Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Pentagon Data Breach Exposes up to 30,000 Travel Records

Featured Deal: Get 97% off The Complete Learn to Code Masterclass Bundle Deal

Hidden infections Windows XP

Started by sh4rkbyt3 , Oct 08 2009 01:38 PM

This topic is locked

2 replies to this topic

#1 sh4rkbyt3

Members
419 posts
OFFLINE

Gender:Male
Local time:12:27 PM

Posted 08 October 2009 - 01:38 PM

Having some issues with Windows XP that are not showing up through various scans. Hoping to resolve issues. The Attach.txt file is zipped and included as per instructions

DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 14:11:46.40 on Thu 10/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.592 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [F5D9050] c:\program files\belkin\f5d9050\Belkinwcui.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9bv6kktb.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-9-28 22360]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-29 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-29 27784]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-9-28 45416]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-29 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-29 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-29 297752]
R3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;c:\progra~1\belkin\f5d9050\BKNDIS5.SYS [2009-9-15 15872]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys --> c:\windows\system32\drivers\ss.sys [?]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S4 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]

=============== Created Last 30 ================

2009-10-07 15:35 132,096 -c------ c:\windows\system32\dllcache\wkssvc.dll
2009-10-07 15:33 119,808 -c------ c:\windows\system32\dllcache\t2embed.dll
2009-10-07 15:33 81,920 -c------ c:\windows\system32\dllcache\fontsub.dll
2009-10-07 15:16 585,216 -c------ c:\windows\system32\dllcache\rpcrt4.dll
2009-10-07 15:02 56,832 -c------ c:\windows\system32\dllcache\secur32.dll
2009-10-07 15:02 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll
2009-10-07 14:57 354,304 -c------ c:\windows\system32\dllcache\winhttp.dll
2009-10-07 14:52 956,928 -c------ c:\windows\system32\dllcache\msdtctm.dll
2009-10-07 14:52 161,792 -c------ c:\windows\system32\dllcache\msdtcuiu.dll
2009-10-07 14:52 91,648 -c------ c:\windows\system32\dllcache\mtxoci.dll
2009-10-07 14:52 66,560 -c------ c:\windows\system32\dllcache\mtxclu.dll
2009-10-07 14:52 58,880 -c------ c:\windows\system32\dllcache\msdtclog.dll
2009-10-07 14:43 144,896 -c------ c:\windows\system32\dllcache\schannel.dll
2009-10-07 14:14 286,720 -c------ c:\windows\system32\dllcache\gdi32.dll
2009-10-07 14:09 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-10-07 14:04 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-10-07 14:00 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-07 14:00 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-07 14:00 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-10-07 14:00 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-07 13:55 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-10-07 13:49 1,847,168 -c------ c:\windows\system32\dllcache\win32k.sys
2009-10-07 13:47 1,291,264 -c------ c:\windows\system32\dllcache\quartz.dll
2009-10-07 13:42 138,496 -c------ c:\windows\system32\dllcache\afd.sys
2009-10-07 11:40 <DIR> --d----- c:\windows\pss
2009-09-30 14:53 253,952 -c------ c:\windows\system32\dllcache\es.dll
2009-09-30 14:48 74,240 -c------ c:\windows\system32\dllcache\mscms.dll
2009-09-30 13:59 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-09-30 13:19 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-09-30 13:15 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-09-30 13:09 <DIR> -cd-h--- c:\windows\ie8
2009-09-29 17:10 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-29 17:10 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-29 17:10 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-29 17:10 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-29 17:09 <DIR> --d----- c:\program files\AVG
2009-09-29 17:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-29 16:59 221,184 a------- c:\windows\system32\wmpns.dll
2009-09-29 16:59 316,640 a------- c:\windows\WMSysPr9.prx
2009-09-29 16:57 <DIR> --d----- c:\windows\system32\wbem\AutoRecover
2009-09-29 16:51 <DIR> --d----- c:\program files\Messenger
2009-09-29 16:49 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-29 16:43 19,569 a------- c:\windows\002631_.tmp
2009-09-29 16:39 <DIR> --d----- c:\windows\EHome
2009-09-29 16:12 24,576 a------- c:\windows\system32\xpsp1hfm.exe
2009-09-29 14:59 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-29 14:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-29 12:18 <DIR> a-dshr-- C:\cmdcons
2009-09-29 12:18 229,888 a------- c:\windows\PEV.exe
2009-09-29 12:18 161,792 a------- c:\windows\SWREG.exe
2009-09-29 12:18 98,816 a------- c:\windows\sed.exe
2009-09-29 12:17 <DIR> --d----- C:\ComboFix
2009-09-29 11:49 <DIR> --d----- c:\docume~1\owner\applic~1\AVG8
2009-09-28 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-28 20:13 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-28 20:13 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-09-28 20:12 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-28 19:46 <DIR> --dsh--- c:\documents and settings\owner\UserData
2009-09-28 18:30 <DIR> --d----- c:\program files\Trend Micro
2009-09-28 17:46 <DIR> --d----- c:\docume~1\owner\applic~1\GlarySoft
2009-09-28 16:45 <DIR> --d----- c:\docume~1\owner\applic~1\Auslogics
2009-09-28 16:45 <DIR> --d----- c:\program files\Auslogics
2009-09-28 16:10 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-28 16:10 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 16:10 18,520 a------- c:\windows\system32\drivers\mbam.sys
2009-09-28 16:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-28 16:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 16:02 <DIR> --d----- c:\program files\CCleaner
2009-09-15 11:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-15 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-15 10:15 1,082,368 a------- c:\windows\system32\esent.dll
2009-09-15 10:10 <DIR> --d----- c:\windows\system32\bits
2009-09-15 10:09 <DIR> --d----- c:\windows\system32\PreInstall
2009-09-15 10:09 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-09-15 10:09 <DIR> --d-h--- c:\windows\$hf_mig$
2009-09-15 09:56 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-09-15 09:56 8,192 -------- c:\windows\system32\bitsprx2.dll
2009-09-15 09:56 7,168 -------- c:\windows\system32\bitsprx3.dll
2009-09-15 09:56 354,304 a------- c:\windows\system32\winhttp.dll
2009-09-15 09:53 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-09-15 09:50 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-09-15 09:50 183,296 a------- c:\windows\system32\wuaueng1.dll
2009-09-15 09:50 165,888 a------- c:\windows\system32\wuauclt1.exe
2009-09-15 09:36 20,747 a------- c:\windows\system32\drivers\AegisP.sys
2009-09-15 09:36 245,248 a------- c:\windows\system32\drivers\rt73.sys
2009-09-15 09:36 40,960 a------- c:\windows\system32\F5D9050.dll
2009-09-15 09:36 36,864 a------- c:\windows\system32\ss.dll
2009-09-15 09:36 <DIR> --d----- c:\program files\Belkin
2009-09-15 09:34 43,136 a----r-- c:\windows\system32\drivers\bcm4sbxp.sys
2009-09-15 09:34 <DIR> --d----- c:\program files\Broadcom
2009-09-15 09:21 151,552 a------- c:\windows\system32\igfxres.dll
2009-09-15 09:20 266,240 -------- c:\windows\system32\shpshftr.dll
2009-09-15 09:17 24,960 a------- c:\windows\system32\drivers\pciidex.sys
2009-09-15 09:17 3,328 ac------ c:\windows\system32\dllcache\pciide.sys
2009-09-15 09:17 96,512 a------- c:\windows\system32\drivers\atapi.sys
2009-09-15 09:17 3,328 a------- c:\windows\system32\drivers\pciide.sys
2009-09-15 09:17 143,872 a------- c:\windows\system32\drivers\usbport.sys
2009-09-15 09:17 74,240 a------- c:\windows\system32\usbui.dll
2009-09-15 09:17 59,520 a------- c:\windows\system32\drivers\usbhub.sys
2009-09-15 09:17 20,608 a------- c:\windows\system32\drivers\usbuhci.sys
2009-09-15 09:17 37,248 a------- c:\windows\system32\drivers\isapnp.sys
2009-09-15 09:17 68,224 a------- c:\windows\system32\drivers\pci.sys
2009-09-15 09:17 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-09-15 09:14 <DIR> --d----- c:\program files\Analog Devices
2009-09-15 09:12 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-09-15 09:12 1,064,456 a------- c:\windows\system32\MSCOMCTL.OCX
2009-09-15 09:12 645,616 a------- c:\windows\system32\MSCOMCT2.OCX
2009-09-15 09:12 414,944 a------- c:\windows\system32\COMCT332.OCX
2009-09-15 09:12 176,128 a------- c:\windows\system32\RcdScan.dll
2009-09-15 09:12 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-09-15 09:12 171,967 a------- c:\windows\system32\Odbcjet.hlp
2009-09-15 09:12 7,348 a------- c:\windows\system32\Odbcjet.cnt
2009-09-15 09:12 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-09-15 09:12 13,632 -------- c:\windows\system32\drivers\omci.sys
2009-09-15 00:34 <DIR> --ds---- c:\windows\system32\Microsoft
2009-09-15 00:33 <DIR> --dsh--- c:\windows\Installer
2009-09-15 00:32 <DIR> --d----- c:\documents and settings\Owner
2009-09-15 00:30 156,672 ac------ c:\windows\system32\dllcache\winzm.ime
2009-09-15 00:30 156,672 ac------ c:\windows\system32\dllcache\winsp.ime
2009-09-15 00:30 156,672 ac------ c:\windows\system32\dllcache\winpy.ime
2009-09-15 00:30 65,536 ac------ c:\windows\system32\dllcache\winime.ime
2009-09-15 00:30 72,704 ac------ c:\windows\system32\dllcache\wingb.ime
2009-09-15 00:30 79,360 ac------ c:\windows\system32\dllcache\winar30.ime
2009-09-15 00:30 31,232 ac------ c:\windows\system32\dllcache\weitekp9.sys
2009-09-15 00:30 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
2009-09-15 00:30 48,256 ac------ c:\windows\system32\dllcache\w32.dll
2009-09-15 00:30 426,041 ac------ c:\windows\system32\dllcache\voicepad.dll
2009-09-15 00:30 86,073 ac------ c:\windows\system32\dllcache\voicesub.dll
2009-09-15 00:28 131,584 ac------ c:\windows\system32\dllcache\pmxviceo.dll
2009-09-15 00:27 9,216 ac------ c:\windows\system32\dllcache\kbdnecat.dll
2009-09-15 00:26 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-09-15 00:25 78,848 ac------ c:\windows\system32\dllcache\dayi.ime
2009-09-15 00:24 <DIR> --d----- c:\windows\system32\xircom
2009-09-15 00:24 <DIR> --d----- c:\windows\system32\wbem\snmp
2009-09-15 00:24 <DIR> --d----- C:\DELL
2009-09-15 00:24 2,577 a------- c:\windows\system32\CONFIG.NT
2009-09-15 00:24 0 a------- c:\windows\control.ini
2009-09-15 00:24 25,065 a------- c:\windows\system32\wmpscheme.xml
2009-09-15 00:24 23,392 a------- c:\windows\system32\nscompat.tlb
2009-09-15 00:24 16,832 a------- c:\windows\system32\amcompat.tlb
2009-09-15 00:24 299,552 a------- c:\windows\WMSysPrx.prx
2009-09-15 00:22 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-09-15 00:21 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-09-15 00:21 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-09-15 00:21 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-09-15 00:21 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-09-15 00:21 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-09-15 00:21 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-09-15 00:21 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-09-15 00:21 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-09-15 00:21 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-09-15 00:21 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-09-15 00:21 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-09-15 00:21 <DIR> --d----- c:\windows\system32\DirectX
2009-09-15 00:20 <DIR> --d----- c:\program files\common files\MSSoap
2009-09-15 00:18 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-09-15 00:18 <DIR> --d----- c:\program files\Online Services
2009-09-15 00:18 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-09-15 00:17 <DIR> --d----- c:\program files\Windows NT
2009-09-14 19:42 <DIR> --d----- c:\program files\common files\ODBC
2009-09-14 19:42 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-09-14 19:42 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-09-29 16:53 71,627 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\CGW2CPVH.DAT
2009-09-15 00:23 558,142 a------- c:\windows\java\packages\WRR7L7XR.ZIP
2009-09-15 00:23 155,995 a------- c:\windows\java\packages\Q57R9ZNN.ZIP
2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\ZZL3LBR7.DAT
2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\ZRLF1VB5.DAT
2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\O9JV5NHV.DAT
2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\8ESQ5VZ7.DAT
2009-09-15 00:19 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-07-29 00:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- c:\windows\system32\fontsub.dll

============= FINISH: 14:12:36.85 ===============

And my RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/08 14:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE932000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B31000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal3.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal3.sys
Address: 0xEDBA3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgldr.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7cfecee

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7cfece4

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7cfecf3

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7cfecfd

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7cfed02

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7cfecd0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7cfecd5

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7cfed0c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7cfed07

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7cfecf8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7cfecdf

==EOF==

Attached Files

Attach.zip 1.66KB 12 downloads

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:05:27 PM

Posted 24 October 2009 - 01:10 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

ComboFix should not be run unless requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt in your next reply.

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Then please post back here with the following:

Combofix.txt
log.txt
info.txt

Thanks

Back to top

#3 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:05:27 PM

Posted 29 October 2009 - 10:57 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.