Strange XP lockups possibly virus / Malware


  • This topic is locked
16 replies to this topic

#1 RefinedFire

  • Members
  • 16 posts

Posted 30 December 2008 - 08:04 PM

I have had an XP installation on my home media server / HTPC for around 5 years; it is currently XP Pro, SP3. Recently I helped my daughter clean her desktop, which was riddled with viruses / trojans. Soon after, my HTPC machine began behaving strangely... no good deed goes unpunished! Her PC is fine, of course.

Anyway, I have tried almost everything I read on this forum, as well as others, to isolate the problem, and the symptoms are strange indeed. The PC boots and operates normally for about 6-8 hours, then starts killing processes, experiencing disk errors, and acting as though it has run out of memory or handles. After a reboot it acts fine for another 6-8 hours, then drags to the crawl of death. In Safe Mode this behavior does not repeat. I have Symantec AV and the ZA firewall, and have run CCleaner, ComboFix, Malwarebytes, Ad-Aware, Kaspersky's scanner and Spybot, in sequence, in both safe and normal modes. I am not seeing anything show up in the scan results that explains this behavior, but I am not as adept as the experts on this forum. I have also tried limiting all loaded programs / processes to the bare minimum, and it still happens. Checking the Event logs, I see disk warnings, then increasing "not enough process memory" errors. Typically, just before final oblivion, the desktop starts popping up dialog boxes stating ".dll is a bad image" or "not enough storage to process this command". Images start disappearing, text / icons / the Start menu become unreadable, and programs start to shut down. Eventually it just seizes up and requires a hard boot. I have also run chkdsk on the boot disk and no issues were detected. I hope someone can tell me I don't have to rebuild the HTPC from scratch... Any help is appreciated.



DDS (Version 1.1.0) - NTFSx86
Run by cholley at 18:49:09.28 on Tue 12/30/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1158 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Promixis\Girder\girder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SageTV\SageTV\SageTV.exe
C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe
C:\Documents and Settings\cholley.MEDIACTR-010120\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\cholley.MEDIACTR-010120\Local Settings\Temporary Internet Files\Content.IE5\PPFEE8BB\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Girder4] c:\program files\promixis\girder\girder.exe -startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [SageTV] "c:\program files\sagetv\sagetv\SageTV.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cholle~1.med\applic~1\mozilla\firefox\profiles\i946kh66.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

============= SERVICES / DRIVERS ===============

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [2007-6-1 215856]
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2008-11-26 96384]
R1 cwmtdi;cwmtdi;c:\windows\system32\drivers\cwmtdi.sys [2007-5-14 48640]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-14 353680]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-10-4 185968]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-10-4 177776]
R2 havasvc;HAVA Service;c:\program files\monsoon multimedia\hava\common\havasvc.exe [2008-11-27 145920]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-11-15 1756912]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 CX88VID;FusionHDTV 88x AvStream Video Capture;c:\windows\system32\drivers\zl88avs.sys [2007-5-7 375040]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-28 99376]
R3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-12-15 34639]
R3 havabus;HAVA Bus Enumerator;c:\windows\system32\drivers\havabus.sys [2007-7-16 37376]
R3 havanet;HAVA NDIS Protocol Driver;c:\windows\system32\drivers\havanet.sys [2007-7-16 20480]
R3 HAVATV;Hava Video Device;c:\windows\system32\drivers\HAVATV.sys [2007-7-16 324224]
R3 HavaTV_10;Hava Remote Video Device;c:\windows\system32\drivers\HavaTV_10.sys [2007-7-16 324224]
R3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\drivers\hcwhdpvr.sys [2008-11-18 155648]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081228.003\naveng.sys [2008-12-29 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081228.003\navex15.sys [2008-12-29 876112]
S2 cx88xbar;FusionHDTV 88x, WDM Crossbar;c:\windows\system32\drivers\zl88xbar.sys []
S2 Zulu88Vid;FusionHDTV 88x, WDM Video Capture;c:\windows\system32\drivers\zl88vcap.sys []
S3 BoosterKey;Hava key Service;c:\windows\system32\drivers\havakey.sys []
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-10-4 83568]
S3 CXAVSAUD;FusionHDTV 880, WDM Audio Capture;c:\windows\system32\drivers\zl88aud.sys []
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2007-1-2 17149]
S3 SageTV;SageTV;"c:\program files\sagetv\sagetv\SageTVService.exe" [2008-12-22 1089536]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-11-15 169200]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-6-13 362944]
S3 Zulu88Ts;FusionHDTV 88x, BDA Receiver(ATSC-A);c:\windows\system32\drivers\zl88tcap.sys []
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\google\google desktop search\GoogleDesktop.exe" [2008-11-28 29744]
S4 WDBtnMgrSvc.exe;WD Drive Manager Service;"c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe" [2008-2-19 106496]

=============== Created Last 30 ================

2008-12-30 10:54 161,792 a------- c:\windows\SWREG.exe
2008-12-30 10:54 98,816 a------- c:\windows\sed.exe
2008-12-28 08:49 108,168 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-28 08:49 87,768 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-27 19:39 <DIR> --d----- c:\program files\Trend Micro
2008-12-26 19:30 2,577 a------- c:\windows\config.nt
2008-12-26 19:30 1,688 a------- c:\windows\autoexec.nt
2008-12-26 19:30 2,577 a------- c:\windows\system32\config.bak
2008-12-26 19:30 1,688 a------- c:\windows\system32\autoexec.bak
2008-12-26 09:13 375 a------- c:\windows\{62EA6D8F-76CA-402D-A24E-29E6869B39B7}_WiseFW.ini
2008-12-22 13:21 <DIR> --d----- c:\docume~1\cholle~1.med\applic~1\Malwarebytes
2008-12-22 13:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-22 13:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 13:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 13:21 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2008-12-21 13:40 <DIR> --d----- c:\program files\CoreCodec
2008-12-18 13:52 179,200 a------- c:\windows\system32\xvidvfw.dll
2008-12-18 13:51 629,760 a------- c:\windows\system32\xvidcore.dll
2008-12-17 08:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-17 08:22 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2008-12-16 14:27 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-16 14:27 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-14 08:46 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-14 08:26 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-14 08:23 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-14 08:22 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-12-14 08:22 348,371 a------- c:\windows\system32\vsconfig.xml
2008-12-13 23:43 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Avg8
2008-12-13 23:15 <DIR> a-dshr-- C:\cmdcons
2008-12-13 22:59 <DIR> --d----- C:\fixwareout
2008-12-13 22:08 <DIR> --d----- c:\program files\CCleaner
2008-12-13 14:01 77,824 a------- c:\windows\system32\xvid.ax
2008-12-13 08:51 <DIR> --d----- c:\documents and settings\cholley.mediactr-010120\.housecall6.6
2008-12-10 22:50 <DIR> --d----- c:\docume~1\cholle~1.med\applic~1\Red Kawa
2008-12-10 22:50 <DIR> --d----- c:\program files\Red Kawa
2008-12-10 22:49 <DIR> --d----- C:\OpenCandy
2008-12-10 21:21 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-10 07:58 <DIR> --d----- c:\program files\AVG

==================== Find3M ====================

2008-12-30 17:24 2,606 a------- c:\windows\bthservsdp.dat
2008-12-27 16:31 44,256 a------- c:\windows\system32\xvid-uninstall.exe
2008-12-26 21:03 4,464,720 a------- c:\windows\system32\drivers\hcwhdpvr.rom
2008-12-26 21:03 155,648 a------- c:\windows\system32\drivers\hcwhdpvr.sys
2008-12-04 11:34 27,784 a------- c:\windows\system32\drivers\point32.sys
2008-11-24 15:32 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-12 11:39 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-12 11:39 22,328 a------- c:\docume~1\cholle~1.med\applic~1\PnkBstrK.sys
2008-11-12 11:39 103,736 a------- c:\windows\system32\PnkBstrB.exe
2008-11-12 11:39 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 16:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 16:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 16:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-05-08 14:45 20,536 a------- c:\docume~1\cholle~1.med\applic~1\GDIPFONTCACHEV1.DAT
2008-04-23 16:34 0 a------- c:\program files\temp01
2007-12-30 21:59 47,360 a------- c:\docume~1\cholle~1.med\applic~1\pcouffin.sys
2004-07-30 08:56 90,112 a------- c:\program files\common files\PCSBclean.exe
2004-07-26 14:30 291,840 a------- c:\program files\common files\PCSBoff.exe
2007-03-01 18:32 56 ---shr-- c:\windows\system32\76F1F2EF91.sys
2007-08-04 12:49 14,912 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:49:51.64 ===============



Kaspersky scan:


#2 RefinedFire
  • Topic Starter

  • Members
  • 16 posts

Posted 30 December 2008 - 08:06 PM

Screwed up the paste on the Kaspersky scan: here it is...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3, v.3311 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 01:12:08
Records in database: 1522402
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
C:\Documents and Settings\cholley.MEDIACTR-010120\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 91484
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:02:42

No malware has been detected. The scan area is clean.

The selected area was scanned.

#3 RefinedFire
  • Topic Starter

  • Members
  • 16 posts

Posted 06 January 2009 - 12:19 PM

After 7 days it is still generating weird System Event errors such as "Rtvscan.exe - Bad Image: the application or DLL is not a valid Windows image" and "Insufficient system resources exist to complete the requested service". Programs can't open, icons disappear, and only a reboot will return things to normal, for about half a day. I am worried...

Edited by RefinedFire, 06 January 2009 - 05:05 PM.


#4 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 January 2009 - 11:59 AM

Hello RefinedFire.

Doesn't sound like a malware infection to me. Seems like your computer is just being overloaded.

Could you please tell me how much RAM you have installed?

Also post a fresh DDS log.

With Regards,
The Panda

#5 RefinedFire
  • Topic Starter

  • Members
  • 16 posts

Posted 07 January 2009 - 01:03 PM

I am stuck at work, so I will have to get you the DDS log this afternoon. I have 2 gig total system memory. I hope you are right regarding the issue not being virus / malware caused, but I still have some doubts. The gradual increase of i/o activity seems to correspond with the weird Event Id: 26, 59 and program lock ups. I have plenty of RAM free when I check (over 1 gig). Additionally I have terminated all but the minimum programs / services, and it still occurs.

#6 RefinedFire (Topic Starter)

Posted 07 January 2009 - 06:14 PM

Ok, here is the latest DDS log.

DDS (Ver_09-01-07.01) - NTFSx86
Run by cholley at 17:10:05.62 on Wed 01/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.968 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Promixis\Girder\girder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SageTV\SageTV\SageTV.exe
C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\cholley.MEDIACTR-010120\Desktop\Scanners\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Girder4] c:\program files\promixis\girder\girder.exe -startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [SageTV] "c:\program files\sagetv\sagetv\SageTV.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cholle~1.med\applic~1\mozilla\firefox\profiles\i946kh66.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

============= SERVICES / DRIVERS ===============

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [2007-6-1 215856]
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2008-11-26 96384]
R1 cwmtdi;cwmtdi;c:\windows\system32\drivers\cwmtdi.sys [2007-5-14 48640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-14 353680]
R3 CX88VID;FusionHDTV 88x AvStream Video Capture;c:\windows\system32\drivers\zl88avs.sys [2007-5-7 375040]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-28 99376]
R3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-12-15 34639]
R3 havabus;HAVA Bus Enumerator;c:\windows\system32\drivers\havabus.sys [2007-7-16 37376]
R3 havanet;HAVA NDIS Protocol Driver;c:\windows\system32\drivers\havanet.sys [2007-7-16 20480]
R3 HAVATV;Hava Video Device;c:\windows\system32\drivers\HavaTV.sys [2007-7-16 324224]
R3 HavaTV_10;Hava Remote Video Device;c:\windows\system32\drivers\HavaTV_10.sys [2007-7-16 324224]
R3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\drivers\hcwhdpvr.sys [2008-11-18 155648]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090106.004\naveng.sys [2009-1-7 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090106.004\navex15.sys [2009-1-7 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R4 havasvc;HAVA Service;c:\program files\monsoon multimedia\hava\common\havasvc.exe [2008-11-27 145920]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 BoosterKey;Hava key Service;c:\windows\system32\drivers\havakey.sys --> c:\windows\system32\drivers\havakey.sys [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 CXAVSAUD;FusionHDTV 880, WDM Audio Capture;c:\windows\system32\drivers\zl88aud.sys --> c:\windows\system32\drivers\zl88aud.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-1-2 17149]
S3 SageTV;SageTV;c:\program files\sagetv\sagetv\SageTVService.exe [2008-12-22 1089536]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-6-13 362944]
S3 Zulu88Ts;FusionHDTV 88x, BDA Receiver(ATSC-A);c:\windows\system32\drivers\zl88tcap.sys --> c:\windows\system32\drivers\zl88tcap.sys [?]
S4 cx88xbar;FusionHDTV 88x, WDM Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-28 29744]
S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-2-19 106496]
S4 Zulu88Vid;FusionHDTV 88x, WDM Video Capture;c:\windows\system32\drivers\zl88vcap.sys --> c:\windows\system32\drivers\zl88vcap.sys [?]

=============== Created Last 30 ================

2009-01-06 14:16 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-06 14:12 <DIR> --d----- c:\windows\ERUNT
2009-01-06 14:06 <DIR> --d----- C:\SDFix
2009-01-06 11:33 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-01-06 11:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 11:33 <DIR> --d----- c:\docume~1\cholle~1.med\applic~1\SUPERAntiSpyware.com
2008-12-30 10:54 161,792 a------- c:\windows\SWREG.exe
2008-12-30 10:54 98,816 a------- c:\windows\sed.exe
2008-12-28 08:49 108,168 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-28 08:49 87,768 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-27 19:39 <DIR> --d----- c:\program files\Trend Micro
2008-12-26 19:30 2,577 a------- c:\windows\config.nt
2008-12-26 19:30 1,688 a------- c:\windows\autoexec.nt
2008-12-26 19:30 2,577 a------- c:\windows\system32\config.bak
2008-12-26 19:30 1,688 a------- c:\windows\system32\autoexec.bak
2008-12-26 09:13 375 a------- c:\windows\{62EA6D8F-76CA-402D-A24E-29E6869B39B7}_WiseFW.ini
2008-12-22 13:21 <DIR> --d----- c:\docume~1\cholle~1.med\applic~1\Malwarebytes
2008-12-22 13:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-22 13:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 13:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 13:21 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2008-12-21 13:40 <DIR> --d----- c:\program files\CoreCodec
2008-12-18 13:52 179,200 a------- c:\windows\system32\xvidvfw.dll
2008-12-18 13:51 629,760 a------- c:\windows\system32\xvidcore.dll
2008-12-17 08:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-17 08:22 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2008-12-16 14:27 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-16 14:27 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-14 08:46 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-14 08:26 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-14 08:23 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-14 08:22 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-12-14 08:22 348,371 a------- c:\windows\system32\vsconfig.xml
2008-12-13 23:43 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Avg8
2008-12-13 23:15 <DIR> a-dshr-- C:\cmdcons
2008-12-13 22:59 <DIR> --d----- C:\fixwareout
2008-12-13 22:08 <DIR> --d----- c:\program files\CCleaner
2008-12-13 14:01 77,824 a------- c:\windows\system32\xvid.ax
2008-12-13 08:51 <DIR> --d----- c:\documents and settings\cholley.mediactr-010120\.housecall6.6
2008-12-10 22:50 <DIR> --d----- c:\docume~1\cholle~1.med\applic~1\Red Kawa
2008-12-10 22:50 <DIR> --d----- c:\program files\Red Kawa
2008-12-10 22:49 <DIR> --d----- C:\OpenCandy
2008-12-10 21:21 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-10 07:58 <DIR> --d----- c:\program files\AVG

==================== Find3M ====================

2009-01-07 08:00 2,606 a------- c:\windows\bthservsdp.dat
2008-12-27 16:31 44,256 a------- c:\windows\system32\xvid-uninstall.exe
2008-12-26 21:03 4,464,720 a------- c:\windows\system32\drivers\hcwhdpvr.rom
2008-12-26 21:03 155,648 a------- c:\windows\system32\drivers\hcwhdpvr.sys
2008-12-04 11:34 27,784 a------- c:\windows\system32\drivers\point32.sys
2008-11-24 15:32 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-12 11:39 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-12 11:39 22,328 a------- c:\docume~1\cholle~1.med\applic~1\PnkBstrK.sys
2008-11-12 11:39 103,736 a------- c:\windows\system32\PnkBstrB.exe
2008-11-12 11:39 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 16:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 16:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 16:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-05-08 14:45 20,536 a------- c:\docume~1\cholle~1.med\applic~1\GDIPFONTCACHEV1.DAT
2008-04-23 16:34 0 a------- c:\program files\temp01
2007-12-30 21:59 47,360 a------- c:\docume~1\cholle~1.med\applic~1\pcouffin.sys
2004-07-30 08:56 90,112 a------- c:\program files\common files\PCSBclean.exe
2004-07-26 14:30 291,840 a------- c:\program files\common files\PCSBoff.exe
2007-03-01 18:32 56 ---shr-- c:\windows\system32\76F1F2EF91.sys
2007-08-04 12:49 14,912 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:10:50.04 ===============


#7 PropagandaPanda (Malware Response Team)

Posted 07 January 2009 - 07:53 PM

Hello RefinedFire.

Looks like some services are having troubles.

A device attached to the system is not functioning.


Let's see if we can identify that.

Click on your Start Menu, then Run. Type:
devmgmt.msc

In the device manager, expand all the categories by clicking the "+". Take note of any devices marked with a warning sign.

With Regards,
The Panda

#8 RefinedFire (Topic Starter)

Posted 07 January 2009 - 09:04 PM

These two devices are the old drivers for a Fusion HDTV capture card. These drivers were updated to a new driver called Unified Stream that invalidated the two old drivers by combining the two into one. I would like to remove those from the services and devices entries, but haven't looked into that yet. I have had this for the last year, and only in the last few weeks has this issue come about. Another topic on this forum suggested a bad pagefile could be failing to release resources until they are used up. The link is here: http://www.bleepingcomputer.com/forums/t/124658/insufficient-system-resources-to-complete-task/

#9 PropagandaPanda (Malware Response Team)

Posted 08 January 2009 - 08:16 AM

Hello.

Okay, let's check the page file.

Referring to this guide, make sure your pagefile size is 1.5 times that of your RAM.

With Regards,
The Panda

#10 RefinedFire (Topic Starter)

Posted 08 January 2009 - 03:10 PM

I did this on the next drive letter E: rather than the C: drive. I am hoping this will fix the issues. I'll let you know. Thanks for the help.

#11 RefinedFire (Topic Starter)

Posted 08 January 2009 - 06:44 PM

Well that did not help. Same errors after 18 hours of operation. "Not enough process memory to complete request" pop-ups. Several services were shut down. Intellipoint service shut down. Major i/o activity on the drive, Spybot message popped up for a toolbar install. Event log service terminated. AVG alert that system was not protected. As an example of the cryptic nature of the events generated is this entry:

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 1/8/2009
Time: 5:16:00 PM
User: N/A
Computer: MEDIASERVER
Description:
Application popup: mmc.exe - Application Error
The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.

The other thing I noticed is when this happens any program running will consume 50% cpu even if in apparent standby. Such was the case for Sagetv, which was in standby but consuming 50% cpu. Since Sage is a Java based application could there be a vulnerability in Java?

I am more convinced than ever that this is an insidious rogue program flying under the radar. I need bigtime help.
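Added example, not part of the thread: a small Python triage script that parses event-log entries exported in the text format quoted in the post above, picks out the Event ID 26 "Application Popup" records, and counts the 0xc0000142 (STATUS_DLL_INIT_FAILED) and "Bad Image" failures per executable and per hour, which is what distinguishes a slow resource-exhaustion ramp from a one-off crash. The entries other than the one quoted, and all function names, are constructed for the example.

```python
"""Triage of exported Windows XP event-log text entries for the resource-exhaustion
symptoms described in the thread (Event ID 26 Application Popup records)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the entry quoted in the post plus two made-up entries in the
# same export format (a Bad Image popup and an unrelated service-control event).
SAMPLE_LOG = """\
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 1/8/2009
Time: 5:16:00 PM
User: N/A
Computer: MEDIASERVER
Description:
Application popup: mmc.exe - Application Error
The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 1/8/2009
Time: 5:20:13 PM
User: N/A
Computer: MEDIASERVER
Description:
Application popup: Rtvscan.exe - Bad Image
The application or DLL C:\\WINDOWS\\system32\\user32.dll is not a valid Windows image.

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 1/8/2009
Time: 9:00:00 AM
User: N/A
Computer: MEDIASERVER
Description:
The Print Spooler service entered the running state.
"""

FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# First description line of an Application Popup record: "Application popup: <exe> - <title>"
POPUP_RE = re.compile(r"^Application popup:\s*(?P<image>\S+)\s*-\s*(?P<title>.+)$")
NTSTATUS_RE = re.compile(r"\(0x([0-9a-fA-F]{8})\)")

# NTSTATUS codes that point at exhausted memory/handles rather than a program bug.
RESOURCE_EXHAUSTION_STATUS = {
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000017: "STATUS_NO_MEMORY",
    0xC000009A: "STATUS_INSUFFICIENT_RESOURCES",
}


def parse_entries(text):
    """Split the export into records; each is a dict of header fields plus 'Description'."""
    entries, cur, desc, in_desc = [], {}, [], False
    for line in text.splitlines():
        if not line.strip():            # blank line terminates a record
            if cur:
                cur["Description"] = "\n".join(desc).strip()
                entries.append(cur)
            cur, desc, in_desc = {}, [], False
            continue
        if in_desc:                     # description runs to the end of the record
            desc.append(line)
            continue
        if line.startswith("Description:"):
            in_desc = True
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2).strip()
    if cur:
        cur["Description"] = "\n".join(desc).strip()
        entries.append(cur)
    return entries


def classify_popup(entry):
    """Return a summary dict for an Event ID 26 Application Popup record, else None."""
    if entry.get("Event Source") != "Application Popup" or entry.get("Event ID") != "26":
        return None
    lines = entry.get("Description", "").splitlines()
    m = POPUP_RE.match(lines[0]) if lines else None
    if not m:
        return None
    status = NTSTATUS_RE.search(" ".join(lines[1:]))
    code = int(status.group(1), 16) if status else None
    when = datetime.strptime(f"{entry['Date']} {entry['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return {"when": when, "image": m.group("image"), "title": m.group("title").strip(),
            "status": code, "status_name": RESOURCE_EXHAUSTION_STATUS.get(code),
            "bad_image": "Bad Image" in m.group("title")}


def summarize(text):
    """Count popups per image and per hour; 'exhaustion' counts the ones that match
    the resource-starvation pattern (known NTSTATUS or a Bad Image title)."""
    popups = [p for p in (classify_popup(e) for e in parse_entries(text)) if p]
    return {
        "popups": len(popups),
        "per_image": dict(Counter(p["image"] for p in popups)),
        "per_hour": dict(Counter(p["when"].strftime("%Y-%m-%d %H:00") for p in popups)),
        "exhaustion": sum(1 for p in popups if p["status_name"] or p["bad_image"]),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A cluster of such popups from unrelated executables inside one hour, with no detections from the scanners run earlier in the thread, is the signature of the system running out of memory or handles rather than of a specific infected binary.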

#12 PropagandaPanda (Malware Response Team)

Posted 09 January 2009 - 08:23 AM

Hello.

Okay, let's dig deeper.

Submit File to Online Scanner
There is an unidentified file that I would like you to check out for me using Jotti/VirusTotal.
  • Open Jotti Online Scanner, or VirusTotal Online Scanner. If one site is busy or down, try the other.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\system32\drivers\hcwhdpvr.sys
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important!: Please do not select the Show all checkbox during the scan.

Let's get a fresh DDS log too.

With Regards,
The Panda

#13 RefinedFire (Topic Starter)

Posted 09 January 2009 - 08:55 AM

Pasting results of file scan first:

Scan taken on 09 Jan 2009 13:50:43 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Proceeding to next step.

#14 RefinedFire (Topic Starter)

Posted 09 January 2009 - 09:27 AM

GMER Scan results:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-09 08:25:25
Windows 5.1.2600 Service Pack 3, v.3311


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB4B7F8D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB4B7C6E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB4B89490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB4B7FE90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB4B86C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB4B86E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB4B8AD50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB4B7FF80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB4B7CC70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB4B89D10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB4B89AC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB4B86600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB4B8A230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB4B8A2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB4B7CAD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB4B884F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB4B882B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB4B8A970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB4B8A3D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB4B7F4F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB4B8A7C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB4B7FAA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB4B7CEA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB4B89800]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB4B87580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB4B87400]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504508 12 Bytes [ 90, FE, B7, B4, 80, 6C, B8, ... ]
? srescan.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B4B84410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B4B84220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B4B84B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B4B82780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B4B82780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B4B84410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B4B84220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B4B84B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B4B84410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B4B82780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B4B84B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B4B84220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B4B84B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B4B84220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B4B84410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B4B84B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B4B84220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B4B82780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B4B84410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [B4B82780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [B4B84B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [B4B84220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [B4B84410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B4B84410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B4B82780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B4B84B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B4B84220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Promixis\Girder\girder.exe[2380] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateThread] [0044EEAC] C:\Program Files\Promixis\Girder\girder.exe (Girder/Promixis)
IAT C:\Program Files\Promixis\Girder\girder.exe[2380] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [0044EEAC] C:\Program Files\Promixis\Girder\girder.exe (Girder/Promixis)
IAT C:\Program Files\Promixis\Girder\girder.exe[2380] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [0044EEAC] C:\Program Files\Promixis\Girder\girder.exe (Girder/Promixis)
IAT C:\Program Files\Promixis\Girder\girder.exe[2380] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0044EEAC] C:\Program Files\Promixis\Girder\girder.exe (Girder/Promixis)
IAT C:\Program Files\Promixis\Girder\girder.exe[2380] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread] [0044EEAC] C:\Program Files\Promixis\Girder\girder.exe (Girder/Promixis)
IAT C:\Program Files\Promixis\Girder\girder.exe[2380] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [0044EEAC] C:\Program Files\Promixis\Girder\girder.exe (Girder/Promixis)
IAT C:\Program Files\Promixis\Girder\girder.exe[2380] @ C:\WINDOWS\system32\ws2_32.dll [KERNEL32.dll!CreateThread] [0044EEAC] C:\Program Files\Promixis\Girder\girder.exe (Girder/Promixis)
IAT C:\Program Files\Promixis\Girder\girder.exe[2380] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [0044EEAC] C:\Program Files\Promixis\Girder\girder.exe (Girder/Promixis)
IAT C:\Program Files\Promixis\Girder\girder.exe[2380] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateThread] [0044EEAC] C:\Program Files\Promixis\Girder\girder.exe (Girder/Promixis)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\BTHUSB \Device\0000009e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000a0 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp cwmtdi.sys

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000d3aa8208d
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000d3aa8208d

---- EOF - GMER 1.0.14 ----



DDS Log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by cholley at 8:26:11.45 on Fri 01/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1402 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Promixis\Girder\girder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\cholley.MEDIACTR-010120\Desktop\Scanners\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Girder4] c:\program files\promixis\girder\girder.exe -startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [SageTV] "c:\program files\sagetv\sagetv\SageTV.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cholle~1.med\applic~1\mozilla\firefox\profiles\i946kh66.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

============= SERVICES / DRIVERS ===============

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [2007-6-1 215856]
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2008-11-26 96384]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-7 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-7 26824]
R1 cwmtdi;cwmtdi;c:\windows\system32\drivers\cwmtdi.sys [2007-5-14 48640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-14 353680]
R3 CX88VID;FusionHDTV 88x AvStream Video Capture;c:\windows\system32\drivers\zl88avs.sys [2007-5-7 375040]
R3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-12-15 34639]
R3 havabus;HAVA Bus Enumerator;c:\windows\system32\drivers\havabus.sys [2007-7-16 37376]
R3 havanet;HAVA NDIS Protocol Driver;c:\windows\system32\drivers\havanet.sys [2007-7-16 20480]
R3 HAVATV;Hava Video Device;c:\windows\system32\drivers\HavaTV.sys [2007-7-16 324224]
R3 HavaTV_10;Hava Remote Video Device;c:\windows\system32\drivers\HavaTV_10.sys [2007-7-16 324224]
R3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\drivers\hcwhdpvr.sys [2008-11-18 155648]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-7 231704]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R4 havasvc;HAVA Service;c:\program files\monsoon multimedia\hava\common\havasvc.exe [2008-11-27 145920]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 BoosterKey;Hava key Service;c:\windows\system32\drivers\havakey.sys --> c:\windows\system32\drivers\havakey.sys [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 CXAVSAUD;FusionHDTV 880, WDM Audio Capture;c:\windows\system32\drivers\zl88aud.sys --> c:\windows\system32\drivers\zl88aud.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-1-2 17149]
S3 SageTV;SageTV;c:\program files\sagetv\sagetv\SageTVService.exe [2009-1-2 1089536]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-6-13 362944]
S3 Zulu88Ts;FusionHDTV 88x, BDA Receiver(ATSC-A);c:\windows\system32\drivers\zl88tcap.sys --> c:\windows\system32\drivers\zl88tcap.sys [?]
S4 cx88xbar;FusionHDTV 88x, WDM Crossbar;c:\windows\system32\drivers\zl88xbar.sys --> c:\windows\system32\drivers\zl88xbar.sys [?]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-28 29744]
S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-2-19 106496]
S4 Zulu88Vid;FusionHDTV 88x, WDM Video Capture;c:\windows\system32\drivers\zl88vcap.sys --> c:\windows\system32\drivers\zl88vcap.sys [?]

=============== Created Last 30 ================

2009-01-09 07:57 345 a------- c:\windows\gmer.ini
2009-01-08 18:07 375 a------- c:\windows\{F6D74187-FCF9-4124-A180-094DC8ACBAA1}_WiseFW.ini
2009-01-07 21:27 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-07 21:27 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-07 21:27 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-06 14:16 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-06 14:12 <DIR> --d----- c:\windows\ERUNT
2009-01-06 14:06 <DIR> --d----- C:\SDFix
2009-01-06 11:33 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-01-06 11:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 11:33 <DIR> --d----- c:\docume~1\cholle~1.med\applic~1\SUPERAntiSpyware.com
2008-12-30 10:54 161,792 a------- c:\windows\SWREG.exe
2008-12-30 10:54 98,816 a------- c:\windows\sed.exe
2008-12-27 19:39 <DIR> --d----- c:\program files\Trend Micro
2008-12-26 19:30 2,577 a------- c:\windows\config.nt
2008-12-26 19:30 1,688 a------- c:\windows\autoexec.nt
2008-12-26 19:30 2,577 a------- c:\windows\system32\config.bak
2008-12-26 19:30 1,688 a------- c:\windows\system32\autoexec.bak
2008-12-22 13:21 <DIR> --d----- c:\docume~1\cholle~1.med\applic~1\Malwarebytes
2008-12-22 13:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-22 13:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 13:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 13:21 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2008-12-21 13:40 <DIR> --d----- c:\program files\CoreCodec
2008-12-18 13:52 179,200 a------- c:\windows\system32\xvidvfw.dll
2008-12-18 13:51 629,760 a------- c:\windows\system32\xvidcore.dll
2008-12-17 08:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-17 08:22 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2008-12-16 14:27 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-16 14:27 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-14 08:46 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-14 08:26 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-14 08:23 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-14 08:22 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-12-14 08:22 348,371 a------- c:\windows\system32\vsconfig.xml
2008-12-13 23:43 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Avg8
2008-12-13 23:15 <DIR> a-dshr-- C:\cmdcons
2008-12-13 22:59 <DIR> --d----- C:\fixwareout
2008-12-13 22:08 <DIR> --d----- c:\program files\CCleaner
2008-12-13 14:01 77,824 a------- c:\windows\system32\xvid.ax
2008-12-13 08:51 <DIR> --d----- c:\documents and settings\cholley.mediactr-010120\.housecall6.6
2008-12-10 22:50 <DIR> --d----- c:\docume~1\cholle~1.med\applic~1\Red Kawa
2008-12-10 22:50 <DIR> --d----- c:\program files\Red Kawa
2008-12-10 22:49 <DIR> --d----- C:\OpenCandy
2008-12-10 21:21 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2009-01-09 08:00 2,606 a------- c:\windows\bthservsdp.dat
2008-12-27 16:31 44,256 a------- c:\windows\system32\xvid-uninstall.exe
2008-12-26 21:03 4,464,720 a------- c:\windows\system32\drivers\hcwhdpvr.rom
2008-12-26 21:03 155,648 a------- c:\windows\system32\drivers\hcwhdpvr.sys
2008-12-04 11:34 27,784 a------- c:\windows\system32\drivers\point32.sys
2008-11-24 15:32 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-12 11:39 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-12 11:39 22,328 a------- c:\docume~1\cholle~1.med\applic~1\PnkBstrK.sys
2008-11-12 11:39 103,736 a------- c:\windows\system32\PnkBstrB.exe
2008-11-12 11:39 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 16:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 16:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 16:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-05-08 14:45 20,536 a------- c:\docume~1\cholle~1.med\applic~1\GDIPFONTCACHEV1.DAT
2008-04-23 16:34 0 a------- c:\program files\temp01
2007-12-30 21:59 47,360 a------- c:\docume~1\cholle~1.med\applic~1\pcouffin.sys
2004-07-30 08:56 90,112 a------- c:\program files\common files\PCSBclean.exe
2004-07-26 14:30 291,840 a------- c:\program files\common files\PCSBoff.exe
2007-03-01 18:32 56 ---shr-- c:\windows\system32\76F1F2EF91.sys
2007-08-04 12:49 14,912 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 8:26:23.96 ===============

Edited by RefinedFire, 09 January 2009 - 09:30 AM.

#15 PropagandaPanda
Malware Response Team

Posted 09 January 2009 - 04:23 PM

Hello RefinedFire.

I do not see any signs of infection in your logs.

With Regards,
The Panda
