
Annual hijackthis scan


18 replies to this topic

#1 thefourkingdoms

thefourkingdoms

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Philippines
  • Local time:06:10 AM

Posted 26 February 2009 - 07:23 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:15 PM, on 2/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Cursors\lsass.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Hcontrol.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ATKOSD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtWLan.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fmz.qiwa.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\Hcontrol.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtWLan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 6645 bytes

DDS (Ver_09-02-01.01) - FAT32x86
Run by Ivy Reside at 20:05:04.82 on Thu 02/26/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.224.28 [GMT 8:00]

AV: avast! antivirus 4.8.1335 [VPS 090221-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Hcontrol.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ATKOSD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtWLan.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Ivy Reside\My Documents\Jimbo's Files\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://fmz.qiwa.com
mDefault_Page_URL = hxxp://www.asus.com.tw
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [Hcontrol] c:\windows\Hcontrol.exe
mRun: [SiS Tray] c:\windows\system32\sistray.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04b\BrStDvPt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek\rtl8187 wireless lan utility\RtWLan.exe
mPolicies-explorer: Run = 1 (0x1)
mPolicies-explorer: NoRun = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ivyres~1\applic~1\mozilla\firefox\profiles\rkjtdypp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 4

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-3 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-22 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-3 138680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-2-1 38144]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-3 352920]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [2009-2-1 332928]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-3-5 814277]
S3 AEIWL;Actiontec Wireless LAN Driver;c:\windows\system32\drivers\AEIWLNDS.sys [2003-3-5 629760]
S3 GT680xNT;ColorPage-Vivid 1200XE;c:\windows\system32\drivers\Gt680x.sys [2004-12-18 17376]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\packet.sys [2005-9-3 13299]

============== File Associations ===============

inifile="%1" %*

=============== Created Last 30 ================

2009-02-26 13:26 159,443 a------- c:\windows\system32\x
2009-02-26 08:04 69 a------- c:\windows\NeroDigital.ini
2009-02-25 16:08 <DIR> --d----- c:\program files\Nero
2009-02-25 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-02-25 10:39 <DIR> --d----- C:\downloads
2009-02-25 10:39 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\FMZilla
2009-02-25 10:39 <DIR> --d----- c:\program files\Free Music Zilla
2009-02-13 00:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-13 00:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-12 09:32 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\AVS4YOU
2009-02-12 09:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-02-12 09:27 <DIR> --d----- c:\program files\common files\AVSMedia
2009-02-12 09:27 24,576 a------- c:\windows\system32\msxml3a.dll
2009-02-12 09:27 <DIR> --d----- c:\program files\AVS4YOU
2009-02-12 07:41 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\Any Video Converter
2009-02-12 07:41 <DIR> --d----- c:\program files\Any Video Converter
2009-02-11 15:22 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\Canneverbe_Limited
2009-02-11 10:11 <DIR> --d----- c:\program files\FormatFactory
2009-02-10 18:16 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-10 18:09 19,569 a------- c:\windows\002604_.tmp
2009-02-10 18:03 <DIR> --d----- c:\windows\EHome
2009-02-10 13:42 <DIR> --d----- c:\program files\INSYDE
2009-02-06 07:46 129,784 -------- c:\windows\system32\pxafs.dll
2009-02-06 07:46 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-02-06 07:46 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-02-06 07:46 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-02-06 07:46 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-02-05 12:17 <DIR> --d----- c:\program files\Defraggler
2009-02-04 11:16 <DIR> --d----- c:\program files\Yahoo!
2009-02-02 11:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-02 11:10 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-02 11:10 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\SUPERAntiSpyware.com
2009-02-02 08:44 50 a------- c:\windows\MegaManager.INI
2009-02-02 07:08 <DIR> --d----- c:\program files\uTorrent
2009-02-02 07:08 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\uTorrent
2009-02-02 07:00 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\Megaupload
2009-02-02 06:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Megaupload
2009-02-02 06:59 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\EmailNotifier
2009-02-02 06:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EmailNotifier
2009-02-02 06:58 <DIR> --d----- c:\program files\Megaupload
2009-02-02 00:23 338,432 a------- c:\windows\system32\zipfldr.dll
2009-02-02 00:22 239,104 a------- c:\windows\system32\srrstr.dll
2009-02-02 00:22 152,064 a------- c:\windows\system32\shmedia.dll
2009-02-02 00:22 152,064 a------- c:\windows\system32\dllcache\shmedia.dll
2009-02-02 00:21 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-02 00:21 584,704 a------- c:\windows\system32\rpcrt4.dll
2009-02-02 00:21 215,552 a------- c:\windows\system32\osk.exe
2009-02-02 00:21 1,287,168 a------- c:\windows\system32\ole32.dll
2009-02-02 00:20 247,808 a------- c:\windows\system32\newdev.dll
2009-02-02 00:20 53,760 a------- c:\windows\system32\narrator.exe
2009-02-02 00:20 155,136 a------- c:\windows\system32\itircl.dll
2009-02-02 00:20 138,240 a------- c:\windows\system32\itss.dll
2009-02-02 00:20 75,264 a------- c:\windows\system32\locator.exe
2009-02-02 00:20 72,704 a------- c:\windows\system32\magnify.exe
2009-02-02 00:20 41,472 a------- c:\windows\system32\hhsetup.dll
2009-02-02 00:20 545,280 a------- c:\windows\system32\hhctrl.ocx
2009-02-02 00:20 10,752 a------- c:\windows\hh.exe
2009-02-02 00:20 62,464 a------- c:\windows\system32\cryptsvc.dll
2009-02-02 00:20 599,040 a------- c:\windows\system32\crypt32.dll
2009-02-02 00:20 184,320 a------- c:\windows\system32\accwiz.exe
2009-02-02 00:14 219,936 a------- c:\windows\system32\msltus40.dll
2009-02-02 00:14 46,352 a------- c:\windows\setdebug.exe
2009-02-02 00:14 171,280 a------- c:\windows\system32\jit.dll
2009-02-02 00:14 7,315 a------- c:\windows\system32\javasup.vxd
2009-02-02 00:14 139,536 a------- c:\windows\system32\javaee.dll
2009-02-02 00:14 6,550 a------- c:\windows\jautoexp.dat
2009-02-02 00:00 33,792 a------- c:\windows\system32\msgsvc.dll
2009-02-01 23:47 274,944 a------- c:\windows\system32\mstask.dll
2009-02-01 23:47 192,512 a------- c:\windows\system32\schedsvc.dll
2009-02-01 23:47 2,897,920 -------- c:\windows\system32\xpsp2res.dll
2009-02-01 23:47 12,288 a------- c:\windows\system32\mstinit.exe
2009-02-01 23:12 316,640 a------- c:\windows\WMSysPr9.prx
2009-02-01 23:05 26,112 a------- c:\windows\system32\xpsp1hfm.exe
2009-02-01 23:05 316,040 a------- c:\windows\system32\mp43dmod.dll
2009-02-01 23:05 384,512 a------- c:\windows\system32\mp4sdmod.dll
2009-02-01 23:05 240,640 a------- c:\windows\system32\mpg4dmod.dll
2009-02-01 23:05 240,640 a------- c:\windows\system32\dllcache\mpg4dmod.dll
2009-02-01 23:05 871,160 a------- c:\windows\system32\dllcache\wmvdmod.dll
2009-02-01 23:05 773,368 a------- c:\windows\system32\dllcache\wmsdmod.dll
2009-02-01 23:05 380,144 a------- c:\windows\system32\dllcache\wmadmod.dll
2009-02-01 22:05 <DIR> --d----- c:\windows\system32\PreInstall
2009-02-01 22:05 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-02-01 22:05 <DIR> --d-h--- c:\windows\$hf_mig$
2009-02-01 22:02 <DIR> --d----- c:\windows\system32\bits
2009-02-01 22:00 438,784 -------- c:\windows\system32\xpob2res.dll
2009-02-01 22:00 8,192 -------- c:\windows\system32\bitsprx2.dll
2009-02-01 22:00 7,168 -------- c:\windows\system32\bitsprx3.dll
2009-02-01 22:00 354,304 a------- c:\windows\system32\winhttp.dll
2009-02-01 22:00 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-02-01 21:56 <DIR> --ds---- c:\documents and settings\ivy reside\UserData
2009-02-01 21:31 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-01 21:28 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-02-01 21:28 183,296 a------- c:\windows\system32\wuaueng1.dll
2009-02-01 21:28 165,888 a------- c:\windows\system32\wuauclt1.exe
2009-02-01 21:13 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2009-02-01 21:13 332,928 -----r-- c:\windows\system32\drivers\rtl8187.sys
2009-02-01 21:13 <DIR> --d----- c:\windows\OPTIONS
2009-02-01 21:13 332,928 -----r-- c:\windows\system\rtl8187.sys
2009-02-01 21:12 38,144 a------- c:\windows\system32\drivers\EAPPkt.sys
2009-02-01 21:12 <DIR> --d----- c:\windows\system32\REALTEK RTL8187 Wireless LAN Driver and Utility
2009-02-01 21:12 <DIR> --d----- c:\program files\REALTEK
2009-01-28 22:17 <DIR> --d----- c:\program files\Investintech.com Inc

==================== Find3M ====================

2009-02-25 15:41 724,993 a---h--- c:\windows\cursors\lsass.exe
2009-02-10 18:23 73,051 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-02 00:14 2,678 a------- c:\windows\java\packages\data\7B9RHNJJ.DAT
2009-02-02 00:14 2,678 a------- c:\windows\java\packages\data\P7BBX7ZD.DAT
2009-02-02 00:13 2,678 a------- c:\windows\java\packages\data\Y8LJRR13.DAT
2009-02-02 00:13 2,678 a------- c:\windows\java\packages\data\W5JBR7FD.DAT
2009-02-02 00:13 2,678 a------- c:\windows\java\packages\data\F37VNVBR.DAT
2008-12-11 08:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-11 08:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-09 10:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-09 10:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-09 10:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-09 10:28 57,344 a------- c:\windows\system32\dpv11.dll
2007-07-22 11:55 70,328 a------- c:\docume~1\ivyres~1\applic~1\GDIPFONTCACHEV1.DAT
2006-06-04 00:55 3,200 a------- c:\program files\uninstal.log

============= FINISH: 20:06:04.03 ===============

These are the things you guys need, right? I hope you guys can help me. I'm not sure if my laptop is clean, which is why I do this every year to make sure.

Thanks in advance!
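As an added defender-side example (not part of the thread and not code from HijackThis or DDS), here is a small Python triage script that applies a few of the checks a helper would run over logs like the ones above: a core Windows binary name running from a directory it does not belong in (the `lsass.exe` under `C:\WINDOWS\Cursors` listed above), hidden-attribute executables in the file listings, and the `DisableTaskMgr`, `DisableRegistryTools` and `NoRun` policy entries. The directory allow-list is an assumption for Windows XP, and the sample lines are constructed from the logs posted above.

```python
import re

# Constructed sample: a handful of lines taken from the HijackThis and DDS logs
# posted above (not the full logs), so the checks run offline.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Cursors\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
mPolicies-explorer: NoRun = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
2009-02-25 15:41 724,993 a---h--- c:\windows\cursors\lsass.exe
2009-02-25 16:08 <DIR> --d----- c:\program files\Nero
2009-02-02 00:14 2,678 a------- c:\windows\java\packages\data\7B9RHNJJ.DAT
"""

# Assumption: on Windows XP these core binaries legitimately live only here.
# A copy with the same name anywhere else is worth a closer look.
SYSTEM_BINARIES = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Policy values that lock the user out of Task Manager, regedit and Run.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoRun"}

# HijackThis "Running processes" line: a bare path ending in .exe.
PROCESS_RE = re.compile(r"^([a-z]:\\.+\.exe)\s*$", re.IGNORECASE)
# DDS policy line, e.g. "dPolicies-system: DisableTaskMgr = 1 (0x1)".
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s+(\w+)\s*=\s*(\S+)")
# DDS file listing line: date, time, size or <DIR>, 8-char attributes, path.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+([a-z-]{8})\s+(.+)$",
    re.IGNORECASE,
)


def check_path(path):
    """Flag a core system binary name that sits outside its expected directory."""
    low = path.lower().replace("/", "\\")
    directory, _, name = low.rpartition("\\")
    expected = SYSTEM_BINARIES.get(name)
    if expected is not None and directory not in expected:
        return [("system-name-wrong-dir", path)]
    return []


def triage(text):
    """Return (finding-kind, evidence) tuples for every suspicious line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = PROCESS_RE.match(line)
        if m:
            findings.extend(check_path(m.group(1)))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in RESTRICTIVE_POLICIES and m.group(2) != "0":
            findings.append(("restrictive-policy", line))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # "h" in the attribute column means the hidden attribute is set.
            if "h" in attrs.lower() and path.lower().endswith(".exe"):
                findings.append(("hidden-executable", path))
            findings.extend(check_path(path))
    return findings


if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_LOG):
        print(f"{kind:24} {evidence}")
```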


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:10 PM

Posted 10 March 2009 - 04:20 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Looks good at a quick glance.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the DDS logs
-the F-Secure scan log

Please give me an update on the symptoms. Also tell me of any changes you have made to this computer.

With Regards,
The Panda

#3 thefourkingdoms

thefourkingdoms
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Philippines
  • Local time:06:10 AM

Posted 10 March 2009 - 11:40 PM

DDS (Ver_09-02-01.01) - FAT32x86
Run by Ivy Reside at 12:35:56.96 on Wed 03/11/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.224.27 [GMT 8:00]

AV: avast! antivirus 4.8.1335 [VPS 090225-1] *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtWLan.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ivy Reside\My Documents\Jimbo's Files\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://fmz.qiwa.com
mDefault_Page_URL = hxxp://www.asus.com.tw
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04b\BrStDvPt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SiS Tray] c:\windows\system32\sistray.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek\rtl8187 wireless lan utility\RtWLan.exe
mPolicies-explorer: Run = 1 (0x1)
mPolicies-explorer: NoRun = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ivyres~1\applic~1\mozilla\firefox\profiles\rkjtdypp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 4

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-26 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-26 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-2-1 38144]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [2009-2-1 332928]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-3-5 814277]
S3 AEIWL;Actiontec Wireless LAN Driver;c:\windows\system32\drivers\AEIWLNDS.sys [2003-3-5 629760]
S3 GT680xNT;ColorPage-Vivid 1200XE;c:\windows\system32\drivers\Gt680x.sys [2004-12-18 17376]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\packet.sys [2005-9-3 13299]

============== File Associations ===============

inifile="%1" %*

=============== Created Last 30 ================

2009-03-11 10:36 162,155 a------- c:\windows\system32\x
2009-03-06 10:52 1,409 a------- c:\windows\QTFont.for
2009-03-06 10:52 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-06 10:38 <DIR> --dsh--- C:\FOUND.000
2009-02-26 08:04 69 a------- c:\windows\NeroDigital.ini
2009-02-25 16:08 <DIR> --d----- c:\program files\Nero
2009-02-25 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-02-25 10:39 <DIR> --d----- C:\downloads
2009-02-25 10:39 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\FMZilla
2009-02-25 10:39 <DIR> --d----- c:\program files\Free Music Zilla
2009-02-13 00:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-13 00:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-12 09:32 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\AVS4YOU
2009-02-12 09:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-02-12 09:27 <DIR> --d----- c:\program files\common files\AVSMedia
2009-02-12 09:27 24,576 a------- c:\windows\system32\msxml3a.dll
2009-02-12 09:27 <DIR> --d----- c:\program files\AVS4YOU
2009-02-12 07:41 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\Any Video Converter
2009-02-12 07:41 <DIR> --d----- c:\program files\Any Video Converter
2009-02-11 15:22 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\Canneverbe_Limited
2009-02-11 10:11 <DIR> --d----- c:\program files\FormatFactory
2009-02-10 18:16 <DIR> --d----- c:\windows\ServicePackFiles
2009-02-10 18:09 19,569 a------- c:\windows\002604_.tmp
2009-02-10 18:03 <DIR> --d----- c:\windows\EHome
2009-02-10 13:42 <DIR> --d----- c:\program files\INSYDE

==================== Find3M ====================

2009-02-28 10:02 71,104 a------- c:\docume~1\ivyres~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-25 15:41 724,993 a---h--- c:\windows\cursors\lsass.exe
2009-02-10 18:23 73,051 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-02 00:14 2,678 a------- c:\windows\java\packages\data\7B9RHNJJ.DAT
2009-02-02 00:14 2,678 a------- c:\windows\java\packages\data\P7BBX7ZD.DAT
2009-02-02 00:13 2,678 a------- c:\windows\java\packages\data\Y8LJRR13.DAT
2009-02-02 00:13 2,678 a------- c:\windows\java\packages\data\W5JBR7FD.DAT
2009-02-02 00:13 2,678 a------- c:\windows\java\packages\data\F37VNVBR.DAT
2009-02-01 21:13 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2006-06-04 00:55 3,200 a------- c:\program files\uninstal.log

============= FINISH: 12:36:55.41 ===============

#4 thefourkingdoms

thefourkingdoms
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Philippines
  • Local time:06:10 AM

Posted 11 March 2009 - 04:16 AM

Can I use an alternative online scanner? I can't seem to download the necessary things it needs to work.

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:10 PM

Posted 11 March 2009 - 07:18 AM

Hello.

Please skip the online scan for now.

I see signs of infection, and want to check for rootkits.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply
With Regards,
The Panda

#6 thefourkingdoms

thefourkingdoms
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Philippines
  • Local time:06:10 AM

Posted 11 March 2009 - 09:25 PM

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-12 10:23:09
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF694C6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF694C574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF694CA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF694C14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF694C64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF694C08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF694C0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF694C76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF694C72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF694C8AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1000] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[1000] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:10 PM

Posted 12 March 2009 - 07:16 AM

Hello.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :reg
    [HKEY_USERS\.DEFAULT\software\microsoft\windows\currentversion\policies\explorer]
    "DisableTaskMgr"=-
    "DisableRegistryTools"=-
    
    :files
    c:\windows\system32\x
    c:\windows\cursors\lsass.exe
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Also take a new DDS.txt log please.

With Regards,
The Panda

#8 thefourkingdoms

thefourkingdoms
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Philippines
  • Local time:06:10 AM

Posted 12 March 2009 - 03:04 PM

By the way, I forgot to thank you Propaganda Panda for helping me out.

Here's my OTMoveit log.

========== REGISTRY ==========
Registry value HKEY_USERS\.DEFAULT\software\microsoft\windows\currentversion\policies\explorer\\DisableTaskMgr not found.
Registry value HKEY_USERS\.DEFAULT\software\microsoft\windows\currentversion\policies\explorer\\DisableRegistryTools not found.
========== FILES ==========
File/Folder c:\windows\system32\x not found.
File/Folder c:\windows\cursors\lsass.exe not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_710.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_d4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03132009_035739

Files moved on Reboot...
File C:\DOCUME~1\IVYRES~1\LOCALS~1\Temp\etilqs_JRhg0jfxTPHAlNRPnyAG not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_710.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_d4.dat scheduled to be moved on reboot.

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:10 PM

Posted 12 March 2009 - 03:07 PM

Glad I could help.

Continue with the Kaspersky scan when ready please.

With Regards,
The Panda

#10 thefourkingdoms

thefourkingdoms
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Philippines
  • Local time:06:10 AM

Posted 13 March 2009 - 08:55 AM

Kaspersky log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 13, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 13, 2009 12:11:17
Records in database: 1895525
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 52923
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:50:02


File name / Threat name / Threats count
C:\_OTMoveIt\MovedFiles\03132009_035616\windows\system32\x Infected: Net-Worm.Win32.Kido.ih 1
C:\_OTMoveIt\MovedFiles\03132009_035616\windows\cursors\lsass.exe Infected: Trojan-Downloader.Win32.Agent.biva 1

The selected area was scanned.

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:10 PM

Posted 13 March 2009 - 10:40 AM

Looks good.

Let's have a fresh DDS log for a final check.

Any issues at the moment?

With Regards,
The Panda

#12 thefourkingdoms

thefourkingdoms
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Philippines
  • Local time:06:10 AM

Posted 13 March 2009 - 05:27 PM

No issues yet.

Here's a new DDS log


DDS (Ver_09-02-01.01) - FAT32x86
Run by Ivy Reside at 6:24:39.04 on Sat 03/14/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.224.19 [GMT 8:00]

AV: avast! antivirus 4.8.1335 [VPS 090225-1] *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK\RTL8187 Wireless LAN Utility\RtWLan.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ivy Reside\My Documents\Jimbo's Files\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.asus.com.tw
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04b\BrStDvPt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SiS Tray] c:\windows\system32\sistray.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek\rtl8187 wireless lan utility\RtWLan.exe
mPolicies-explorer: Run = 1 (0x1)
mPolicies-explorer: NoRun = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ivyres~1\applic~1\mozilla\firefox\profiles\rkjtdypp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 4

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-26 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-26 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-26 138680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-2-1 38144]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-26 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-26 352920]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [2009-2-1 332928]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-3-5 814277]
S3 AEIWL;Actiontec Wireless LAN Driver;c:\windows\system32\drivers\AEIWLNDS.sys [2003-3-5 629760]
S3 GT680xNT;ColorPage-Vivid 1200XE;c:\windows\system32\drivers\Gt680x.sys [2004-12-18 17376]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\packet.sys [2005-9-3 13299]

============== File Associations ===============

inifile="%1" %*

=============== Created Last 30 ================

2009-03-13 03:56 <DIR> --d----- C:\_OTMoveIt
2009-03-11 12:49 <DIR> --d----- C:\fsaua.data
2009-03-06 10:52 1,409 a------- c:\windows\QTFont.for
2009-03-06 10:52 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-06 10:38 <DIR> --dsh--- C:\FOUND.000
2009-02-26 08:04 69 a------- c:\windows\NeroDigital.ini
2009-02-25 16:08 <DIR> --d----- c:\program files\Nero
2009-02-25 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-02-25 10:39 <DIR> --d----- C:\downloads
2009-02-25 10:39 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\FMZilla
2009-02-25 10:39 <DIR> --d----- c:\program files\Free Music Zilla
2009-02-13 00:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-13 00:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-12 09:32 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\AVS4YOU
2009-02-12 09:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-02-12 09:27 <DIR> --d----- c:\program files\common files\AVSMedia
2009-02-12 09:27 24,576 a------- c:\windows\system32\msxml3a.dll
2009-02-12 09:27 <DIR> --d----- c:\program files\AVS4YOU
2009-02-12 07:41 <DIR> --d----- c:\docume~1\ivyres~1\applic~1\Any Video Converter
2009-02-12 07:41 <DIR> --d----- c:\program files\Any Video Converter

==================== Find3M ====================

2009-02-28 10:02 71,104 a------- c:\docume~1\ivyres~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-10 18:23 73,051 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-02 00:14 2,678 a------- c:\windows\java\packages\data\7B9RHNJJ.DAT
2009-02-02 00:14 2,678 a------- c:\windows\java\packages\data\P7BBX7ZD.DAT
2009-02-02 00:13 2,678 a------- c:\windows\java\packages\data\Y8LJRR13.DAT
2009-02-02 00:13 2,678 a------- c:\windows\java\packages\data\W5JBR7FD.DAT
2009-02-02 00:13 2,678 a------- c:\windows\java\packages\data\F37VNVBR.DAT
2009-02-01 21:13 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2006-06-04 00:55 3,200 a------- c:\program files\uninstal.log

============= FINISH: 6:25:25.70 ===============

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:10 PM

Posted 13 March 2009 - 06:49 PM

Hello.

Looks clean. Unless there are any issues at the moment, we can wrap up.

Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.
  • Double click the OTMoveIt2.exe icon on your desktop to start the program.
  • Click Posted Image.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#14 thefourkingdoms

thefourkingdoms
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Philippines
  • Local time:06:10 AM

Posted 13 March 2009 - 09:59 PM

I have one concern. I'm concerned about flash disks that are plugged into my laptop. Is there any program that will protect my flash disks from getting infected when I plug them in other computers?

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:10 PM

Posted 14 March 2009 - 08:54 AM

Hello.

Yes, there is a tool just for that.

FlashDisinfector works by creating a dummy folder named autorun.inf, which is difficult to delete, on the root of all your drives. While this is present, the autorun.inf file that is used by worms to spread cannot be created. It isn't perfect, but will stop most worms.

You may also want to disable autoplay on your computers. If your computer doesn't automatically start files on the removable drives, it won't matter if there are infected files on them (unless you manually click them).

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

With Regards,
The Panda
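A scripted version of the two protections Panda describes in the post above (a placeholder autorun.inf folder on every drive root, plus AutoRun switched off for all drive types), written here as an added example; it is not Flash_Disinfector's own code. It assumes an elevated Windows PowerShell session, uses the standard NoDriveTypeAutoRun policy value, and stands in for the "difficult to delete" folder with hidden/system/read-only attributes, which is a simplification.

```powershell
# Added example (not Flash_Disinfector or any BleepingComputer tool).
# Assumes: elevated Windows PowerShell; Win32_LogicalDisk DriveType 2 = removable, 3 = fixed.

function Protect-DriveAutorun {
    # Reserve <root>\autorun.inf as a folder so a worm cannot drop a file of that name.
    param([Parameter(Mandatory = $true)][string]$Root)   # e.g. 'E:\'
    $target = Join-Path $Root 'autorun.inf'

    if (Test-Path -LiteralPath $target -PathType Leaf) {
        # An autorun.inf FILE on a drive root is exactly what the worm in this thread
        # relies on; do not silently delete it, flag it for review instead.
        Write-Warning "$target is a file, not a folder; inspect it before continuing."
        return $false
    }
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -Path $target -ItemType Directory | Out-Null
    }
    # Hidden + System + ReadOnly on the directory: a simplified stand-in for the
    # hard-to-delete folder the tool creates; it raises the bar, it is not a guarantee.
    $item = Get-Item -LiteralPath $target -Force
    $item.Attributes = [IO.FileAttributes]::Directory -bor `
                       [IO.FileAttributes]::Hidden    -bor `
                       [IO.FileAttributes]::System    -bor `
                       [IO.FileAttributes]::ReadOnly
    return $true
}

function Disable-AutoRun {
    # Machine-wide policy: NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type,
    # so plugging in an infected stick no longer executes anything by itself.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutoRunDisabled {
    # Returns $true only when the policy value is present and set to 0xFF.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $prop = Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    return ($prop -ne $null -and $prop.NoDriveTypeAutoRun -eq 0xFF)
}

# Apply to every ready removable or fixed drive (Get-WmiObject so this also runs on XP-era PowerShell).
Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 } |
    ForEach-Object {
        $root = $_.DeviceID + '\'
        $ok = Protect-DriveAutorun -Root $root
        "{0} autorun.inf folder reserved: {1}" -f $root, $ok
    }

Disable-AutoRun
"AutoRun disabled for all drive types: $(Test-AutoRunDisabled)"
```

Drives plugged in after the script ran are not covered until it is run again, which is the same limitation the post notes for Flash_Disinfector.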
