hotfix - KB933566
Windows 2000 Hotfix - KB933729
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB936021
Windows 2000 Hotfix - KB937143
Windows 2000 Hotfix - KB937894
Windows 2000 Hotfix - KB938127
Windows 2000 Hotfix - KB938464
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB938829
Windows 2000 Hotfix - KB939653
Windows 2000 Hotfix - KB941202
Windows 2000 Hotfix - KB941644
Windows 2000 Hotfix - KB941693
Windows 2000 Hotfix - KB942615
Windows 2000 Hotfix - KB943055
Windows 2000 Hotfix - KB943485
Windows 2000 Hotfix - KB944338
Windows 2000 Hotfix - KB944533
Windows 2000 Hotfix - KB945553
Windows 2000 Hotfix - KB947864
Windows 2000 Hotfix - KB948590
Windows 2000 Hotfix - KB948881
Windows 2000 Hotfix - KB950749
Windows 2000 Hotfix - KB950759
Windows 2000 Hotfix - KB950760
Windows 2000 Hotfix - KB950974
Windows 2000 Hotfix - KB951066
Windows 2000 Hotfix - KB951748
Windows 2000 Hotfix - KB952954
Windows 2000 Hotfix - KB953838
Windows 2000 Hotfix - KB953839
Windows 2000 Hotfix - KB954211
Windows 2000 Hotfix - KB955069
Windows 2000 Hotfix - KB956390
Windows 2000 Hotfix - KB956391
Windows 2000 Hotfix - KB956802
Windows 2000 Hotfix - KB957095
Windows 2000 Hotfix - KB957097
Windows 2000 Hotfix - KB958215
Windows 2000 Hotfix - KB958644
Windows 2000 Hotfix (SP5) Q818043
Windows 2000 Service Pack 4
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See wm828026 for more information]
Windows Media Player system update (9 Series)
ZoneAlarm
ZoneAlarm Spy Blocker

==== End Of File ===========================
DDS (Version 1.1.0) - FAT32x86 NETWORK
Run by Joseph roehm at 20:39:53.01 on Fri 12/26/2008
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.318.190 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\logagent.exe
C:\Program Files\Windows Media Player\logagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joseph roehm\Desktop\dds.scr
C:\WINNT\System32\WBEM\WinMgmt.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [TCASUTIEXE] TCAUDIAG -off
mRun: [PrinTray] c:\winnt\system32\spool\drivers\w32x86\2\printray.exe
mRun: [NeroCheck] c:\winnt\system32\\NeroCheck.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\winnt\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Device Detector] "c:\program files\common files\acd systems\en\DevDetect.exe" -autorun
mRun: [HostManager] c:\program files\common files\aol\1218755882\ee\AOLSoftware.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: nwprovau - nwprovau.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 PowerSwitch;PowerSwitch;c:\winnt\system32\drivers\psdvr.sys [1999-4-28 4808]
R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2007-11-1 394952]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service []
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2000-7-5 61712]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-8-20 49776]
S1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-12-18 111184]
S1 cmosa;cmosa;c:\winnt\system32\drivers\cmosa.sys [2000-7-5 23808]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
S2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2008-12-18 20560]
S2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswMon.sys [2008-12-18 93296]
S2 AutoShutdown;AutoShutdown;c:\winnt\system32\PSSVC.EXE [1999-4-28 36864]
S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-12-18 155160]
S2 TCAITDI;TCAITDI Protocol;c:\winnt\system32\drivers\TCAITDI.sys [1980-1-1 20720]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2008-12-18 254040]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2008-12-18 352920]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 tcaicchg;tcaicchg;\??\c:\winnt\system32\tcaicchg.sys [1980-1-1 10449]
S3 Winacpci;Winacpci;c:\winnt\system32\drivers\winacpci.sys [1980-1-1 880028]
S4 BsUDF;InCD UDF Driver;c:\winnt\system32\drivers\BsUDF.sys [2003-11-1 320437]

=============== Created Last 30 ================

2008-12-26 20:39 16,384 a------- c:\winnt\system32\Perflib_Perfdata_310.dat
2008-12-25 16:57 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2008-12-25 16:57 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2008-12-25 16:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-25 15:59 365 a------- c:\winnt\gmer.ini
2008-12-25 14:06 <DIR> --d----- c:\program files\Belarc
2008-12-21 11:23 16,384 a------- c:\winnt\system32\Perflib_Perfdata_38c.dat
2008-12-21 10:57 1,409 a------- c:\winnt\QTFont.for
2008-12-21 10:57 54,156 a---h--- c:\winnt\QTFont.qfn
2008-12-19 19:19 <DIR> --d----- c:\program files\CCleaner
2008-12-19 18:33 <DIR> --d----- c:\program files\Trend Micro
2008-12-16 12:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-16 12:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-12 12:46 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-12 11:33 <DIR> --d----- c:\docume~1\joseph~1\applic~1\Malwarebytes
2008-12-12 11:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-12 09:48 16,384 a------- c:\winnt\system32\Perflib_Perfdata_268.dat
2008-12-12 09:28 <DIR> --d----- c:\program files\ACD Systems
2008-12-12 09:12 16,384 a------- c:\winnt\system32\Perflib_Perfdata_328.dat
2008-12-11 09:38 <DIR> --d----- c:\program files\Lavasoft
2008-12-11 09:37 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-05 13:52 16,384 a------- c:\winnt\system32\Perflib_Perfdata_2f4.dat
2008-12-04 12:44 16,384 a------- c:\winnt\system32\Perflib_Perfdata_31c.dat
2008-12-04 11:21 <DIR> --d----- C:\FOUND.006
2008-12-04 11:05 <DIR> --d----- C:\FOUND.005
2008-11-28 09:18 <DIR> --d----- c:\documents and settings\joseph roehm\DoctorWeb

==================== Find3M ====================

2008-11-07 18:32 2,109,440 -------- c:\winnt\system32\dllcache\WMVCore.dll
2008-11-06 09:21 16,384 a------- c:\winnt\system32\Perflib_Perfdata_25c.dat
2008-10-24 09:16 16,384 a------- c:\winnt\system32\Perflib_Perfdata_320.dat
2008-10-23 08:50 16,384 a------- c:\winnt\system32\Perflib_Perfdata_324.dat
2008-10-23 00:27 237,840 a------- c:\winnt\system32\GDI32.DLL
2008-10-23 00:27 237,840 a------- c:\winnt\system32\dllcache\GDI32.DLL
2008-10-17 13:41 310,032 -------- c:\winnt\system32\dllcache\NETAPI32.DLL
2008-10-16 14:13 1,809,944 a------- c:\winnt\system32\dllcache\wuaueng.dll
2008-10-16 14:09 92,696 a------- c:\winnt\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\winnt\system32\dllcache\wuauclt.exe
2008-10-16 14:06 268,648 a------- c:\winnt\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\winnt\system32\muweb.dll
2008-10-15 14:12 132,096 a------- c:\winnt\system32\dllcache\MSRATING.DLL
2008-10-15 14:12 143,360 a------- c:\winnt\system32\dllcache\CDFVIEW.DLL
2008-10-15 14:12 1,018,368 a------- c:\winnt\system32\dllcache\BROWSEUI.DLL
2008-10-15 14:12 1,340,416 a------- c:\winnt\system32\dllcache\SHDOCVW.DLL
2008-10-15 14:11 402,944 a------- c:\winnt\system32\dllcache\SHLWAPI.DLL
2008-10-15 13:53 575,488 a------- c:\winnt\system32\WININET.DLL
2008-10-15 13:53 575,488 a------- c:\winnt\system32\dllcache\WININET.DLL
2008-10-15 13:53 462,336 a------- c:\winnt\system32\dllcache\URLMON.DLL
2008-10-15 13:53 12,288 a------- c:\winnt\system32\dllcache\JSPROXY.DLL
2008-10-15 13:53 69,632 a------- c:\winnt\system32\dllcache\INSENG.DLL
2008-10-15 13:53 2,706,432 a------- c:\winnt\system32\dllcache\MSHTML.DLL
2008-10-15 13:52 236,032 a------- c:\winnt\system32\dllcache\IEPEERS.DLL
2008-10-15 13:52 34,816 a------- c:\winnt\system32\dllcache\PNGFILT.DLL
2008-10-15 13:52 351,744 a------- c:\winnt\system32\dllcache\DXTMSFT.DLL
2008-10-15 13:52 192,512 a------- c:\winnt\system32\dllcache\DXTRANS.DLL
2008-10-15 13:52 498,176 a------- c:\winnt\system32\dllcache\MSTIME.DLL
2008-10-09 11:53 16,384 a------- c:\winnt\system32\Perflib_Perfdata_28c.dat
2008-09-30 16:43 1,286,152 a------- c:\winnt\system32\msxml4.dll
2000-07-05 10:37 21,952 ----h--- c:\program files\folder.htt
2000-07-05 10:37 271 ----h--- c:\program files\desktop.ini
1999-12-07 12:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 20:40:27.40 ===============

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,949 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:06 AM

Posted 27 December 2008 - 07:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 salguy

salguy
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 27 December 2008 - 09:28 PM

Hello Blossom, I hope you had a great holiday. Thank you for your reply. I have been trying some scans. I know it is useless, but I just thought I would try something. It won't start in regular mode. It goes in circles until it makes itself dizzy. There is a flash of a blue screen in the circle that makes it start all over. No need for me to disable AVG or Avast or Ad-Aware; this thing has disabled everything but ZoneAlarm. I downloaded AVG and tried to start it, but no way. I don't know what else to tell you except I am a computer dummy. I have been trying to figure out how to zip attach.txt. I hope you get it. Thanks again.

DDS (Version 1.1.0) - FAT32x86 NETWORK
Run by Joseph roehm at 20:20:42.08 on Sat 12/27/2008
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.318.208 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\Common Files\AOL\1218755882\ee\aolsoftware.exe
C:\Documents and Settings\Joseph roehm\Desktop\dds.scr
C:\WINNT\System32\WBEM\WinMgmt.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://smbusiness.dellnet.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [TCASUTIEXE] TCAUDIAG -off
mRun: [PrinTray] c:\winnt\system32\spool\drivers\w32x86\2\printray.exe
mRun: [NeroCheck] c:\winnt\system32\\NeroCheck.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\winnt\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Device Detector] "c:\program files\common files\acd systems\en\DevDetect.exe" -autorun
mRun: [HostManager] c:\program files\common files\aol\1218755882\ee\AOLSoftware.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: nwprovau - nwprovau.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 PowerSwitch;PowerSwitch;c:\winnt\system32\drivers\psdvr.sys [1999-4-28 4808]
R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2007-11-1 394952]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service []
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2000-7-5 61712]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-8-20 49776]
S1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-12-18 111184]
S1 cmosa;cmosa;c:\winnt\system32\drivers\cmosa.sys [2000-7-5 23808]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
S2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2008-12-18 20560]
S2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswMon.sys [2008-12-18 93296]
S2 AutoShutdown;AutoShutdown;c:\winnt\system32\PSSVC.EXE [1999-4-28 36864]
S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-12-18 155160]
S2 TCAITDI;TCAITDI Protocol;c:\winnt\system32\drivers\TCAITDI.sys [1980-1-1 20720]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2008-12-18 254040]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2008-12-18 352920]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 tcaicchg;tcaicchg;\??\c:\winnt\system32\tcaicchg.sys [1980-1-1 10449]
S3 Winacpci;Winacpci;c:\winnt\system32\drivers\winacpci.sys [1980-1-1 880028]
S4 BsUDF;InCD UDF Driver;c:\winnt\system32\drivers\BsUDF.sys [2003-11-1 320437]

=============== Created Last 30 ================

2008-12-27 20:20 16,384 a------- c:\winnt\system32\Perflib_Perfdata_378.dat
2008-12-25 16:57 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2008-12-25 16:57 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2008-12-25 16:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-25 15:59 365 a------- c:\winnt\gmer.ini
2008-12-25 14:06 <DIR> --d----- c:\program files\Belarc
2008-12-21 11:23 16,384 a------- c:\winnt\system32\Perflib_Perfdata_38c.dat
2008-12-21 10:57 1,409 a------- c:\winnt\QTFont.for
2008-12-21 10:57 54,156 a---h--- c:\winnt\QTFont.qfn
2008-12-19 19:19 <DIR> --d----- c:\program files\CCleaner
2008-12-19 18:33 <DIR> --d----- c:\program files\Trend Micro
2008-12-16 12:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-16 12:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-12 12:46 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-12 11:33 <DIR> --d----- c:\docume~1\joseph~1\applic~1\Malwarebytes
2008-12-12 11:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-12 09:48 16,384 a------- c:\winnt\system32\Perflib_Perfdata_268.dat
2008-12-12 09:28 <DIR> --d----- c:\program files\ACD Systems
2008-12-12 09:12 16,384 a------- c:\winnt\system32\Perflib_Perfdata_328.dat
2008-12-11 09:38 <DIR> --d----- c:\program files\Lavasoft
2008-12-11 09:37 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-05 13:52 16,384 a------- c:\winnt\system32\Perflib_Perfdata_2f4.dat
2008-12-04 12:44 16,384 a------- c:\winnt\system32\Perflib_Perfdata_31c.dat
2008-12-04 11:21 <DIR> --d----- C:\FOUND.006
2008-12-04 11:05 <DIR> --d----- C:\FOUND.005
2008-11-28 09:18 <DIR> --d----- c:\documents and settings\joseph roehm\DoctorWeb

==================== Find3M ====================

2008-11-07 18:32 2,109,440 -------- c:\winnt\system32\dllcache\WMVCore.dll
2008-11-06 09:21 16,384 a------- c:\winnt\system32\Perflib_Perfdata_25c.dat
2008-10-24 09:16 16,384 a------- c:\winnt\system32\Perflib_Perfdata_320.dat
2008-10-23 08:50 16,384 a------- c:\winnt\system32\Perflib_Perfdata_324.dat
2008-10-23 00:27 237,840 a------- c:\winnt\system32\GDI32.DLL
2008-10-23 00:27 237,840 a------- c:\winnt\system32\dllcache\GDI32.DLL
2008-10-17 13:41 310,032 -------- c:\winnt\system32\dllcache\NETAPI32.DLL
2008-10-16 14:13 1,809,944 a------- c:\winnt\system32\dllcache\wuaueng.dll
2008-10-16 14:09 92,696 a------- c:\winnt\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\winnt\system32\dllcache\wuauclt.exe
2008-10-16 14:06 268,648 a------- c:\winnt\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\winnt\system32\muweb.dll
2008-10-15 14:12 132,096 a------- c:\winnt\system32\dllcache\MSRATING.DLL
2008-10-15 14:12 143,360 a------- c:\winnt\system32\dllcache\CDFVIEW.DLL
2008-10-15 14:12 1,018,368 a------- c:\winnt\system32\dllcache\BROWSEUI.DLL
2008-10-15 14:12 1,340,416 a------- c:\winnt\system32\dllcache\SHDOCVW.DLL
2008-10-15 14:11 402,944 a------- c:\winnt\system32\dllcache\SHLWAPI.DLL
2008-10-15 13:53 575,488 a------- c:\winnt\system32\WININET.DLL
2008-10-15 13:53 575,488 a------- c:\winnt\system32\dllcache\WININET.DLL
2008-10-15 13:53 462,336 a------- c:\winnt\system32\dllcache\URLMON.DLL
2008-10-15 13:53 12,288 a------- c:\winnt\system32\dllcache\JSPROXY.DLL
2008-10-15 13:53 69,632 a------- c:\winnt\system32\dllcache\INSENG.DLL
2008-10-15 13:53 2,706,432 a------- c:\winnt\system32\dllcache\MSHTML.DLL
2008-10-15 13:52 236,032 a------- c:\winnt\system32\dllcache\IEPEERS.DLL
2008-10-15 13:52 34,816 a------- c:\winnt\system32\dllcache\PNGFILT.DLL
2008-10-15 13:52 351,744 a------- c:\winnt\system32\dllcache\DXTMSFT.DLL
2008-10-15 13:52 192,512 a------- c:\winnt\system32\dllcache\DXTRANS.DLL
2008-10-15 13:52 498,176 a------- c:\winnt\system32\dllcache\MSTIME.DLL
2008-10-09 11:53 16,384 a------- c:\winnt\system32\Perflib_Perfdata_28c.dat
2008-09-30 16:43 1,286,152 a------- c:\winnt\system32\msxml4.dll
2000-07-05 10:37 21,952 ----h--- c:\program files\folder.htt
2000-07-05 10:37 271 ----h--- c:\program files\desktop.ini
1999-12-07 12:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 20:21:22.45 ===============

Attached Files



#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:06 AM

Posted 30 December 2008 - 07:30 AM

Hello Salguy,

Since your logs don't show many abnormalities,
I'm guessing your abundance of security programs may be adding to the problem.
Let's start from scratch:

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following, if present:
  • Ad-Aware
  • Ad-aware 6 Personal
  • Ad-Aware SE Personal
  • Spybot - Search & Destroy
  • SUPERAntiSpyware Free Edition
  • Viewpoint Media Player
  • WebFldrs
  • ZoneAlarm
  • ZoneAlarm Spy Blocker

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\hpdj.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot your system, update MBAM and run a quick scan.
Please post the log in your next reply, as well as a fresh HijackThis log.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
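The entries Thunder asks to have fixed share a pattern that is easy to spot mechanically: the registry hook or service is still registered, but the file it points at is gone ("(file missing)"), or the service has no publisher and lives somewhere a service binary should not (a Temp directory). The helper below is an added example, not part of Thunder's post, HijackThis, or any tool named in this thread; it parses lines in the HijackThis v2 log format and lists the ones a helper would look at first. The sample input is constructed from lines that appear in the logs posted in this thread, and the reason codes (`file_missing`, `unknown_owner`, `temp_path`, `unknown_lsp`) are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input, adapted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O23 - Service: ..."  ->  section code "O23", body "Service: ..."
SECTION_RE = re.compile(r"^([ORFN]\d{1,2})\s+-\s+(.*)$")
# First drive-letter path that ends in a common executable/library extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cmd|scr))", re.IGNORECASE)


@dataclass
class Entry:
    section: str            # HijackThis section code, e.g. "O4", "O23"
    body: str               # everything after the "Oxx - " prefix
    path: Optional[str]     # first file path referenced by the entry, if any
    raw: str                # the original line, for reporting


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis log line into section code, body and referenced path."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None  # header line, "Running processes:" block, blank line, etc.
    section, body = m.group(1), m.group(2)
    p = PATH_RE.search(body)
    return Entry(section, body, p.group(1) if p else None, line.strip())


def assess(entry: Entry) -> List[str]:
    """Return reason codes (names chosen for this example) for entries worth a second look."""
    reasons = []
    body_l = entry.body.lower()
    if "(file missing)" in body_l:
        reasons.append("file_missing")      # orphaned hook or service: nothing left to run
    if entry.section == "O23" and "unknown owner" in body_l:
        reasons.append("unknown_owner")     # service binary carries no vendor information
    if entry.path and re.search(r"\\temp\\", entry.path, re.IGNORECASE):
        reasons.append("temp_path")         # services do not normally run from a Temp folder
    if entry.section == "O10" and "unknown file" in body_l:
        reasons.append("unknown_lsp")       # Winsock LSP not in HijackThis' known list
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse a whole log and keep only the entries that have at least one reason code."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section:4} {', '.join(f.reasons):40} {f.entry.raw[:72]}")
```

Run against the sample it reports the O2 BHO and both O23 services (the three lines Thunder lists) plus the O10 LSP. The O10 line illustrates why a reason code is a prompt for review rather than a verdict: "Unknown file" only means the DLL is not in HijackThis' list of recognised LSPs, and nwprovau.dll is the Windows NetWare client provider, which is consistent with the `Notify: nwprovau` and `LSA: Authentication Packages = msv1_0 nwprovau` lines in the DDS log above.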

#8 salguy

salguy
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 30 December 2008 - 10:07 AM

Hello Thunder, thank you for your reply. It is driving me nuts. I don't know how many starts I have left. It still won't start in regular mode; that blue screen is still causing it to go in circles. It takes about 6 or 7 shutdowns for safe mode to start, and safe mode takes a long time to get to the sign-in page. It says 'keyboard failure', but I have changed the keyboard and there is no change. I did not find WebFldrs. Ad-Aware and SUPERAntiSpyware Free Edition both will not go; a box comes up saying "The Windows Installer service could not be accessed". Thanks again for the reply.

Malwarebytes' Anti-Malware 1.31
Database version: 1577
Windows 5.0.2195 Service Pack 4

12/30/2008 9:50:32 AM
mbam-log-2008-12-30 (09-50-32).txt

Scan type: Quick Scan
Objects scanned: 46508
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:51 AM, on 12/30/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1218755882\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [ZoneAlarmSB Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189088665447
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AutoShutdown - Dell Computer Corporation - C:\WINNT\System32\PSSVC.EXE
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe
O24 - Desktop Component 1: MSNBC Weather - HTTP://www.msnbc.com/modules/weather/ie4weather.htm
O24 - Desktop Component 2: J-Track: Satellite Tracking - http://liftoff.msfc.nasa.gov/RealTime/JTrack/Desktop.html

--
End of file - 5094 bytes

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:06 AM

Posted 30 December 2008 - 11:01 AM

Hello Salguy,

Some programs will not allow uninstalling from safe mode. :thumbsup:

I'd like to check the consistency of your system drive and system files first, though:

Go to Start > Run and type (or copy/paste) : chkdsk /r and click OK.
This will try to repair problems related to bad sectors, lost clusters, cross-linked files, and directory errors. To use Chkdsk, you must log on as an administrator or as a member of the Administrators group.

If problems persist, and you have a Windows XP install CD handy :
Go to Start > Run and type (or copy/paste) : sfc /scannow and click OK.
If a damaged or incorrect system file is found, it replaces the incorrect file. System File Checker also checks and repopulates the cache folder. You must be logged on as an administrator or as a member of the Administrators group to run System File Checker.

If the situation remains unchanged, then
please download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
Upon reboot, run Gmer again and click on the Rootkit tab.
  • On the right (under Files) uncheck all drives with the exception of your C: drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New > Text Document. Once the file is created, open it, right-click again and choose Paste. Save the file as gmer.txt and copy the information into your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important! Please do not select the Show all checkbox during the scan.

Greetings,
Thunder

Edited by Thunder, 30 December 2008 - 11:01 AM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#10 salguy

salguy
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 30 December 2008 - 02:11 PM

Hello again THUNDER. I tried chkdsk /r; it says the system is FAT32 and it cannot run because the volume is in use by another process. I tried sfc /scannow and a black box CAME and WENT so fast I don't know what it said. Sorry, but I think I did not tell you I am running Windows 2000, if it matters. My bad. I hope I got the results from gmer; that was confusing for me. It is really starting up slow now. When I had to restart it froze at every screen for 15 minutes until it started. Thanks again for replying.


#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:06 AM

Posted 30 December 2008 - 03:50 PM

Hello Salguy,

I tried chkdsk /r; it says the system is FAT32 and it cannot run because the volume is in use by another process.

You have to make sure all windows are closed prior to running that command.
Even if you get the "in use" error, you should still get the option to run it on reboot?

tried sfc /scannow and a black box CAME and WENT so fast I don't know what it said.

In that case try sfc /scanonce and reboot, which will initiate the system file check.

I hope I got the results from gmer; that was confusing for me.

This is not the Gmer log I hoped for. :thumbsup:
Try running Gmer in safe mode (an explanation of how to run in safe mode is available by following the link above).

Greetings,
Thunder

#12 salguy

salguy
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 30 December 2008 - 08:00 PM

Hello THUNDER, I'm not doing too good. I tried chkdsk /r again with no luck. I went to Task Manager and looked at Applications and it was blank; nothing is running. I took the option to run at startup. When I start in safe mode nothing will run at startup; something won't allow it. I tried sfc /scanonce and rebooted. Again, nothing at startup. I tried gmer again and when I click on the Rootkit tab and try to scan, it won't allow it to even start. I watched that Scan button and it never changed. Is there a way to delete anything that SuperAntiSpyware ...? That's where my problems came from and it won't let me kill it. Thanks a lot for trying to help. That's why I can not get the right gmer results that you need.

#13 salguy

salguy
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 30 December 2008 - 08:53 PM

Hello THUNDER, I wanted to show you this. When I scan with avast, early in the scan a box comes up showing these. I copied this by hand so they might not be exact, but very close. It won't let me delete or do anything with them. My thought was this could be my problem; just thought I would bring that to your attention. Thanks again for any help.

c:\winnt\system32\spoolsv.exe\prtprocs\w32x86\LMPRINT.DLL rootkit:hidde
c:\winnt\system32\spoolss.dll\drivers\w32x86\2\LXACUI.DLL rootkit:hidde
c:\winnt\system32\spoolss.dll\prtprocs\w32x86\LMPRIMT.DLL rootkit:hidde
c:\winnt\system.ini\WING32.Dll rootkit:hidde
c:\winnt\system32\spoolsv.exe\drivers\w32x86\2\LXACUI.dll rootkit:hidde

#14 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:06 AM

Posted 31 December 2008 - 05:50 AM

Hello Salguy,

Those Avast results all seem to be false positives;
you can mark them to be "ignored" for now. :thumbsup:

Do you have a Windows 2000 install CD at hand,
so we can attempt to boot to the Recovery Console?

Greetings,
Thunder

#15 salguy

salguy
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 31 December 2008 - 08:29 AM

Good morning THUNDER. I don't have a recovery console?? I have something that says Microsoft Windows 95 Companion, and a Dell Product Recovery CD for Windows 2000.
So you think there are no rootkits. Thanks again.
