
aaw7boot windows command script infection


  • This topic is locked
11 replies to this topic

#1 KelThuzad0398

KelThuzad0398

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 02 February 2009 - 06:56 PM

A file called aaw7boot, which is a Windows command script type file, appeared in my C drive. I am not sure what this is, or how to remove it, and neither Spyware Doctor nor Adaware is locating this. I found it when I got home at about 4:00 or 4:30. Adaware was already on my computer, fully updated to their Anniversary edition. I recently installed the free version of Spyware Doctor to try to get rid of that virus. The internet has been running at a slower speed than usual. This computer also wirelessly connects to two other computers, one a desktop, and one a laptop. It used to also connect to my sister's laptop, until she was affected by a virus that will not let her go on the internet; she is blocked off by an ad for Antivirus 360, and we know it's a rogue antivirus program. We plan to have that fixed later.
This may have something to do with my updating Adaware, though that doesn't explain why the internet is working so slowly.
Of course, this may be me being paranoid. If so, I am very sorry for wasting your time. My sister can't even use her computer anymore, and with my computer slowing down, and the problem where Google said that the / key was related to malware...
Thanks for your time, whatever the results are.

DDS (Ver_09-02-01.01) - NTFSx86
Run by User Name at 18:43:01.12 on Mon 02/02/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1107 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\User Name\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://iss.k12.nc.us/schools/earlycollege/
uWindow Title = Internet Explorer provided by Dell
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.911.3380\GoogleToolbarNotifier.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-1 64160]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-7-24 5504]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-7-24 29744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-5-21 34576]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-2 356920]

=============== Created Last 30 ================

2009-02-02 17:40 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-02 17:40 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-02 17:40 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-02 17:40 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-02 17:40 <DIR> --d----- c:\users\userna~1\appdata\roaming\PC Tools
2009-02-02 17:40 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-01 20:39 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-01 20:39 274 a---h--- C:\aaw7boot.cmd
2009-02-01 20:26 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-01 20:24 <DIR> -cd-h--- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-01 20:24 <DIR> -cd-h--- c:\progra~2\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-01 20:24 <DIR> --d----- c:\program files\Lavasoft
2009-02-01 16:27 <DIR> --d----- c:\program files\Activision
2009-02-01 05:01 <DIR> --d----- c:\program files\D-Day Coop
2009-02-01 01:22 <DIR> --d----- c:\programdata\DAEMON Tools Lite
2009-02-01 01:22 <DIR> --d----- c:\progra~2\DAEMON Tools Lite
2009-02-01 01:22 <DIR> --d----- c:\users\userna~1\appdata\roaming\DAEMON Tools Lite
2009-01-31 20:53 <DIR> --d----- c:\users\userna~1\appdata\roaming\BitTorrent
2009-01-31 12:36 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-01-31 12:36 97,800 a------- c:\windows\system32\infocardapi.dll
2009-01-31 12:36 622,080 a------- c:\windows\system32\icardagt.exe
2009-01-31 12:36 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-01-31 12:36 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-01-31 12:36 11,264 a------- c:\windows\system32\icardres.dll
2009-01-31 12:36 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-01-31 12:36 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-01-31 12:31 96,760 a------- c:\windows\system32\dfshim.dll
2009-01-31 12:31 282,112 a------- c:\windows\system32\mscoree.dll
2009-01-31 12:31 41,984 a------- c:\windows\system32\netfxperf.dll
2009-01-31 12:31 158,720 a------- c:\windows\system32\mscorier.dll
2009-01-31 12:31 83,968 a------- c:\windows\system32\mscories.dll
2009-01-20 19:43 <DIR> --d----- c:\windows\system32\xlive
2009-01-20 19:43 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-01-20 19:42 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-20 19:42 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-20 19:42 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-01-20 19:42 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-01-20 19:42 467,984 a------- c:\windows\system32\d3dx10_39.dll
2009-01-20 19:42 238,088 a------- c:\windows\system32\xactengine3_2.dll
2009-01-18 09:24 <DIR> a-d----- c:\programdata\TEMP
2009-01-13 19:26 <DIR> --d----- c:\program files\common files\Steam
2009-01-13 19:26 <DIR> --d----- c:\program files\Steam
2009-01-13 17:50 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-12 18:29 145,408 a------- c:\windows\system32\Ivfsb01b.rra
2009-01-12 18:29 745,984 a------- c:\windows\system32\ir50aeb4.rra
2009-01-12 18:29 192,000 a------- c:\windows\system32\iac2ae66.rra

==================== Find3M ====================

2009-01-11 01:01 6,152 a------- c:\users\userna~1\appdata\roaming\wklnhst.dat
2009-01-01 16:41 1,067 a------- c:\program files\INSTALL.LOG
2008-12-11 23:04 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-11 23:04 51,200 a------- c:\windows\inf\infpub.dat
2008-12-11 23:04 86,016 a------- c:\windows\inf\infstor.dat
2008-12-03 18:45 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-12 17:17 2,118 a------- c:\windows\eReg.dat
2008-10-12 02:23 174 a--sh--- c:\program files\desktop.ini
2008-10-12 02:15 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2003-12-18 11:33 20,102 a------- c:\program files\Readme.txt
2003-09-03 07:46 10,960 a------- c:\program files\EULA.txt
2008-09-01 21:33 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-01 21:33 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-01 21:33 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 18:43:17.25 ===============


Edited by KelThuzad0398, 02 February 2009 - 10:02 PM.



#2 KelThuzad0398

KelThuzad0398
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 03 February 2009 - 06:30 PM

Computer seems to be running even slower today. I hope nothing bad's on this computer.

Edited by KelThuzad0398, 03 February 2009 - 11:32 PM.


#3 KelThuzad0398

KelThuzad0398
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 03 February 2009 - 11:10 PM

Just ran Malwarebytes' Anti-Malware. It found exactly... 0. Does that mean my computer is alright? I did a quick scan and then, to make sure, I did a full scan and let it run for an hour and 30 minutes.

EDIT: No, there must be something. I was looking at what programs are set to start up upon launch of Windows, and there's a file called N/A. This is what it says:

File Name: EULALauncher.exe
Display Name:
Description: Not Available
Publisher:
Digitally Signed By: NOT SIGNED
File Type: Application
Startup Value: c:\dell\E-Center\EULALauncher.exe
File Path: c:\dell\E-Center\EULALauncher.exe
File Size: 17920
File Version: 1.0.2489.24404
Date Installed: 7/24/2007 7:57:28 PM
Startup Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Not yet classified
Ships with Operating System: No
SpyNet Voting: In Progress

EDIT: Also ran SUPERantispyware, and that found nothing in a quick scan.

EDIT: I would also like to mention that, upon reboot of my system, my default search engine in IE defaults to Roadrunner, instead of Google. If I change it to Google, it continues to use Google until the next reboot.

Edited by KelThuzad0398, 04 February 2009 - 07:20 PM.


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:52 AM

Posted 15 February 2009 - 10:24 AM

Hello KelThuzad0398

Welcome to BleepingComputer :thumbup2:
========================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#5 KelThuzad0398

KelThuzad0398
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 17 February 2009 - 10:36 AM

Just responding to let you know that I will follow your instructions as soon as I get home today.

EDIT: Just ran the tool, attach is attached, DDS is shown below:


DDS (Ver_09-02-01.01) - NTFSx86
Run by User Name at 16:27:29.28 on Tue 02/17/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1184 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\User Name\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://iss.k12.nc.us/schools/earlycollege/
uWindow Title = Internet Explorer provided by Dell
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.911.3380\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-7-24 5504]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-7-24 29744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-5-21 34576]

=============== Created Last 30 ================

2009-02-14 22:04 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-14 22:04 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-14 22:04 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-14 22:04 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-14 22:04 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-10 19:45 827,392 a------- c:\windows\system32\wininet.dll
2009-02-10 19:45 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-02-04 12:19 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-02-04 12:19 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-02-04 12:19 <DIR> --d----- c:\users\userna~1\appdata\roaming\SUPERAntiSpyware.com
2009-02-04 12:19 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-03 21:32 <DIR> --d----- c:\users\userna~1\appdata\roaming\Malwarebytes
2009-02-03 21:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-03 21:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-03 21:32 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-03 21:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-03 21:32 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-01 20:24 <DIR> --d----- c:\program files\Lavasoft
2009-02-01 05:01 <DIR> --d----- c:\program files\D-Day Coop
2009-02-01 01:22 <DIR> --d----- c:\programdata\DAEMON Tools Lite
2009-02-01 01:22 <DIR> --d----- c:\progra~2\DAEMON Tools Lite
2009-02-01 01:22 <DIR> --d----- c:\users\userna~1\appdata\roaming\DAEMON Tools Lite
2009-01-31 12:36 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-01-31 12:36 97,800 a------- c:\windows\system32\infocardapi.dll
2009-01-31 12:36 622,080 a------- c:\windows\system32\icardagt.exe
2009-01-31 12:36 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-01-31 12:36 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-01-31 12:36 11,264 a------- c:\windows\system32\icardres.dll
2009-01-31 12:36 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-01-31 12:36 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-01-31 12:31 96,760 a------- c:\windows\system32\dfshim.dll
2009-01-31 12:31 282,112 a------- c:\windows\system32\mscoree.dll
2009-01-31 12:31 41,984 a------- c:\windows\system32\netfxperf.dll
2009-01-31 12:31 158,720 a------- c:\windows\system32\mscorier.dll
2009-01-31 12:31 83,968 a------- c:\windows\system32\mscories.dll
2009-01-20 19:43 <DIR> --d----- c:\windows\system32\xlive
2009-01-20 19:43 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-01-20 19:42 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-20 19:42 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-20 19:42 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-01-20 19:42 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-01-20 19:42 467,984 a------- c:\windows\system32\d3dx10_39.dll
2009-01-20 19:42 238,088 a------- c:\windows\system32\xactengine3_2.dll

==================== Find3M ====================

2009-01-11 01:01 6,152 a------- c:\users\userna~1\appdata\roaming\wklnhst.dat
2009-01-01 16:41 1,067 a------- c:\program files\INSTALL.LOG
2008-12-11 23:04 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-11 23:04 51,200 a------- c:\windows\inf\infpub.dat
2008-12-11 23:04 86,016 a------- c:\windows\inf\infstor.dat
2008-12-03 18:45 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-12 02:23 174 a--sh--- c:\program files\desktop.ini
2008-10-12 02:15 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2003-12-18 11:33 20,102 a------- c:\program files\Readme.txt
2003-09-03 07:46 10,960 a------- c:\program files\EULA.txt
2008-09-01 21:33 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-01 21:33 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-01 21:33 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 16:27:50.16 ===============

I'll run the GMER scanner right now.

EDIT: GMER Scanner had no rootkit entries, but here it is.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-17 17:05:35
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8ECBDF20]

INT 0x51 ? 8665EBF8
INT 0x61 ? 84C16BF8
INT 0x71 ? 8665EBF8
INT 0x71 ? 8665EBF8
INT 0x92 ? 8665EBF8
INT 0xA2 ? 8665EBF8
INT 0xB2 ? 8665EBF8

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeSetTimerEx + 854 81CF8E18 4 Bytes [ 20, DF, CB, 8E ]
? System32\Drivers\spgf.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload 87DAF46F 5 Bytes JMP 8665E1D8

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 84C171F8
Device \FileSystem\fastfat \FatCdrom 8792C1F8
Device \FileSystem\udfs \UdfsCdRom 865621F8
Device \FileSystem\udfs \UdfsDisk 865621F8
Device \Driver\volmgr \Device\VolMgrControl 842841F8
Device \Driver\usbuhci \Device\USBPDO-0 865941F8
Device \Driver\usbuhci \Device\USBPDO-1 865941F8
Device \Driver\usbehci \Device\USBPDO-2 865951F8
Device \Driver\USBSTOR \Device\00000060 865791F8
Device \Driver\usbuhci \Device\USBPDO-3 865941F8
Device \Driver\netbt \Device\NetBT_Tcpip_{64D341FD-F941-4C6C-8277-1AC8B1C5744B} 870A6500
Device \Driver\USBSTOR \Device\00000061 865791F8
Device \Driver\usbuhci \Device\USBPDO-4 865941F8
Device \Driver\usbuhci \Device\USBPDO-5 865941F8
Device \Driver\usbehci \Device\USBPDO-6 865951F8
Device \Driver\volmgr \Device\HarddiskVolume1 842841F8
Device \Driver\volmgr \Device\HarddiskVolume2 842841F8
Device \Driver\cdrom \Device\CdRom0 865AA1F8
Device \Driver\volmgr \Device\HarddiskVolume3 842841F8
Device \Driver\cdrom \Device\CdRom1 865AA1F8
Device \Driver\volmgr \Device\HarddiskVolume4 842841F8
Device \Driver\volmgr \Device\HarddiskVolume5 842841F8
Device \Driver\volmgr \Device\HarddiskVolume6 842841F8
Device \Driver\volmgr \Device\HarddiskVolume7 842841F8
Device \Driver\netbt \Device\NetBt_Wins_Export 870A6500
Device \Driver\Smb \Device\NetbiosSmb 870D11F8
Device \Driver\iScsiPrt \Device\RaidPort0 86730500
Device \Driver\USBSTOR \Device\0000005d 865791F8
Device \Driver\USBSTOR \Device\0000005e 865791F8
Device \Driver\USBSTOR \Device\0000005f 865791F8
Device \Driver\usbuhci \Device\USBFDO-0 865941F8
Device \Driver\usbuhci \Device\USBFDO-1 865941F8
Device \Driver\usbehci \Device\USBFDO-2 865951F8
Device \Driver\usbuhci \Device\USBFDO-3 865941F8
Device \Driver\usbuhci \Device\USBFDO-4 865941F8
Device \Driver\usbuhci \Device\USBFDO-5 865941F8
Device \Driver\usbehci \Device\USBFDO-6 865951F8
Device \FileSystem\fastfat \Fat 8792C1F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 865392A0

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x71 0x81 0x20 0xEF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x71 0x81 0x20 0xEF ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Program Files\Electronic Arts\SimCity™ Societies\PackageInstaller.exe 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Program Files\Electronic Arts\The Lord of the Rings - Conquest™\Support\The Lord of the Rings - Conquest_uninst.exe 1

---- EOF - GMER 1.0.14 ----

Edited by KelThuzad0398, 17 February 2009 - 05:07 PM.


#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:52 AM

Posted 17 February 2009 - 08:26 PM

Hi, your system appears clean. The file that you are referring to is a file placed on your C:\ drive by Ad-Aware.
aaw7boot is the Ad-Aware boot cleaning utility.

See this link:
http://www.greatis.com/appdata/a/l/lsdelete.exe.htm

Are you having any other issues?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#7 KelThuzad0398

KelThuzad0398
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 17 February 2009 - 08:32 PM

Well, that's a relief. Thanks for the assistance.

I suppose it was just paranoia. It felt like the computer was working a little slower, but it's probably just me.

Again, thanks for the help.

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:52 AM

Posted 17 February 2009 - 08:34 PM

No problem, you can delete everything we used.
==========
After that your log is clean. :thumbup2:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them; they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

#9 KelThuzad0398

KelThuzad0398
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 17 February 2009 - 08:53 PM

Hmm...

I just performed the disk cleanup, overall it was about 30 MB.

Uninstalled a game, 4 GB.

Removed a few folders, 300 KB.

Purged the system restore. No idea how much that was.

Now it says that I have 235 GB open when I had 197 GB open before.

Is that normal? Did I maybe read something wrong?

Anyway, the computer seems to be working faster now.

Edited by KelThuzad0398, 17 February 2009 - 09:03 PM.


#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:52 AM

Posted 17 February 2009 - 09:11 PM

Not sure.
If it is running fine that is good, if you don't have any further questions I will close this thread.

#11 KelThuzad0398

KelThuzad0398
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 17 February 2009 - 09:13 PM

Go ahead. Thanks for the help.

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:52 AM

Posted 17 February 2009 - 09:18 PM

You are welcome :thumbup2:


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



