Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Slow computer, possibly infected with Memwatch, erratic mouse, cannot install Microsoft Office 2003 Service Pack 3


  • This topic is locked This topic is locked
20 replies to this topic

#1 schroederdude

schroederdude

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 25 October 2009 - 07:20 PM

Not sure exactly why, but first my mouse started behaving erratically, then my computer slowed down and the memory usage of the following increased quite a bit according to my Windows task manager: Mozilla Firefox, Avast anti-virus, AshWebSv.exe, svchost.exe, and explorer.exe.
I also cannot install Microsoft Office 2003 service pack 3 even though it is downloaded to my computer ("installation failed" message appears).

DDS Scan report:

DDS (Ver_09-10-24.04) - NTFSx86
Run by DELL at 19:32:07.62 on Sun 10/25/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1158 [GMT -4:00]

AV: avast! antivirus 4.8.1351 [VPS 091025-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DELL\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244062428343
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dell\applic~1\mozilla\firefox\profiles\vvu8bi07.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.salon.com/?source=refresh
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

As per the instructions you would have received, kindly ensure any onboard
script blocking tools have been disabled for they shall interfere with DDS.

DDS is a non-invasive diagnostic tool.

- DDS makes no registry writes/changes

- DDS does not create any permanent files/folders.

This scan should not take longer than three minutes to complete.

When the scan is complete, a logfile/report shall pop open.

Post the contents of the logfile to the forum where it was requested

We only require it to run just once. Dispose after use.


:::::::::::::::::::::::::::::::::::::::

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-20 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-19 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-8 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-8 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1170768]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-7-21 88192]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2008-7-18 26505]

=============== Created Last 30 ================

2009-10-20 21:09:22 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-19 22:43:22 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-19 22:43:22 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-19 22:43:22 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-10-19 22:15:28 0 d-----w- c:\program files\common files\Windows Live
2009-10-19 22:05:11 0 d-----w- c:\program files\Uniblue
2009-10-19 22:03:36 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-10-09 17:11:21 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-10-09 17:11:20 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-10-09 17:11:20 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-09 17:11:19 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-10-25 23:21:32 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 12:55:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 19:32:54.37 ===============


I CANNOT SEE ANOTHER OPTION TO UPLOAD ROOTREPEAL LOG, SO HERE IT IS TOO:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/25 19:48
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA5D6000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA75CB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xB9DFC000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\dell\local settings\application data\mozilla\firefox\profiles\vvu8bi07.default\cache\_cache_001_
Status: Size mismatch (API: 1848302, Raw: 1844449)

Path: c:\documents and settings\dell\local settings\application data\mozilla\firefox\profiles\vvu8bi07.default\cache\_cache_002_
Status: Size mismatch (API: 2840715, Raw: 2839445)

Path: c:\documents and settings\dell\local settings\application data\mozilla\firefox\profiles\vvu8bi07.default\cache\_cache_003_
Status: Size mismatch (API: 5111878, Raw: 5106586)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e6b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5afc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f57c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e574

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5b580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f6f900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f6fb10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f73b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5b670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f58210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f729f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3ea52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f6f280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f72f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f72f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f58070

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f71180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f70f40

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e76e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f736f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f73150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5abe0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e72e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5b190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f58440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e8ae

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f70200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa8efb0b0

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f59e70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f59f20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f59fe0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f58d60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5a250

==EOF==

BC AdBot (Login to Remove)

 


#2 schroederdude

schroederdude
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 25 October 2009 - 07:27 PM

If it matters, here's another attempt at uploading all DDS and RootRepeal logs. I also included a HiJackThis! Log at the end of message and attached the zipped DDS file:

DDS (Ver_09-10-24.04) - NTFSx86
Run by DELL at 19:32:07.62 on Sun 10/25/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1158 [GMT -4:00]

AV: avast! antivirus 4.8.1351 [VPS 091025-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DELL\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244062428343
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dell\applic~1\mozilla\firefox\profiles\vvu8bi07.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.salon.com/?source=refresh
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

As per the instructions you would have received, kindly ensure any onboard
script blocking tools have been disabled for they shall interfere with DDS.

DDS is a non-invasive diagnostic tool.

- DDS makes no registry writes/changes

- DDS does not create any permanent files/folders.

This scan should not take longer than three minutes to complete.

When the scan is complete, a logfile/report shall pop open.

Post the contents of the logfile to the forum where it was requested

We only require it to run just once. Dispose after use.


:::::::::::::::::::::::::::::::::::::::

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-20 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-19 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-8 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-8 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1170768]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-7-21 88192]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2008-7-18 26505]

=============== Created Last 30 ================

2009-10-20 21:09:22 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-19 22:43:22 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-19 22:43:22 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-19 22:43:22 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-10-19 22:15:28 0 d-----w- c:\program files\common files\Windows Live
2009-10-19 22:05:11 0 d-----w- c:\program files\Uniblue
2009-10-19 22:03:36 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-10-09 17:11:21 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-10-09 17:11:20 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-10-09 17:11:20 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-09 17:11:19 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-10-25 23:21:32 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 12:55:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 19:32:54.37 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/25 19:48
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA5D6000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA75CB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xB9DFC000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\dell\local settings\application data\mozilla\firefox\profiles\vvu8bi07.default\cache\_cache_001_
Status: Size mismatch (API: 1848302, Raw: 1844449)

Path: c:\documents and settings\dell\local settings\application data\mozilla\firefox\profiles\vvu8bi07.default\cache\_cache_002_
Status: Size mismatch (API: 2840715, Raw: 2839445)

Path: c:\documents and settings\dell\local settings\application data\mozilla\firefox\profiles\vvu8bi07.default\cache\_cache_003_
Status: Size mismatch (API: 5111878, Raw: 5106586)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e6b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5afc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f57c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e574

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5b580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f6f900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f6fb10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f73b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5b670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f58210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f729f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3ea52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f6f280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f72f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f72f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f58070

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f71180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f70f40

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e76e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f736f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f73150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5abe0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e72e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5b190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f58440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa8e3e8ae

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f70200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa8efb0b0

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f59e70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f59f20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f59fe0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f58d60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa8f5a250

==EOF==


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:24 PM, on 10/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DELL\Desktop\RootRepeal.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1244062428343
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5668 bytes

Attached Files



#3 schroederdude

schroederdude
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 31 October 2009 - 04:42 PM

Please help soon. My computer gets worse (slower and more difficult to keep things from crashing, possibly to due processes taking up too much memory) everyday!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:04 AM

Posted 01 November 2009 - 04:24 PM

Hello ,
And :( to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay
.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 schroederdude

schroederdude
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 01 November 2009 - 07:11 PM

Thank you so very much for your time, Elise!
My computer is still misbehaving in the ways I mentioned above.
Here is the info you requested:

DDS Report:

DDS (Ver_09-10-26.01) - NTFSx86
Run by DELL at 18:34:24.85 on Sun 11/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1237 [GMT -5:00]

AV: avast! antivirus 4.8.1351 [VPS 091101-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DELL\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244062428343
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dell\applic~1\mozilla\firefox\profiles\vvu8bi07.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.salon.com/?source=refresh
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-20 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-19 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-8 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-8 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-7-21 88192]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2008-7-18 26505]

=============== Created Last 30 ================

2009-10-27 21:25:35 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-20 21:09:22 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-19 22:43:22 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-19 22:43:22 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-19 22:43:22 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-10-19 22:15:28 0 d-----w- c:\program files\common files\Windows Live
2009-10-19 22:05:11 0 d-----w- c:\program files\Uniblue
2009-10-19 22:03:36 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-10-09 17:11:21 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-10-09 17:11:20 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-10-09 17:11:20 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-09 17:11:19 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-11-01 23:22:26 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 12:55:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 18:35:21.09 ===============


GMER Log:
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit quick scan 2009-11-01 18:51:29
Windows 5.1.2600 Service Pack 3
Running: xx6l5fdm.exe; Driver: C:\DOCUME~1\DELL\LOCALS~1\Temp\kfpyifow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA8E477AC]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

Attached Files



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:04 AM

Posted 02 November 2009 - 05:33 AM

First of all, turn off both SuperAntiSpyware and WinPatrol real time protection.

Both are real resource consuming and seriously slow down your computer. There really is no need to have extra antispyware protection running, since you have already Avast antivirus running.

Let me know how that went and if you see already some difference.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 schroederdude

schroederdude
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 02 November 2009 - 05:38 PM

I have removed SuperAntiSpyware and Winpatrol 2009 from my computer. I will let you know soon if it speeds things up any. One thing I did notice is that it seems like I started having trouble when I accidentally downloaded a BHO with one of my programs (I didn't read the EULA thoroughly and that is where I would have had to opted out of the toolbar). That is why I mentioned Memwatch before. Also, I did a Panda ActiveScan when I first encountered the problem (some time ago) and it said I had memwatch.
SVCHOST.EXE, Avast, and Firefox seem to take up the most memory according to my process task manager, but ALL my programs are running with lots of memory being taken up. Firefox uses 150,000K, but other programs use over 30,000k!
Anyway, I'll let you know soon (tonight) if your suggestion helped any. Thank you so very much!

#8 schroederdude

schroederdude
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 02 November 2009 - 10:23 PM

Hi Elise!
It has been a number of hours, and I've restarted my computer and all. Removing the WinPatrol and the other anti-spyware has not affected the speed of my machine at all; it's still very slow.
Thank you,
Jason

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:04 AM

Posted 03 November 2009 - 03:06 AM

Hello schroederdude,

There was no need to uninstall these problems. Just disabled was enough :( How long do you have ZoneAlarm firewall and how many RAM does your computer have?

COMBOFIX
---------------
Please download ComboFix from one of these locations:Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 schroederdude

schroederdude
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 03 November 2009 - 05:39 AM

Thanks Elise! My RAM is 1.99 GB and I've had ZoneAlarm since I got this computer, sometime around this past August/September. I uninstalled WinPatrol and SuperAntispyware because you said I didn't need them. If Avast Anti-virus covers what they do then they are redundant/useless, no?
I know this problem is mostly causing a speed issue, but please remember my mouse is erratic too, meaning that sometimes I'll be gliding it across the computer screen and it will disappear for a split second and reappear at the top of the screen.

I did as you said with ComboFix. Two concerns regarding that:
First, when I rebooted my computer had a completely black (blank?) screen for longer than normal.
Second, when I had to download the Microsoft Recovery Console it must have also downloaded Internet Explorer, because I had an IE icon on my desktop and my default was reset to IE when I rebooted. I reset it again to my preferred browser, Firefox Mozilla.

Again, thank you so much for your help!

Here's the ComboFix.txt log:

ComboFix 09-11-02.02 - DELL 11/03/2009 4:54.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1464 [GMT -5:00]
Running from: c:\documents and settings\DELL\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091102-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AegisP.inf

.
((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-10-27 21:25 . 2009-10-27 21:25 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-20 21:09 . 2009-10-20 21:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-19 22:43 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-19 22:43 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-19 22:15 . 2009-10-19 22:15 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-19 22:05 . 2009-10-19 22:05 -------- d-----w- c:\program files\Uniblue
2009-10-19 22:03 . 2009-10-19 22:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-10-19 21:56 . 2009-10-19 21:59 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-09 17:11 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-10-09 17:11 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-10-09 17:11 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-09 17:11 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 09:32 . 2009-06-03 23:09 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-11-02 22:31 . 2009-06-11 21:40 -------- d-----w- c:\documents and settings\DELL\Application Data\SUPERAntiSpyware.com
2009-11-02 22:31 . 2009-06-11 21:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-02 00:16 . 2009-06-07 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-02 00:00 . 2009-06-08 00:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 10:26 . 2009-06-08 00:33 -------- d-----w- c:\program files\SpywareBlaster
2009-10-19 22:08 . 2009-06-06 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-10-19 21:51 . 2009-06-05 05:58 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-14 07:40 . 2009-06-06 23:27 -------- d-----w- c:\documents and settings\DELL\Application Data\Uniblue
2009-09-25 05:37 . 2004-08-03 22:56 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-03 22:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 12:55 . 2009-06-20 21:58 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-19 06:51 . 2009-09-19 06:51 -------- d-----w- c:\program files\Panda Security
2009-09-18 03:34 . 2009-06-05 05:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-15 01:14 . 2009-09-15 01:14 -------- d-----w- c:\program files\Trend Micro
2009-09-15 00:21 . 2009-06-08 05:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-11 14:18 . 2004-08-03 22:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-06-08 05:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-06-08 05:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-08-03 22:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 17:40 . 2009-06-05 04:43 64368 ----a-w- c:\documents and settings\DELL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 16:10 . 2009-06-08 20:20 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2009-06-08 20:20 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2009-06-08 20:20 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2009-06-08 20:20 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-06-08 20:20 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2009-06-08 20:21 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-06-08 20:21 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2009-06-08 20:21 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2009-06-08 20:21 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-06 23:24 . 2008-07-21 16:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2008-07-21 16:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-07-21 16:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2007-07-30 23:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-07-21 16:02 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-03 22:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-07-21 16:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-07-21 16:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-28 788368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/20/2009 4:58 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/19/2009 1:52 AM 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/8/2009 3:20 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/8/2009 3:20 PM 20560]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [7/21/2008 12:47 PM 88192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [7/18/2008 4:40 PM 26505]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:21]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\DELL\Application Data\Mozilla\Firefox\Profiles\vvu8bi07.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.salon.com/?source=refresh
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 05:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-03 5:04
ComboFix-quarantined-files.txt 2009-11-03 10:04

Pre-Run: 9,631,092,736 bytes free
Post-Run: 9,610,321,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0427A7F4153A16B1A598B6E798453B15

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:04 AM

Posted 03 November 2009 - 06:27 AM

Hello schroederdude,

Combofix did not install Internet Explorer, it only placed the icon on your desktop. This is normal. You can remove the icon if you wish by right-clicking on your desktop, selecting properties and on the Desktop tab clicking the Customize desktop button. You will there be able to uncheck the Internet Explorer icon.

SRENG
---------
We need to run a scan with System Repair Engineer
  • Download SREng from here: http://www.kztechs.com/sreng/sreng2.zip
  • Extract all content to your Desktop
  • From the sreng2 folder on your Desktop, double-click SREng.exe to run it
  • Select: Smart Scan
  • Then, click the Scan button. When finished, click on the Save Reports button. Save the log to your desktop. Please post the content of the SREnglLOG.log file in your next reply.
Note - When SREng is running, it will create an .EXE file with a random filename in the SREng folder. Some antivirus applications will give warning messages about this, please ignore these warnings.

In your next reply, please include the following:
  • SREng log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 schroederdude

schroederdude
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 03 November 2009 - 06:15 PM

Thanks Elise!
When I tried to copy/paste the SREngLOG file here this website gives me an error saying I've pasted too much. So, I'm attaching my SREngLOG file instead. I hope that works!

Attached Files



#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:04 AM

Posted 04 November 2009 - 05:28 AM

Hello schroederdude,

Not many out of the ordinary there. Please start SRENG2 and click Repair. On the File Extensions tab, repair the extension that has "error" as status (.chm).

Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Please download SINO by Artellos from here
  • Save SINO to a place you can remember and run SINO.exe.
  • Then please check the following checkboxes:
    System Info
    Services
    Boot Check
    Tasklist
    Startup Items
    Ipconfig
    Ping
    Netstat
    Hosts file
    Shares
    Routing Table
  • Once checked, hit the Run Scan! button and wait for the program to finish the scan.
  • A notepad file will pop up, Please copy and paste the content of the notepad into your next reply.
Note: If you try to interact with the program once it's started scanning it might appear to hang. The scan however will continue.

In your next reply, please include the following:
  • SINO log

Edited by elise025, 04 November 2009 - 05:28 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 schroederdude

schroederdude
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:10:04 PM

Posted 04 November 2009 - 04:43 PM

Thanks Elise!
Had a problem with the HostsXpert.
I clicked "Restore MS Hosts File" and the clicked OK at the confirmation box. Then I got an error message that said "ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts" so I could not (and thus did not) click on anything that said "Make Read Only".

Here's the SINO log:


System Investigator by Olrik
Log Created On: 1638_04-11-2009
SINO Version: 2.4.9.9

Total RAM: 2039 MB | Free RAM: 1188 MB | Pagefile Size: 3932 MB
C: | 9238 MB out of 38146 MB Free | Local Fixed Disk
D: | None | CD-ROM Disc

<<<< System Information >>>>

Computer Name: DELL-9277DBC6D9
Username: DELL
Language Setting: ENU
Windows Directory: C:\WINDOWS
Windows Version: Windows XP Service Pack 3

<<<< Tasklist >>>>

[System Idle Process] - Process ID: 0
[System] - Process ID: 4
[C:\WINDOWS\System32\smss.exe] - Process ID: 800
[csrss.exe] - Process ID: 856
[C:\WINDOWS\system32\winlogon.exe] - Process ID: 880
[C:\WINDOWS\system32\services.exe] - Process ID: 924
[C:\WINDOWS\system32\lsass.exe] - Process ID: 936
[C:\WINDOWS\system32\svchost.exe] - Process ID: 1084
[svchost.exe] - Process ID: 1184
[C:\WINDOWS\System32\svchost.exe] - Process ID: 1240
[C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe] - Process ID: 1404
[svchost.exe] - Process ID: 1448
[svchost.exe] - Process ID: 1500
[C:\WINDOWS\system32\ZoneLabs\vsmon.exe] - Process ID: 1540
[C:\WINDOWS\Explorer.EXE] - Process ID: 640
[C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe] - Process ID: 1400
[C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe] - Process ID: 1472
[C:\Program Files\Alwil Software\Avast4\ashServ.exe] - Process ID: 1596
[C:\WINDOWS\system32\spoolsv.exe] - Process ID: 1920
[scardsvr.exe] - Process ID: 1896
[svchost.exe] - Process ID: 328
[C:\Program Files\Intel\Wireless\Bin\EvtEng.exe] - Process ID: 980
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE] - Process ID: 532
[C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe] - Process ID: 384
[C:\WINDOWS\system32\svchost.exe] - Process ID: 1348
[C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe] - Process ID: 1872
[unsecapp.exe] - Process ID: 2556
[C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe] - Process ID: 2564
[wmiprvse.exe] - Process ID: 2600
[C:\Program Files\Alwil Software\Avast4\ashWebSv.exe] - Process ID: 2644
[alg.exe] - Process ID: 3036
[C:\WINDOWS\system32\igfxsrvc.exe] - Process ID: 3496
[C:\WINDOWS\system32\hkcmd.exe] - Process ID: 3536
[C:\WINDOWS\system32\igfxpers.exe] - Process ID: 3556
[C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe] - Process ID: 3580
[C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe] - Process ID: 3616
[C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe] - Process ID: 3636
[C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe] - Process ID: 3652
[C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe] - Process ID: 3696
[C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe] - Process ID: 3728
[C:\WINDOWS\system32\ctfmon.exe] - Process ID: 3736
[C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe] - Process ID: 2820
[C:\WINDOWS\system32\wuauclt.exe] - Process ID: 140
[C:\Program Files\Mozilla Firefox\firefox.exe] - Process ID: 3400
[C:\WINDOWS\system32\notepad.exe] - Process ID: 432
[C:\DOCUME~1\DELL\LOCALS~1\Temp\SINO\SINO.exe] - Process ID: 3224
[wmiprvse.exe] - Process ID: 1092

<<<< Startup Items >>>>

[desktop] - <Startup> - desktop.ini
[desktop] - <Startup> - desktop.ini
[Advanced SystemCare 3] - <HKU\S-1-5-21-1004336348-861567501-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
[ctfmon.exe] - <HKU\S-1-5-21-1004336348-861567501-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - C:\WINDOWS\system32\ctfmon.exe
[desktop] - <Startup> - desktop.ini
[desktop] - <Common Startup> - desktop.ini
[IgfxTray] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - C:\WINDOWS\system32\igfxtray.exe
[HotKeysCmds] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - C:\WINDOWS\system32\hkcmd.exe
[Persistence] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - C:\WINDOWS\system32\igfxpers.exe
[IntelZeroConfig] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
[IntelWireless] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
[ZoneAlarm Client] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
[avast!] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[Ad-Watch] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
[Adobe Reader Speed Launcher] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
[Adobe ARM] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[RoxioDragToDisc] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - ; "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
[RoxioEngineUtility] - <HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> - ; "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

<<<< MS Services >>>>

Application Layer Gateway Service (ALG) - Running [Manual | Stoppable | Not_Pausable] - C:\WINDOWS\System32\alg.exe
Windows Audio (AudioSrv) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Background Intelligent Transfer Service (BITS) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Computer Browser (Browser) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
CryptSvc (CryptSvc) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
DCOM Server Process Launcher (DcomLaunch) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost -k DcomLaunch
DHCP Client (Dhcp) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
DNS Client (Dnscache) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k NetworkService
Event Log (Eventlog) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\services.exe
COM+ Event System (EventSystem) - Running [Manual | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Running [Manual | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support (helpsvc) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Server (lanmanserver) - Running [Auto | Stoppable | Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Workstation (lanmanworkstation) - Running [Auto | Stoppable | Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
TCP/IP NetBIOS Helper (LmHosts) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Machine Debug Manager (MDM) - Running [Auto | Stoppable | Not_Pausable] - "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
Network Connections (Netman) - Running [Manual | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA) (Nla) - Running [Manual | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Plug and Play (PlugPlay) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\services.exe
IPSEC Services (PolicyAgent) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Protected Storage (ProtectedStorage) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Remote Access Connection Manager (RasMan) - Running [Manual | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Remote Procedure Call (RPC) (RpcSs) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost -k rpcss
Security Accounts Manager (SamSs) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Smart Card (SCardSvr) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\SCardSvr.exe
Task Scheduler (Schedule) - Running [Auto | Stoppable | Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon (seclogon) - Running [Auto | Stoppable | Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification (SENS) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Shell Hardware Detection (ShellHWDetection) - Running [Auto | Stoppable | Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Print Spooler (Spooler) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\spoolsv.exe
System Restore Service (srservice) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
SSDP Discovery Service (SSDPSRV) - Running [Manual | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Windows Image Acquisition (WIA) (stisvc) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k imgsvc
Telephony (TapiSrv) - Running [Manual | Stoppable | Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services (TermService) - Running [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost -k DComLaunch
Themes (Themes) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client (TrkWks) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Windows Time (W32Time) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
WebClient (WebClient) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Windows Management Instrumentation (winmgmt) - Running [Auto | Stoppable | Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Security Center (wscsvc) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates (wuauserv) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration (WZCSVC) - Running [Auto | Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Alerter (Alerter) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Application Management (AppMgmt) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
ASP.NET State Service (aspnet_state) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
Indexing Service (CiSvc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\cisvc.exe
ClipBook (ClipSrv) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\clipsrv.exe
.NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
COM+ System Application (COMSysApp) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Logical Disk Manager Administrative Service (dmadmin) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\dmadmin.exe /com
Logical Disk Manager (dmserver) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Wired AutoConfig (Dot3svc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k dot3svc
Extensible Authentication Protocol Service (EapHost) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k eapsvcs
Error Reporting Service (ERSvc) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Stopped [Manual | Not_Stoppable | Not_Pausable] - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
Human Interface Device Access (HidServ) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Health Key and Certificate Management Service (hkmsvc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
HTTP SSL (HTTPFilter) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
Windows CardSpace (idsvc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
IMAPI CD-Burning COM Service (ImapiService) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\imapi.exe
Messenger (Messenger) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
NetMeeting Remote Desktop Sharing (mnmsrvc) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\mnmsrvc.exe
Distributed Transaction Coordinator (MSDTC) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\msdtc.exe
Windows Installer (MSIServer) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\msiexec.exe /V
Network Access Protection Agent (napagent) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Network DDE (NetDDE) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\netdde.exe
Network DDE DSDM (NetDDEdsdm) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\netdde.exe
Net Logon (Netlogon) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Net.Tcp Port Sharing Service (NetTcpPortSharing) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
NT LM Security Support Provider (NtLmSsp) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\lsass.exe
Removable Storage (NtmsSvc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Office Source Engine (ose) - Stopped [Manual | Not_Stoppable | Not_Pausable] - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Remote Access Auto Connection Manager (RasAuto) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Remote Desktop Help Session Manager (RDSessMgr) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\sessmgr.exe
Routing and Remote Access (RemoteAccess) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k netsvcs
Remote Registry (RemoteRegistry) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Remote Procedure Call (RPC) Locator (RpcLocator) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\locator.exe
QoS RSVP (RSVP) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\rsvp.exe
MS Software Shadow Copy Provider (SwPrv) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\dllhost.exe /Processid:{FD61866B-65BD-4856-A7D9-2BB0F2D0DD11}
Performance Logs and Alerts (SysmonLog) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\smlogsvc.exe
Telnet (TlntSvr) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\tlntsvr.exe
Universal Plug and Play Device Host (upnphost) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k LocalService
Uninterruptible Power Supply (UPS) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\ups.exe
Volume Shadow Copy (VSS) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\vssvc.exe
Portable Media Serial Number Service (WmdmPmSN) - Stopped [Disabled | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation Driver Extensions (Wmi) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs
WMI Performance Adapter (WmiApSrv) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\wbem\wmiapsrv.exe
Windows Media Player Network Sharing Service (WMPNetworkSvc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - "C:\Program Files\Windows Media Player\WMPNetwk.exe"
Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
Network Provisioning Service (xmlprov) - Stopped [Manual | Not_Stoppable | Not_Pausable] - C:\WINDOWS\System32\svchost.exe -k netsvcs

<<<< Non-MS Services >>>>

avast! iAVS4 Control Service (aswUpdSv) - Running [Auto | Stoppable | Not_Pausable] - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus (avast! Antivirus) - Running [Auto | Stoppable | Not_Pausable] - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
avast! Mail Scanner (avast! Mail Scanner) - Running [Manual | Stoppable | Not_Pausable] - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
avast! Web Scanner (avast! Web Scanner) - Running [Manual | Stoppable | Not_Pausable] - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
Intel® PROSet/Wireless Event Log (EvtEng) - Running [Auto | Stoppable | Not_Pausable] - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
Lavasoft Ad-Aware Service (Lavasoft Ad-Aware Service) - Running [Auto | Stoppable | Not_Pausable] - "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
Intel® PROSet/Wireless Registry Service (RegSrvc) - Running [Auto | Stoppable | Not_Pausable] - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
Intel® PROSet/Wireless Service (S24EventMonitor) - Running [Auto | Stoppable | Not_Pausable] - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
TrueVector Internet Monitor (vsmon) - Running [Auto | Not_Stoppable | Not_Pausable] - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Running [Auto | Stoppable | Not_Pausable] - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

<<<< Boot.ini >>>>

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

<<<< Ipconfig >>>>

Windows IP Configuration

Host Name . . . . . . . . . . . . : dell-9277dbc6d9
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ZoomTown.com

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-14-22-CE-4C-49

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : ZoomTown.com
Description . . . . . . . . . . . : Intel® PRO/Wireless 2200BG Network Connection
Physical Address. . . . . . . . . : 00-16-6F-00-1C-45
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.200.253
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.200.1
DHCP Server . . . . . . . . . . . : 192.168.200.1
DNS Servers . . . . . . . . . . . : 192.168.200.1
192.168.200.1
Lease Obtained. . . . . . . . . . : Wednesday, November 04, 2009 11:35:53 AM
Lease Expires . . . . . . . . . . : Thursday, November 05, 2009 11:35:53 AM


<<<< Pinging >>>>

OpenDNS Domain Test
Pinging to www.opendns.com [208.69.38.150]:

Response - 78ms
Response - 94ms
Response - 92ms
Response - 94ms

Packets: Sent = 4, Received = 4, Lost = 0
Minimum = 92ms - Maximum = 94ms

OpenDNS IP Test
Pinging to 208.67.222.222 [208.67.222.222]:

Response - 46ms
Response - 46ms
Response - 62ms
Response - 62ms

Packets: Sent = 4, Received = 4, Lost = 0
Minimum = 62ms - Maximum = 62ms

YouTube Domain Test
Pinging to www.youtube.com [209.85.225.101]:

Response - 30ms
Response - 47ms
Response - 62ms
Response - 46ms

Packets: Sent = 4, Received = 4, Lost = 0
Minimum = 46ms - Maximum = 62ms

YouTube IP Test
Pinging to 208.117.236.69 [208.117.236.69]:

Response - 108ms
Response - 125ms
Response - 109ms
Response - 125ms

Packets: Sent = 4, Received = 4, Lost = 0
Minimum = 109ms - Maximum = 125ms

localhost Test
Pinging to 127.0.0.1 [127.0.0.1]:

Response - 0ms
Response - 0ms
Response - 0ms
Response - 0ms

Packets: Sent = 4, Received = 4, Lost = 0
Minimum = 0ms - Maximum = 0ms


<<<< Netstat >>>>

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[System]

TCP 192.168.200.253:139 0.0.0.0:0 LISTENING 4
[System]

TCP 127.0.0.1:1067 127.0.0.1:1068 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1068 127.0.0.1:1067 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1071 127.0.0.1:1072 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1072 127.0.0.1:1071 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1860 127.0.0.1:12080 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1862 127.0.0.1:12080 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1866 127.0.0.1:12080 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1867 127.0.0.1:12080 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1904 127.0.0.1:12080 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1910 127.0.0.1:12080 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1911 127.0.0.1:12080 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1929 127.0.0.1:12080 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:1931 127.0.0.1:12080 ESTABLISHED 3400
[firefox.exe]

TCP 127.0.0.1:12080 127.0.0.1:1867 ESTABLISHED 2644
[ashWebSv.exe]

TCP 127.0.0.1:12080 127.0.0.1:1931 ESTABLISHED 2644
[ashWebSv.exe]

TCP 127.0.0.1:12080 127.0.0.1:1910 ESTABLISHED 2644
[ashWebSv.exe]

TCP 127.0.0.1:12080 127.0.0.1:1866 ESTABLISHED 2644
[ashWebSv.exe]

TCP 127.0.0.1:12080 127.0.0.1:1860 ESTABLISHED 2644
[ashWebSv.exe]

TCP 127.0.0.1:12080 127.0.0.1:1911 ESTABLISHED 2644
[ashWebSv.exe]

TCP 127.0.0.1:12080 127.0.0.1:1904 ESTABLISHED 2644
[ashWebSv.exe]

TCP 127.0.0.1:12080 127.0.0.1:1929 ESTABLISHED 2644
[ashWebSv.exe]

TCP 127.0.0.1:12080 127.0.0.1:1862 ESTABLISHED 2644
[ashWebSv.exe]

TCP 192.168.200.253:1861 209.85.225.17:80 ESTABLISHED 2644
[ashWebSv.exe]

TCP 192.168.200.253:1864 209.85.225.17:80 ESTABLISHED 2644
[ashWebSv.exe]

TCP 192.168.200.253:1869 209.85.225.17:80 ESTABLISHED 2644
[ashWebSv.exe]

TCP 192.168.200.253:1870 209.85.225.17:80 ESTABLISHED 2644
[ashWebSv.exe]

TCP 192.168.200.253:1912 216.68.54.48:80 ESTABLISHED 2644
[ashWebSv.exe]

TCP 192.168.200.253:1065 82.99.19.52:80 CLOSE_WAIT 1472
[AAWService.exe]

TCP 192.168.200.253:1066 82.99.19.52:80 CLOSE_WAIT 1472
[AAWService.exe]

TCP 192.168.200.253:1913 74.125.93.139:80 CLOSE_WAIT 2644
[ashWebSv.exe]

TCP 192.168.200.253:1930 216.68.119.70:80 CLOSE_WAIT 2644
[ashWebSv.exe]

TCP 192.168.200.253:1932 209.85.225.189:80 CLOSE_WAIT 2644
[ashWebSv.exe]

TCP 192.168.200.253:1935 216.137.39.7:80 CLOSE_WAIT 2644
[ashWebSv.exe]

TCP 192.168.200.253:1940 67.205.44.129:80 CLOSE_WAIT 3224
[SINO.exe]

TCP 127.0.0.1:12080 127.0.0.1:1938 TIME_WAIT 0
UDP 0.0.0.0:445 *:* 4
[System]

UDP 0.0.0.0:4500 *:* 936
[lsass.exe]

UDP 0.0.0.0:500 *:* 936
[lsass.exe]

UDP 127.0.0.1:123 *:* 1240
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 127.0.0.1:1900 *:* 1500
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 127.0.0.1:1036 *:* 3728
[AWC.exe]

UDP 192.168.200.253:123 *:* 1240
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 192.168.200.253:1900 *:* 1500
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 192.168.200.253:137 *:* 4
[System]

UDP 192.168.200.253:138 *:* 4
[System]


<<<< Routing Table >>>>

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 14 22 ce 4c 49 ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 16 6f 00 1c 45 ...... Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.200.1 192.168.200.253 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.200.0 255.255.255.0 192.168.200.253 192.168.200.253 25
192.168.200.253 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.200.255 255.255.255.255 192.168.200.253 192.168.200.253 25
224.0.0.0 240.0.0.0 192.168.200.253 192.168.200.253 25
255.255.255.255 255.255.255.255 192.168.200.253 192.168.200.253 1
255.255.255.255 255.255.255.255 192.168.200.253 2 1
Default Gateway: 192.168.200.1
===========================================================================
Persistent Routes:
None

Route Table

<<<< Hosts File >>>>

The HOSTS file is 348853 Bytes in size.




<<<< Active Shares >>>>

Share: IPC$ - Path:
Share: ADMIN$ - Path: C:\WINDOWS
Share: C$ - Path: C:\


END OF LOG FILE, Date of Completion: 1638_04-11-2009 ----------

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:04 AM

Posted 05 November 2009 - 04:25 AM

Did you immunize your system with Spybot S&D?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users