
Infected with Rootkit--vsdatant


  • This topic is locked
15 replies to this topic

#1 dariushou

dariushou

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 19 November 2009 - 11:26 PM

Hi there,

Garmanma (moderator) has been helping me with identifying a rootkit that I have on my system. The link to the post is:

Topic264842

He mentioned that I should run a DDS / HJT log as outlined in the preparation guide, which I have done and is below. I've also attached the attach file. If it is any help, I've also posted below the DDS log the log from RootRepeal. Could anyone please help me remove this pest? I've never even heard of a rootkit... I guess you learn something new every day. Thanks very much for your time.

Darius

HERE IS THE DDS LOG:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Darius at 22:11:12.79 on Thu 11/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.528 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darius\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mPolicies-explorer: =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://notes.nationstarmail.com/iNotes6W.cab
DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255563613812
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255564069578
DPF: {75aa409d-05f9-4f27-bd53-c7339d4b1d0a} - hxxps://notes.nationstarmail.com/dwa85W.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-14 64288]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-21 335240]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-21 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-21 297752]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link DGE-5xx Gigabit Ethernet Adapter;c:\windows\system32\drivers\m4cxw2k3.sys [2005-3-10 285952]
S0 xaouxn;xaouxn;c:\windows\system32\drivers\rkxuvoeg.sys --> c:\windows\system32\drivers\rkxuvoeg.sys [?]
S3 ADPTEHCD;Adaptec USB 2.0 Enhanced Host Controller Driver;c:\windows\system32\drivers\asusehcd.sys [2008-4-10 34288]
S3 ADPTHUBD;Adaptec USB 2.0 Hub Driver;c:\windows\system32\drivers\asus2hub.sys [2008-4-10 24432]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 AUSBD_FilterService;Adaptec USB 2.0 Port Enumeration Driver;c:\windows\system32\drivers\asususbd.sys [2008-4-10 22448]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1169232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2009-11-11 01:34:37 0 d-----w- c:\documents and settings\darius\DoctorWeb

==================== Find3M ====================

2009-10-16 19:43:50 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-16 19:43:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-15 18:54:59 389120 ----a-w- c:\windows\system32\CF22312.exe
2009-10-11 13:10:09 236544 ----a-w- c:\windows\PEV.exe
2009-09-23 12:55:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 09:17:47 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-10-18 16:54:27 19882 ----a-w- c:\program files\common files\repi.pif
2009-04-21 22:23:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042120090422\index.dat

============= FINISH: 22:11:45.93 ===============

RootRepeal LOG

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/18 22:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3897000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BE1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8F02000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF749B000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\darius\local settings\temp\~dfef71.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\darius\local settings\temp\~dffd28.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acbfc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ac8c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae3170

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acc580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae0900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae0b10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae4b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acc670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ac9210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae39f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae37a0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae0280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae3f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae3f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ac9070

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae2180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae1f40

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae46f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae4150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acbbe0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae4540

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acc190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ac9440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae34e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae1200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae1080

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acae70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acaf20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acafe0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ac9d60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acb250

==EOF==
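The DDS and RootRepeal output above is what a helper reads by hand. As an added example (not part of this thread, and not a tool from BleepingComputer, DDS, RootRepeal or GMER), the following Python script parses the two sections that matter most for a rootkit question, the DDS `SERVICES / DRIVERS` list and the RootRepeal `SSDT` hook list, and applies two triage heuristics that are this example's own assumptions: a service whose image DDS could not stat (it prints `[?]` instead of a date and size) or whose service name does not match its image file name is listed for a closer look, and SSDT hooks are grouped by the module that installed them so each module can be checked once against its vendor and signer (the GMER output later in this thread, for instance, labels vsdatant.sys as Check Point's TrueVector driver). The sample lines are copied from the logs in this thread; the heuristics rank entries for review and are not a verdict on any of them.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied in the shape of the DDS
# "SERVICES / DRIVERS" section and the RootRepeal "SSDT" section from this thread.
DDS_SERVICES = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-14 64288]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-25 353672]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S0 xaouxn;xaouxn;c:\windows\system32\drivers\rkxuvoeg.sys --> c:\windows\system32\drivers\rkxuvoeg.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
"""

ROOTREPEAL_SSDT = r"""
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3acbfc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ac8c80

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3ae2180
"""

# DDS line: "<start> <name>;<display name>;<image> [<date> <size>]" or "... [?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
# RootRepeal prints each hook as a "#: NNN Function Name:" line followed by a "Status:" line.
HOOK_FN_RE = re.compile(r"^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)")
HOOK_ST_RE = re.compile(
    r'^Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)


def parse_dds_services(text):
    """Return one dict per DDS service/driver line, with the image path normalised."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image")
        # "reported --> resolved": keep the path DDS resolved to on disk.
        if "-->" in image:
            image = image.split("-->", 1)[1].strip()
        if image.startswith("\\??\\"):          # object-manager prefix, not part of the path
            image = image[4:]
        # Drop command-line arguments such as " -service" that follow the path.
        image = re.split(r"\s+[-/]", image, maxsplit=1)[0]
        basename = image.rsplit("\\", 1)[-1]
        entries.append({
            "start": m.group("start"),
            "name": m.group("name").strip(),
            "image": image,
            "basename": basename,
            # DDS prints "[?]" when it could not read a date/size for the image.
            "stat_unavailable": m.group("info").strip() == "?",
        })
    return entries


def triage_services(entries):
    """List entries worth a closer look (heuristics are this example's, not DDS's)."""
    findings = []
    for e in entries:
        reasons = []
        if e["stat_unavailable"]:
            reasons.append("DDS could not read a date/size for the image ([?])")
        stem = e["basename"].rsplit(".", 1)[0].lower()
        if e["name"].lower() != stem:
            reasons.append("service name %r differs from image name %r"
                           % (e["name"], e["basename"]))
        if reasons and e["start"] in ("R0", "S0"):
            reasons.append("boot-start driver (%s), loads before most defences" % e["start"])
        if reasons:
            findings.append((e["name"], reasons))
    # Most reasons first; the sort is stable, so ties keep log order.
    findings.sort(key=lambda f: -len(f[1]))
    return findings


def parse_rootrepeal_ssdt(text):
    """Pair each "#: NNN Function Name:" line with the "Status:" line that follows it."""
    hooks, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_FN_RE.match(line)
        if m:
            pending = (int(m.group("index")), m.group("func"))
            continue
        m = HOOK_ST_RE.match(line)
        if m and pending is not None:
            hooks.append({"index": pending[0], "function": pending[1],
                          "module": m.group("module"),
                          "address": int(m.group("addr"), 16)})
            pending = None
    return hooks


def hooks_by_module(hooks):
    """Group hooked syscalls by the module owning the hook, so the analyst checks
    each module's vendor and signature once instead of once per hooked function."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"].lower()].append(h["function"])
    return dict(grouped)


def report(dds_text, rootrepeal_text):
    """Combined triage result for a DDS services section and a RootRepeal SSDT section."""
    return {"services": triage_services(parse_dds_services(dds_text)),
            "hooks": hooks_by_module(parse_rootrepeal_ssdt(rootrepeal_text))}


if __name__ == "__main__":
    result = report(DDS_SERVICES, ROOTREPEAL_SSDT)
    for name, reasons in result["services"]:
        print("%s: %s" % (name, "; ".join(reasons)))
    for module, funcs in result["hooks"].items():
        print("%s hooks %d syscalls: %s" % (module, len(funcs), ", ".join(funcs)))
```

On the sample above the boot-start entry whose name does not match its image file and whose image DDS could not stat sorts to the top, while the hook list collapses to a single module whose identity the analyst can then confirm from GMER's vendor string or the file's signature, which is the check that separates a security product's hooks from an unknown driver's.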


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:59 AM

Posted 27 November 2009 - 10:23 AM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 dariushou

dariushou
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 30 November 2009 - 04:17 PM

Hi Elise,

Thanks for getting back to me. Below is a summary of what I've done to the computer since seeking help (I've done nothing since my last post), and then I post the logs that you requested; each log is separated by a bolded heading.

Programs that I have run in safe mode and regular mode:

Dr. Web Cureit
Super Antispyware
Malwarebytes
Spybot
Lavasoft Adaware
AVG Anti-Virus
ATF Cleaner

Garmanma (moderator on this site in the “Am I Infected? What do I do?” section), in addition to a few of the programs above, had me run the following programs:

TFC
RootRepeal

A link to that thread is here: Topic 264842

After all of the above, I was told to paste a DDS / HJT log along with the attach file which I did above.

Below are the logs that you requested:

1) THIS IS THE DDS LOG (the attach file which is produced by running this program is attached)


DDS (Ver_09-11-29.01) - NTFSx86
Run by Darius at 12:59:41.40 on Mon 11/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.537 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darius\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mPolicies-explorer: =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://notes.nationstarmail.com/iNotes6W.cab
DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255563613812
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255564069578
DPF: {75aa409d-05f9-4f27-bd53-c7339d4b1d0a} - hxxps://notes.nationstarmail.com/dwa85W.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-14 64288]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-21 335240]
R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-21 27784]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-21 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-25 353672]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-21 297752]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link DGE-5xx Gigabit Ethernet Adapter;c:\windows\system32\drivers\m4cxw2k3.sys [2005-3-10 285952]
S0 xaouxn;xaouxn;c:\windows\system32\drivers\rkxuvoeg.sys --> c:\windows\system32\drivers\rkxuvoeg.sys [?]
S3 ADPTEHCD;Adaptec USB 2.0 Enhanced Host Controller Driver;c:\windows\system32\drivers\asusehcd.sys [2008-4-10 34288]
S3 ADPTHUBD;Adaptec USB 2.0 Hub Driver;c:\windows\system32\drivers\asus2hub.sys [2008-4-10 24432]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 AUSBD_FilterService;Adaptec USB 2.0 Port Enumeration Driver;c:\windows\system32\drivers\asususbd.sys [2008-4-10 22448]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1169232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2009-11-11 01:34:37 0 d-----w- c:\documents and settings\darius\DoctorWeb

==================== Find3M ====================

2009-10-16 19:43:50 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-16 19:43:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-15 18:54:59 389120 ----a-w- c:\windows\system32\CF22312.exe
2009-10-11 13:10:09 236544 ----a-w- c:\windows\PEV.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 09:17:47 15688 ----a-w- c:\windows\system32\lsdelete.exe
2008-10-18 16:54:27 19882 ----a-w- c:\program files\common files\repi.pif
2009-04-21 22:23:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042120090422\index.dat

============= FINISH: 13:00:16.25 ===============


2) THIS IS THE GMER LOG:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 14:34:39
Windows 5.1.2600 Service Pack 3
Running: bmgso0u4.exe; Driver: C:\DOCUME~1\Darius\LOCALS~1\Temp\pfxiqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF3F87FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF3F84C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF3F9F170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF3F88580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF3F88670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF3F85210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF3F9F9F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF3F9F7A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF3F9FF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF3F9FF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF3F85070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF3FA06F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF3FA0150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF3F87BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF3FA0540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF3F85440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF3F9F4E0]

---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF66C5360, 0x32DEFD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4028] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F3F8CB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F3F8C930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F3F8D260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F3F8AE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F3F8AE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F3F8CB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F3F8C930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F3F8D260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F3F8CB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F3F8AE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F3F8D260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F3F8C930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F3F8D260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F3F8C930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F3F8CB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F3F8AE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F3F8CB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F3F8C930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F3F8D260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F3F8D260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F3F8C930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F3F8AE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F3F8CB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F3FA5B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F3F8CB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F3F8AE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F3F8D260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F3F8C930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F3F858D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F3F85A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F3F855E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F3F85980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[4028] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@TDSSserv \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@TDSSl \systemroot\system32\TDSSoeqh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssservers \systemroot\system32\TDSSosvn.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssadw \systemroot\system32\TDSScfub.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssinit \systemroot\system32\TDSSfpmp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdsspanels \systemroot\system32\TDSSsbhc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssserf \systemroot\system32\TDSSthym.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@TDSSserv \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@TDSSl \systemroot\system32\TDSSoeqh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@tdssservers \systemroot\system32\TDSSosvn.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@tdssadw \systemroot\system32\TDSScfub.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@tdssinit \systemroot\system32\TDSSfpmp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@tdsspanels \systemroot\system32\TDSSsbhc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules@tdssserf \systemroot\system32\TDSSthym.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@TDSSserv \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@TDSSl \systemroot\system32\TDSSoeqh.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssservers \systemroot\system32\TDSSosvn.dat
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssadw \systemroot\system32\TDSScfub.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssinit \systemroot\system32\TDSSfpmp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdsspanels \systemroot\system32\TDSSsbhc.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv\modules@tdssserf \systemroot\system32\TDSSthym.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----


That's it. Hope this helps and thank you so much for helping.


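As an added illustration (not code from the thread, from GMER, or from any vendor named in the log), the following Python script parses GMER lines of the kind posted above, groups the kernel IAT hooks and TDI device objects by the driver file that owns them, and lists the TDSSserv service entries per ControlSet with the module files they name. The sample lines are a constructed subset copied from the log above; the "TDSS plus four letters" module pattern is an assumption drawn from those names.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's or any
vendor's code). It parses the three kinds of GMER lines seen in the thread:
  IAT <module>[<lib>!<func>] [<addr>] <hooking driver> (<description>)
  Device|AttachedDevice <driver object> <device> <driver file> (<description>)
  Reg <key path>[@<value> <data>] [(not active ControlSet)]
and groups kernel hooks by owning driver and TDSSserv entries by ControlSet."""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the GMER log posted above.
SAMPLE_LOG = r"""
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F3F8D260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F3F855E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- Devices - GMER 1.0.15 ----
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv\modules (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
"""

IAT_RE = re.compile(
    r"^IAT (?P<module>\S+)\[(?P<lib>[^!\]]+)!(?P<func>[^\]]+)\] "
    r"\[(?P<addr>[0-9A-Fa-f]+)\] (?P<hooker>\S+) \((?P<desc>.*)\)$")
DEV_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice) (?P<drvobj>\S+) (?P<device>\S+) "
    r"(?P<file>\S+) \((?P<desc>.*)\)$")
SERVICE_RE = re.compile(r"\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<svc>[^\\@]+)", re.I)
# Assumption drawn from the names in this log: "TDSS" followed by four letters.
TDSS_MODULE_RE = re.compile(r"\\TDSS[a-z]{4}\.(sys|dll|dat|log)$", re.I)
INACTIVE_MARK = "(not active ControlSet)"


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]

def parse_reg_line(rest):
    """Parse the text after 'Reg ' into key path, value name, data and the inactive flag."""
    inactive = rest.endswith(INACTIVE_MARK)
    if inactive:
        rest = rest[: -len(INACTIVE_MARK)].rstrip()
    path, sep, tail = rest.partition("@")
    value, _, data = tail.partition(" ") if sep else ("", "", "")
    return {"path": path, "value": value, "data": data, "inactive": inactive}

def parse_gmer(text):
    """Split a GMER log into IAT hook, device and registry records."""
    out = {"iat": [], "devices": [], "reg": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank line or section banner
        if m := IAT_RE.match(line):
            out["iat"].append(m.groupdict())
        elif m := DEV_RE.match(line):
            out["devices"].append(m.groupdict())
        elif line.startswith("Reg "):
            out["reg"].append(parse_reg_line(line[4:]))
    return out

def hooks_by_driver(parsed):
    """Group kernel IAT hooks and TDI device objects by the driver file that owns them.
    A vendor description (e.g. TrueVector/Check Point) explains hooks that would
    otherwise look like rootkit behaviour."""
    owners = defaultdict(lambda: {"description": "", "iat": [], "devices": []})
    for h in parsed["iat"]:
        name = basename(h["hooker"]).lower()
        owners[name]["description"] = h["desc"]
        owners[name]["iat"].append(f"{h['lib']}!{h['func']} via {basename(h['module'])}")
    for d in parsed["devices"]:
        name = d["file"].lower()
        owners[name]["description"] = d["desc"]
        owners[name]["devices"].append(f"{d['kind']} {d['device']}")
    return dict(owners)

def tdss_service_findings(parsed):
    """Per ControlSet: the TDSS-named service, whether that set is inactive, and its modules.
    An entry in an inactive ControlSet is not loaded on the current boot, but it is
    still a remnant that a cleanup should remove."""
    findings = {}
    for r in parsed["reg"]:
        m = SERVICE_RE.search(r["path"])
        if not m:
            continue
        svc = m.group("svc")
        module_hit = TDSS_MODULE_RE.search(r["data"])
        if not (svc.upper().startswith("TDSS") or module_hit):
            continue
        entry = findings.setdefault(m.group("cs"), {"service": svc, "inactive": False, "modules": set()})
        entry["inactive"] = entry["inactive"] or r["inactive"]
        if module_hit:
            entry["modules"].add(basename(r["data"]))
    for entry in findings.values():
        entry["modules"] = sorted(entry["modules"])
    return findings
```

Running `hooks_by_driver(parse_gmer(SAMPLE_LOG))` attributes every sampled hook to vsdatant.sys or avgtdix.sys with their vendor descriptions, while `tdss_service_findings` reports TDSSserv in ControlSet001 and ControlSet003, both marked inactive.
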
#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:59 AM

Posted 30 November 2009 - 04:27 PM

Hello dariushou,

I don't see a whole lot wrong anymore here, vsdatant.sys is a ZoneAlarm firewall driver, nothing to worry about.

Please consider the following first...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


I see some evidence Combofix was run. Please post me the log you will find at c:\combofix.txt

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Both Combofix logs (the old one and a new one).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#5 dariushou

dariushou
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 30 November 2009 - 06:59 PM

Yes, let's try to get rid of this thing. Here are the two logs:

OLD LOG:

ComboFix 09-10-15.01 - Administrator 10/15/2009 14:10:55.4.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.743 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\New Folder\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-15 17:38:00 . 2009-10-15 17:38:02 0 d-----w- C:\Rustbfix
2009-10-15 05:54:51 . 2009-02-19 18:38:14 10752 ----a-w- C:\WINDOWS\system32\m4x32coinst.dll
2009-10-15 04:42:39 . 2009-10-15 04:44:38 0 d-----w- C:\WINDOWS\NV27403412.TMP
2009-10-15 03:51:41 . 2009-10-15 03:56:35 0 d-----w- C:\WINDOWS\ie8updates
2009-10-15 03:10:31 . 2009-08-29 08:08:21 12800 -c----w- C:\WINDOWS\system32\dllcache\xpshims.dll
2009-10-15 03:10:29 . 2009-08-29 08:08:17 246272 -c----w- C:\WINDOWS\system32\dllcache\ieproxy.dll
2009-10-15 03:09:47 . 2009-06-21 21:44:50 153088 -c----w- C:\WINDOWS\system32\dllcache\triedit.dll
2009-10-15 03:08:39 . 2009-07-10 13:27:49 1315328 -c----w- C:\WINDOWS\system32\dllcache\msoe.dll
2009-10-15 03:05:38 . 2009-03-06 14:22:18 284160 -c----w- C:\WINDOWS\system32\dllcache\pdh.dll
2009-10-15 03:05:37 . 2009-02-09 12:10:48 473600 -c----w- C:\WINDOWS\system32\dllcache\fastprox.dll
2009-10-15 03:05:37 . 2009-02-09 12:10:48 401408 -c----w- C:\WINDOWS\system32\dllcache\rpcss.dll
2009-10-15 03:05:37 . 2009-02-06 11:11:05 110592 -c----w- C:\WINDOWS\system32\dllcache\services.exe
2009-10-15 03:05:36 . 2009-02-06 10:10:02 227840 -c----w- C:\WINDOWS\system32\dllcache\wmiprvse.exe
2009-10-15 03:05:35 . 2009-06-25 08:25:26 730112 -c----w- C:\WINDOWS\system32\dllcache\lsasrv.dll
2009-10-15 03:05:35 . 2009-02-09 12:10:48 617472 -c----w- C:\WINDOWS\system32\dllcache\advapi32.dll
2009-10-15 03:05:35 . 2009-02-09 12:10:48 453120 -c----w- C:\WINDOWS\system32\dllcache\wmiprvsd.dll
2009-10-15 03:05:34 . 2009-02-09 12:10:48 714752 -c----w- C:\WINDOWS\system32\dllcache\ntdll.dll
2009-10-15 03:05:23 . 2008-05-03 11:55:36 2560 ------w- C:\WINDOWS\system32\xpsp4res.dll
2009-10-15 03:05:22 . 2008-04-21 12:08:15 215552 -c----w- C:\WINDOWS\system32\dllcache\wordpad.exe
2009-10-15 03:04:03 . 2008-10-24 11:21:09 455296 -c----w- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2009-10-15 03:03:40 . 2008-09-04 17:15:04 1106944 -c----w- C:\WINDOWS\system32\dllcache\msxml3.dll
2009-10-15 03:03:30 . 2008-10-15 16:34:24 337408 -c----w- C:\WINDOWS\system32\dllcache\netapi32.dll
2009-10-15 02:54:49 . 2009-10-15 02:54:49 0 d-sh--w- C:\Documents and Settings\Administrator\PrivacIE
2009-10-15 01:01:38 . 2009-08-07 00:23:46 274288 ----a-w- C:\WINDOWS\system32\mucltui.dll
2009-10-15 00:22:37 . 2009-10-15 00:22:37 0 d-sh--w- C:\Documents and Settings\Administrator\IETldCache
2009-10-14 23:14:45 . 2009-10-14 23:14:45 0 d-sh--w- C:\Documents and Settings\Darius\PrivacIE
2009-10-14 23:13:56 . 2009-10-14 23:13:56 0 d-sh--w- C:\Documents and Settings\Darius\IETldCache
2009-10-14 23:09:13 . 2009-10-14 23:11:17 0 dc-h--w- C:\WINDOWS\ie8
2009-10-14 21:30:50 . 2009-09-03 09:17:47 15688 ----a-w- C:\WINDOWS\system32\lsdelete.exe
2009-10-14 18:36:52 . 2009-10-14 18:36:52 0 dc----w- C:\WINDOWS\system32\DRVSTORE
2009-10-14 18:36:52 . 2009-09-23 12:55:23 64288 ----a-w- C:\WINDOWS\system32\drivers\Lbd.sys
2009-10-14 18:35:12 . 2009-10-14 18:35:12 0 dc-h--w- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-14 18:22:49 . 2009-10-14 18:22:49 0 d-----w- C:\Documents and Settings\Darius\Application Data\uniblue
2009-10-14 18:18:17 . 2009-10-14 18:18:17 0 d-----w- C:\Program Files\Uniblue
2009-10-14 18:09:55 . 2009-10-14 18:10:38 0 d-----w- C:\2737646c32925a7d1c73a36a60d477c3
2009-10-14 18:09:36 . 2009-10-14 18:14:51 0 d-----w- C:\WINDOWS\SxsCaPendDel
2009-10-14 18:03:32 . 2009-10-14 18:03:32 0 d-----r- C:\AHCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 18:13:41 . 2009-02-07 20:16:17 0 d-----w- C:\Documents and Settings\Darius\Application Data\SUPERAntiSpyware.com
2009-10-15 18:13:40 . 2008-04-10 14:40:56 0 d-----w- C:\Program Files\Common Files\Wise Installation Wizard
2009-10-15 18:13:39 . 2009-02-07 20:16:17 0 d-----w- C:\Program Files\SUPERAntiSpyware
2009-10-15 17:45:54 . 2008-08-02 20:12:30 664 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2009-10-15 05:02:41 . 2008-04-10 10:56:28 70456 ----a-w- C:\Documents and Settings\Darius\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 04:28:47 . 2008-10-18 02:11:12 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-10-15 04:25:51 . 2008-10-18 02:15:33 0 d-----w- C:\Program Files\Microsoft Works
2009-10-15 01:58:08 . 2008-04-10 10:20:06 0 d--h--w- C:\Program Files\InstallShield Installation Information
2009-10-14 18:34:46 . 2008-04-10 16:22:44 0 d-----w- C:\Program Files\Lavasoft
2009-10-14 18:34:46 . 2008-04-10 16:22:44 0 d-----w- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-10-14 14:19:13 . 2008-04-10 17:33:48 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-10-14 13:56:02 . 2009-06-28 22:46:56 0 d-----w- C:\Program Files\WebPosition 4
2009-10-14 13:54:41 . 2009-07-11 22:50:49 0 d-----w- C:\Program Files\Common Files\AVSMedia
2009-10-14 13:54:41 . 2009-07-11 22:50:48 0 d-----w- C:\Program Files\AVS4YOU
2009-10-14 13:53:14 . 2008-04-10 16:20:26 0 d-----w- C:\Program Files\Spybot - Search & Destroy
2009-10-14 13:51:37 . 2008-10-19 00:31:34 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-09-11 14:18:39 . 2001-08-23 12:00:00 136192 ----a-w- C:\WINDOWS\system32\msv1_0.dll
2009-09-10 19:54:06 . 2008-10-19 00:31:35 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53:50 . 2008-10-19 00:31:38 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-09-04 21:03:36 . 2001-08-23 12:00:00 58880 ----a-w- C:\WINDOWS\system32\msasn1.dll
2009-08-29 08:08:21 . 2001-08-23 12:00:00 916480 ------w- C:\WINDOWS\system32\wininet.dll
2009-08-26 08:00:21 . 2001-08-23 12:00:00 247326 ----a-w- C:\WINDOWS\system32\strmdll.dll
2009-08-24 04:58:36 . 2009-06-18 03:11:09 0 d-----w- C:\Program Files\pup7
2009-08-18 04:33:52 . 2009-08-18 04:33:52 1193832 ----a-w- C:\WINDOWS\system32\FM20.DLL
2009-08-07 00:24:18 . 2008-04-10 10:28:05 327896 ----a-w- C:\WINDOWS\system32\wucltui.dll
2009-08-07 00:24:10 . 2008-04-10 10:28:06 44768 ----a-w- C:\WINDOWS\system32\wups2.dll
2009-08-07 00:24:10 . 2008-04-10 10:28:06 35552 ----a-w- C:\WINDOWS\system32\wups.dll
2009-08-07 00:24:06 . 2008-04-10 10:09:06 53472 ------w- C:\WINDOWS\system32\wuauclt.exe
2009-08-07 00:24:04 . 2001-08-23 12:00:00 96480 ----a-w- C:\WINDOWS\system32\cdm.dll
2009-08-07 00:23:54 . 2008-04-10 10:28:05 575704 ----a-w- C:\WINDOWS\system32\wuapi.dll
2009-08-07 00:23:46 . 2008-04-10 10:09:06 1929952 ----a-w- C:\WINDOWS\system32\wuaueng.dll
2009-08-07 00:23:28 . 2007-07-31 00:19:46 209624 ----a-w- C:\WINDOWS\system32\wuweb.dll
2009-08-07 00:23:26 . 2007-07-31 00:18:34 215904 ----a-w- C:\WINDOWS\system32\muweb.dll
2009-08-05 09:01:48 . 2008-04-10 10:38:28 204800 ----a-w- C:\WINDOWS\system32\mswebdvd.dll
2009-08-04 15:13:08 . 2001-08-23 12:00:00 2145280 ------w- C:\WINDOWS\system32\ntoskrnl.exe
2009-08-04 14:20:09 . 2001-08-17 13:48:10 2023936 ------w- C:\WINDOWS\system32\ntkrnlpa.exe
2009-07-29 04:37:01 . 2001-08-23 12:00:00 81920 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-07-29 04:37:01 . 2001-08-23 12:00:00 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2008-10-18 16:54:27 . 2008-10-18 16:54:27 19882 ----a-w- C:\Program Files\Common Files\repi.pif
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-05-05 16:24:28 1947928]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 05:10:22 981384]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 19:53:56 1312080]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-09-18 04:55:00 13574144]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-09-18 04:55:00 86016]
"nwiz"="nwiz.exe" - C:\WINDOWS\system32\nwiz.exe [2008-09-18 04:55:00 1657376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-05 16:24:38 11952 ----a-w- C:\WINDOWS\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [10/14/2009 1:36:52 PM 64288]
R1 avgtdix;AVG Free8 Network Redirector;C:\WINDOWS\system32\drivers\avgtdix.sys [4/21/2009 5:45:20 PM 108552]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link DGE-5xx Gigabit Ethernet Adapter;C:\WINDOWS\system32\drivers\m4cxw2k3.sys [3/10/2005 7:42:00 AM 285952]
S0 xaouxn;xaouxn;C:\WINDOWS\system32\drivers\rkxuvoeg.sys --> C:\WINDOWS\system32\drivers\rkxuvoeg.sys [?]
S1 avgldx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\drivers\avgldx86.sys [4/21/2009 5:45:13 PM 325896]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [4/21/2009 5:45:01 PM 298776]
S3 ADPTEHCD;Adaptec USB 2.0 Enhanced Host Controller Driver;C:\WINDOWS\system32\drivers\asusehcd.sys [4/10/2008 8:51:40 AM 34288]
S3 ADPTHUBD;Adaptec USB 2.0 Hub Driver;C:\WINDOWS\system32\drivers\asus2hub.sys [4/10/2008 8:51:40 AM 24432]
S3 ASUSHWIO;ASUSHWIO;\??\C:\WINDOWS\system32\drivers\ASUSHWIO.sys --> C:\WINDOWS\system32\drivers\ASUSHWIO.sys [?]
S3 AUSBD_FilterService;Adaptec USB 2.0 Port Enumeration Driver;C:\WINDOWS\system32\drivers\asususbd.sys [4/10/2008 8:51:40 AM 22448]
S3 ctgame;Game Port;C:\WINDOWS\system32\drivers\ctgame.sys [12/30/2002 10:53:36 AM 12160]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17:32 AM 1169232]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-14 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:06:13 . 2009-10-14 18:36:27]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://winsecurityupdates.com/?aid=444.568
DPF: {75aa409d-05f9-4f27-bd53-c7339d4b1d0a} - hxxps://notes.nationstarmail.com/dwa85W.cab
.


NEW LOG:

ComboFix 09-11-30.02 - Darius 11/30/2009 17:46.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.634 [GMT -6:00]
Running from: c:\documents and settings\Darius\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\mydll.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 18:52 . 2009-11-03 22:59 3513624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-30 18:52 . 2009-11-03 22:59 2028312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-11 01:34 . 2009-11-11 02:57 -------- d-----w- c:\documents and settings\Darius\DoctorWeb
2009-11-10 20:10 . 2009-11-10 20:10 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-10 20:01 . 2009-11-19 01:06 117760 ----a-w- c:\documents and settings\Darius\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-02 15:41 . 2009-11-10 00:17 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-11 17:07 . 2008-10-18 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 20:00 . 2009-02-07 20:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-10 20:00 . 2009-02-07 20:16 -------- d-----w- c:\documents and settings\Darius\Application Data\SUPERAntiSpyware.com
2009-11-10 20:00 . 2008-04-10 14:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-21 04:14 . 2008-04-10 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-21 04:08 . 2009-10-21 04:08 -------- d-----w- c:\program files\CCleaner
2009-10-20 20:10 . 2008-04-11 08:40 50 ----a-w- c:\windows\system32\m8840def.dat
2009-10-20 20:08 . 2008-04-11 08:36 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-10-16 19:43 . 2009-04-21 22:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-16 19:43 . 2009-04-21 22:45 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-16 19:43 . 2009-04-21 22:45 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-15 18:54 . 2009-10-15 18:55 389120 ----a-w- c:\windows\system32\CF22312.exe
2009-10-15 17:45 . 2008-08-02 20:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-15 05:02 . 2008-04-10 10:56 70456 ----a-w- c:\documents and settings\Darius\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 04:25 . 2008-10-18 02:15 -------- d-----w- c:\program files\Microsoft Works
2009-10-15 01:58 . 2008-04-10 10:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-14 18:35 . 2009-10-14 18:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-14 18:34 . 2008-04-10 16:22 -------- d-----w- c:\program files\Lavasoft
2009-10-14 18:34 . 2008-04-10 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-14 18:22 . 2009-10-14 18:22 -------- d-----w- c:\documents and settings\Darius\Application Data\uniblue
2009-10-14 18:18 . 2009-10-14 18:18 -------- d-----w- c:\program files\Uniblue
2009-10-14 14:19 . 2008-04-10 17:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-14 13:56 . 2009-06-28 22:46 -------- d-----w- c:\program files\WebPosition 4
2009-10-14 13:54 . 2009-07-11 22:50 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-14 13:54 . 2009-07-11 22:50 -------- d-----w- c:\program files\AVS4YOU
2009-10-14 13:53 . 2008-04-10 16:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-14 13:51 . 2008-10-19 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 13:51 . 2008-11-15 02:54 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-03 08:15 . 2009-10-14 18:35 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-09-23 12:55 . 2009-10-14 18:36 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-14 04:37 . 2009-02-08 01:34 9653830 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-10-19 00:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-10-19 00:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 09:17 . 2009-10-14 21:30 15688 ----a-w- c:\windows\system32\lsdelete.exe
2008-10-18 16:54 . 2008-10-18 16:54 19882 ----a-w- c:\program files\Common Files\repi.pif
.

((((((((((((((((((((((((((((( SnapShot@2009-10-15_18.03.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 12:00 . 2009-10-15 05:57 71904 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2009-11-02 14:36 71904 c:\windows\system32\perfc009.dat
- 2009-02-07 20:16 . 2009-02-07 20:16 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-11-10 20:00 . 2009-11-10 20:00 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2009-02-07 20:16 . 2009-02-07 20:16 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-11-10 20:00 . 2009-11-10 20:00 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 35088 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 35088 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 18704 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 18704 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 20240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 20240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-11-10 20:00 . 2009-11-10 20:00 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2001-08-23 12:00 . 2009-11-02 14:36 444028 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2009-10-15 05:57 444028 c:\windows\system32\perfh009.dat
+ 2008-04-10 05:03 . 2009-11-11 17:10 270984 c:\windows\system32\FNTCACHE.DAT
- 2008-04-10 05:03 . 2009-10-15 04:33 270984 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-18 02:17 . 2009-11-11 17:07 888080 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 888080 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 272648 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 272648 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 922384 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 922384 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2008-10-18 02:17 . 2009-10-15 04:27 845584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 845584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 217864 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 217864 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2008-10-18 02:17 . 2009-10-15 04:27 159504 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 159504 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-11-11 17:03 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-11 17:03 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2001-08-23 12:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2001-08-23 12:00 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2008-10-19 02:27 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2007-08-13 23:54 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-10-16 13:03 . 2009-10-16 13:03 5003776 c:\windows\Installer\604a1.msp
+ 2009-08-18 18:58 . 2009-08-18 18:58 8301056 c:\windows\Installer\6048d.msp
+ 2009-08-18 18:57 . 2009-08-18 18:57 9122304 c:\windows\Installer\60479.msp
+ 2009-11-10 20:00 . 2009-11-10 20:00 1583616 c:\windows\Installer\4a8b24.msi
- 2008-10-18 02:17 . 2009-10-15 04:27 1172240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 1172240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-10-18 02:17 . 2009-10-15 04:27 1165584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 1165584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-11-11 17:03 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2009-10-15 04:03 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-30 2029336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-16 19:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/14/2009 12:36 PM 64288]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/21/2009 4:45 PM 335240]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/21/2009 4:45 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/21/2009 4:45 PM 297752]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [12/30/2002 9:53 AM 12160]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link DGE-5xx Gigabit Ethernet Adapter;c:\windows\system32\drivers\m4cxw2k3.sys [3/10/2005 6:42 AM 285952]
S0 xaouxn;xaouxn;c:\windows\system32\drivers\rkxuvoeg.sys --> c:\windows\system32\drivers\rkxuvoeg.sys [?]
S3 ADPTEHCD;Adaptec USB 2.0 Enhanced Host Controller Driver;c:\windows\system32\drivers\asusehcd.sys [4/10/2008 7:51 AM 34288]
S3 ADPTHUBD;Adaptec USB 2.0 Hub Driver;c:\windows\system32\drivers\asus2hub.sys [4/10/2008 7:51 AM 24432]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 AUSBD_FilterService;Adaptec USB 2.0 Port Enumeration Driver;c:\windows\system32\drivers\asususbd.sys [4/10/2008 7:51 AM 22448]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1169232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: {75aa409d-05f9-4f27-bd53-c7339d4b1d0a} - hxxps://notes.nationstarmail.com/dwa85W.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 17:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-30 17:56
ComboFix-quarantined-files.txt 2009-11-30 23:56
ComboFix2.txt 2009-10-15 18:34
ComboFix3.txt 2009-10-15 18:06

Pre-Run: 93,706,215,424 bytes free
Post-Run: 93,663,121,408 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 202E2ED0C8854FB612591224437770EF

#6 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:06:59 AM

Posted 01 December 2009 - 04:13 AM

Hello dariushou,

How are things running at this point? Please give me a clear description of the problems you are still having.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Driver::
xaouxn

File::
c:\windows\system32\drivers\rkxuvoeg.sys

DDS::
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
Save this as CFScript.txt, in the same location as ComboFix.exe

[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
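The S0 entry in the ComboFix log above is what the CFScript targets: a stopped boot-start driver whose image ComboFix could not find, under a name that matches nothing else on the system. As an added example (not ComboFix's or BleepingComputer's code), this Python parser reads the Drivers/Services lines of such a log, scores each entry with a few triage heuristics, and diffs two listings to confirm what a script removed; the sample lines are constructed from the log above, and the heuristics and thresholds are my own assumptions, not ComboFix's logic.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape ComboFix prints its Drivers/Services
# section; the S0 line mirrors the suspicious entry in the log above.
BEFORE_CFSCRIPT = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/14/2009 12:36 PM 64288]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/21/2009 4:45 PM 335240]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link DGE-5xx Gigabit Ethernet Adapter;c:\windows\system32\drivers\m4cxw2k3.sys [3/10/2005 6:42 AM 285952]
S0 xaouxn;xaouxn;c:\windows\system32\drivers\rkxuvoeg.sys --> c:\windows\system32\drivers\rkxuvoeg.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1169232]
"""

# The same listing after the CFScript ran (constructed: the xaouxn line is gone).
AFTER_CFSCRIPT = "\n".join(
    line for line in BEFORE_CFSCRIPT.splitlines() if not line.startswith("S0 xaouxn")
)

# <R|S><start> <name>;<display>;<path>[ --> <resolved path>] [<date size> | ?]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    running: bool          # ComboFix prefix: R = running, S = stopped
    start: int             # Start value: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str
    file_found: bool       # False when ComboFix prints "path --> path [?]"
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R*/S* line; returns None for lines that are not service entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    if path.startswith("\\??\\"):  # strip the NT object-manager prefix
        path = path[4:]
    return ServiceEntry(
        running=m["state"] == "R",
        start=int(m["start"]),
        name=m["name"],
        display=m["display"],
        path=path,
        file_found=m["info"] != "?",
    )


def _looks_random(token: str) -> bool:
    # A short run of lowercase letters with no vendor or product hint, e.g. "xaouxn".
    return re.fullmatch(r"[a-z]{5,10}", token) is not None


def assess(entry: ServiceEntry) -> List[str]:
    """Heuristic triage reasons (assumed thresholds); two or more warrant a closer look."""
    reasons = []
    stem = ntpath.splitext(ntpath.basename(entry.path))[0]
    if not entry.file_found:
        reasons.append("image not found on disk (ComboFix printed '[?]')")
    if entry.start <= 1:
        reasons.append(f"loads at boot/system start (start={entry.start})")
    if (_looks_random(entry.name) and _looks_random(stem.lower())
            and stem.lower() != entry.name.lower()):
        reasons.append(f"random-looking names that do not match: {entry.name} vs {stem}")
    return reasons


def triage(log_text: str, threshold: int = 2) -> List[ServiceEntry]:
    """Return entries whose number of triage reasons reaches the threshold."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        entry.reasons = assess(entry)
        if len(entry.reasons) >= threshold:
            flagged.append(entry)
    return flagged


def _names(log_text: str) -> set:
    entries = (parse_service_line(line) for line in log_text.splitlines())
    return {e.name for e in entries if e is not None}


def removed_services(before: str, after: str) -> List[str]:
    """Service names present in the first listing but absent from the second."""
    return sorted(_names(before) - _names(after))


if __name__ == "__main__":
    for e in triage(BEFORE_CFSCRIPT):
        print(f"{e.name}: {'; '.join(e.reasons)}")
    print("removed by CFScript:", removed_services(BEFORE_CFSCRIPT, AFTER_CFSCRIPT))
```

The ASUSHWIO entry also has a missing image but scores only one reason, which is the usual shape of a leftover entry from an uninstalled motherboard utility rather than something to delete on sight.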


#7 dariushou
  • Topic Starter
  • Members
  • 13 posts
  • Local time:10:59 PM

Posted 01 December 2009 - 03:26 PM

Hi Elise,

Below is the log. The issue with the computer is as follows:

Very sluggish overall...sometimes it responds somewhat ok, but most of the time there is a delay to do anything. That did improve quite a bit after running all of the anti-spyware programs listed above, however still sluggish. The other issue and more noticeable is the internet speed. I have 3 computers in the same room and all are hooked up through the same router. My service is 100mb/s. The other two computers are always above 90mb/s. This computer is around 17mb/s. I've tried all combinations of hardware/ethernet cables and such and it is definitely this machine. Also, when I'm in safe mode with networking I do get speeds around 60-70mb/s, but not while in normal windows--only in safe mode. That still isn't near the 90mb/s as the other machines, but much higher than what I'm getting when in normal windows mode. I hope this helps.

Thanks,
Darius

ComboFix 09-11-30.02 - Darius 12/01/2009 13:53.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.628 [GMT -6:00]
Running from: c:\documents and settings\Darius\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Darius\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\drivers\rkxuvoeg.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_xaouxn


((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-11-30 18:52 . 2009-11-03 22:59 3513624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-30 18:52 . 2009-11-03 22:59 2028312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-11 01:34 . 2009-11-11 02:57 -------- d-----w- c:\documents and settings\Darius\DoctorWeb
2009-11-10 20:10 . 2009-11-10 20:10 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-10 20:01 . 2009-11-19 01:06 117760 ----a-w- c:\documents and settings\Darius\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-02 15:41 . 2009-11-10 00:17 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-11 17:07 . 2008-10-18 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 20:00 . 2009-02-07 20:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-10 20:00 . 2009-02-07 20:16 -------- d-----w- c:\documents and settings\Darius\Application Data\SUPERAntiSpyware.com
2009-11-10 20:00 . 2008-04-10 14:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-21 04:14 . 2008-04-10 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-21 04:08 . 2009-10-21 04:08 -------- d-----w- c:\program files\CCleaner
2009-10-20 20:10 . 2008-04-11 08:40 50 ----a-w- c:\windows\system32\m8840def.dat
2009-10-20 20:08 . 2008-04-11 08:36 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-10-16 19:43 . 2009-04-21 22:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-16 19:43 . 2009-04-21 22:45 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-16 19:43 . 2009-04-21 22:45 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-15 18:54 . 2009-10-15 18:55 389120 ----a-w- c:\windows\system32\CF22312.exe
2009-10-15 17:45 . 2008-08-02 20:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-15 05:02 . 2008-04-10 10:56 70456 ----a-w- c:\documents and settings\Darius\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 04:25 . 2008-10-18 02:15 -------- d-----w- c:\program files\Microsoft Works
2009-10-15 01:58 . 2008-04-10 10:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-14 18:35 . 2009-10-14 18:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-14 18:34 . 2008-04-10 16:22 -------- d-----w- c:\program files\Lavasoft
2009-10-14 18:34 . 2008-04-10 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-14 18:22 . 2009-10-14 18:22 -------- d-----w- c:\documents and settings\Darius\Application Data\uniblue
2009-10-14 18:18 . 2009-10-14 18:18 -------- d-----w- c:\program files\Uniblue
2009-10-14 14:19 . 2008-04-10 17:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-14 13:56 . 2009-06-28 22:46 -------- d-----w- c:\program files\WebPosition 4
2009-10-14 13:54 . 2009-07-11 22:50 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-14 13:54 . 2009-07-11 22:50 -------- d-----w- c:\program files\AVS4YOU
2009-10-14 13:53 . 2008-04-10 16:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-14 13:51 . 2008-10-19 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 13:51 . 2008-11-15 02:54 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-03 08:15 . 2009-10-14 18:35 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-09-23 12:55 . 2009-10-14 18:36 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-14 04:37 . 2009-02-08 01:34 9653830 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-10-19 00:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-10-19 00:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 09:17 . 2009-10-14 21:30 15688 ----a-w- c:\windows\system32\lsdelete.exe
2008-10-18 16:54 . 2008-10-18 16:54 19882 ----a-w- c:\program files\Common Files\repi.pif
.

((((((((((((((((((((((((((((( SnapShot@2009-10-15_18.03.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 12:00 . 2009-10-15 05:57 71904 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2009-11-02 14:36 71904 c:\windows\system32\perfc009.dat
- 2009-02-07 20:16 . 2009-02-07 20:16 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-11-10 20:00 . 2009-11-10 20:00 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2009-02-07 20:16 . 2009-02-07 20:16 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-11-10 20:00 . 2009-11-10 20:00 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 35088 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 35088 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 18704 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 18704 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 20240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 20240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-11-10 20:00 . 2009-11-10 20:00 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2001-08-23 12:00 . 2009-11-02 14:36 444028 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2009-10-15 05:57 444028 c:\windows\system32\perfh009.dat
+ 2008-04-10 05:03 . 2009-11-11 17:10 270984 c:\windows\system32\FNTCACHE.DAT
- 2008-04-10 05:03 . 2009-10-15 04:33 270984 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-18 02:17 . 2009-11-11 17:07 888080 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 888080 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 272648 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 272648 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 922384 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 922384 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2008-10-18 02:17 . 2009-10-15 04:27 845584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 845584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 217864 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2008-10-18 02:17 . 2009-10-15 04:28 217864 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2008-10-18 02:17 . 2009-10-15 04:27 159504 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 159504 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-11-11 17:03 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-11 17:03 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2001-08-23 12:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2001-08-23 12:00 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2008-10-19 02:27 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2007-08-13 23:54 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-10-16 13:03 . 2009-10-16 13:03 5003776 c:\windows\Installer\604a1.msp
+ 2009-08-18 18:58 . 2009-08-18 18:58 8301056 c:\windows\Installer\6048d.msp
+ 2009-08-18 18:57 . 2009-08-18 18:57 9122304 c:\windows\Installer\60479.msp
+ 2009-11-10 20:00 . 2009-11-10 20:00 1583616 c:\windows\Installer\4a8b24.msi
- 2008-10-18 02:17 . 2009-10-15 04:27 1172240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 1172240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-10-18 02:17 . 2009-10-15 04:27 1165584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-10-18 02:17 . 2009-11-11 17:07 1165584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-11-11 17:03 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2009-10-15 04:03 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-30 2029336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-16 19:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/14/2009 12:36 PM 64288]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/21/2009 4:45 PM 335240]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/21/2009 4:45 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/21/2009 4:45 PM 297752]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [12/30/2002 9:53 AM 12160]
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link DGE-5xx Gigabit Ethernet Adapter;c:\windows\system32\drivers\m4cxw2k3.sys [3/10/2005 6:42 AM 285952]
S3 ADPTEHCD;Adaptec USB 2.0 Enhanced Host Controller Driver;c:\windows\system32\drivers\asusehcd.sys [4/10/2008 7:51 AM 34288]
S3 ADPTHUBD;Adaptec USB 2.0 Hub Driver;c:\windows\system32\drivers\asus2hub.sys [4/10/2008 7:51 AM 24432]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 AUSBD_FilterService;Adaptec USB 2.0 Port Enumeration Driver;c:\windows\system32\drivers\asususbd.sys [4/10/2008 7:51 AM 22448]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1169232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {75aa409d-05f9-4f27-bd53-c7339d4b1d0a} - hxxps://notes.nationstarmail.com/dwa85W.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2372)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-01 14:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-01 20:07
ComboFix2.txt 2009-11-30 23:56
ComboFix3.txt 2009-10-15 18:34
ComboFix4.txt 2009-10-15 18:06

Pre-Run: 93,637,091,328 bytes free
Post-Run: 93,583,446,016 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - E76861FF593AFFBBC44E903ED916171B

#8 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:06:59 AM

Posted 01 December 2009 - 04:13 PM

Let's focus on the connection issue first.

Click start > run, type inetcpl.cpl in the Run box and press enter. Internet Properties will open.

Click the Connections tab and click on the LAN settings button.

Make sure Use a proxy server... is unchecked and click OK. Click apply/OK to exit Internet Properties.

Note - even at 28 mbps you should not have any browsing delays (I am connected at 2 mbps and everything opens right when I click on it >_> )


Please start MBAM, update it first and run a full scan.

Post me the MBAM log and let me know how internet speed is now.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#9 dariushou
  • Topic Starter
  • Members
  • 13 posts
  • Local time:10:59 PM

Posted 01 December 2009 - 04:36 PM

Elise,

That wasn't checked. MBAM and all of the other malware programs don't find anything anymore. I ran MBAM a few times in safe mode and regular mode in the last couple of weeks and it finds nothing. The internet issue is associated with whatever rootkit, malware I have on this computer. It hits 17mb/s--yes that is fast for most things, but I'm getting 90mb/s on the computer right next to me. On this computer that I'm only getting 17mb/s, I get 60+mb/s in safe mode. That tells me that something is wrong--bugs, virus, rootkit or something. I've tried everything other than doing a fresh reload of windows. I'm going to be doing that in about a year so I really didn't want to have to do it right now. Any ideas? In the link I posted above, the moderator said I had a rootkit--could you take a look at the end of that posting--it's only a few posts. I'm not sure if vsdatant is the name of that rootkit--I probably misspoke.

Thanks,
Darius

#10 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:06:59 AM

Posted 01 December 2009 - 04:45 PM

Sorry, I didn't imply it's normal you have a way slower speed on this computer, because of course, it's not :(

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the [image] button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
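As an added example (not code from this thread, and not part of OTL), here is a small Python parser for the PRC/SRV/DRV "SafeList" lines that OTL produces, which flags service and driver entries with no company name or an unusual load path. The line layout is taken from the report posted in this thread; the "expected directory" heuristic and the third sample line are constructed for the example.

```python
"""Triage helper for OTL "SafeList" lines (PRC/MOD/SRV/DRV sections).

Added example; not part of the thread or of OTL itself.  The line layout
follows the OTL 3.1.11.4 report posted in the thread; the review
heuristics are this example's own and are deliberately simple.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One OTL SafeList line looks like:
#   DRV - [2009/02/15 23:10:26 | 00,353,672 | ---- | M] (Vendor) -- C:\...\vsdatant.sys -- (vsdatant)
# i.e. kind, timestamp, byte size, attribute flags, company, path, an optional
# service name and an optional trailing description (seen on usbaudio.sys in the log).
_LINE_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| M\] "
    r"\((?P<company>[^)]*)\) -- "
    r"(?P<path>.+?)"
    r"(?: -- \((?P<service>[^)]*)\)(?P<desc>.*))?$"
)

# Directories where drivers and service binaries normally live (heuristic,
# chosen for this example from the paths that appear in the posted log).
_EXPECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\program files",
)


@dataclass
class Entry:
    kind: str
    stamp: str
    size: int
    attrs: str
    company: str
    path: str
    service: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one SafeList line; return None for lines in another format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        kind=m["kind"],
        stamp=m["stamp"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        company=m["company"].strip(),  # OTL sometimes emits "( Vendor)" with a leading space
        path=m["path"],
        service=m["service"],
    )


def flag_entry(e: Entry) -> Entry:
    """Attach review flags; an empty list means nothing odd on its face."""
    if not e.company:
        e.flags.append("no company name in version info")
    low = e.path.lower()
    if not any(low.startswith(d) for d in _EXPECTED_DIRS):
        e.flags.append("loaded from an unusual directory")
    return e


def triage(report_lines: List[str], kinds=("SRV", "DRV")) -> List[Entry]:
    """Parse all SafeList lines of the given kinds and flag them for review."""
    out = []
    for line in report_lines:
        e = parse_line(line)
        if e and e.kind in kinds:
            out.append(flag_entry(e))
    return out


# Constructed sample: the first two lines are copied from the OTL report in the
# thread (vsdatant.sys is attributed there to Check Point, the ZoneAlarm vendor);
# the third is a made-up line in the same format, used only to exercise the flags.
SAMPLE = [
    r"DRV - [2009/02/15 23:10:26 | 00,353,672 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)",
    r"DRV - [2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)",
    r"DRV - [2009/11/30 02:00:00 | 00,012,288 | ---- | M] () -- C:\Documents and Settings\Darius\Local Settings\Temp\EXAMPLE_drv.sys -- (EXAMPLE_drv)",
]

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.service or '?':<12} {e.company or '<none>':<40} {e.path}")
        for f in e.flags:
            print(f"    ! {f}")
```

Entries with no flags are not thereby clean; the flags only order what to look at first, and the signer field OTL prints is version-info text, not a verified signature.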


#11 dariushou

dariushou
  • Topic Starter

  • Members
  • 13 posts

Posted 01 December 2009 - 04:53 PM

Ok, here are the two logs:

OTL LOG

OTL logfile created on: 12/1/2009 3:47:10 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Darius\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.46 Mb Total Physical Memory | 569.33 Mb Available Physical Memory | 55.63% Memory free
3.91 Gb Paging File | 3.53 Gb Available in Paging File | 90.49% Paging File free
Paging file location(s): C:\pagefile.sys 3072 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 87.20 Gb Free Space | 68.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DARIUS-LYFFT7E4
Current User Name: Darius
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/01 15:46:44 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Darius\Desktop\OTL.exe
PRC - [2009/11/30 12:51:57 | 02,029,336 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/10/16 13:43:50 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/10/16 13:43:49 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/10/16 13:43:45 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/10/16 13:43:38 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/02/15 23:10:22 | 02,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/02/15 23:10:22 | 00,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/09/17 22:55:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2009/12/01 15:46:44 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Darius\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/10/16 13:43:38 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/10/14 12:36:26 | 01,169,232 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/02/15 23:10:22 | 02,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/09/17 22:55:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/11/15 14:23:44 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2000/06/26 06:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe -- (WMDM PMSP Service)
SRV - [1999/12/13 00:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)


========== Driver Services (SafeList) ==========

DRV - [2009/10/16 13:43:50 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (avgldx86)
DRV - [2009/10/16 13:43:50 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (avgmfx86)
DRV - [2009/10/12 21:24:56 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/10/12 21:24:54 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/10/12 21:24:52 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/09/23 06:55:23 | 00,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/05/05 10:24:26 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (avgtdix)
DRV - [2009/02/19 12:38:18 | 00,285,952 | ---- | M] (Marvell) -- C:\WINDOWS\system32\drivers\m4cxw2k3.sys -- (m4cxw2k3)
DRV - [2009/02/15 23:10:26 | 00,353,672 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/12/23 12:20:27 | 00,022,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbsermpt.sys -- (usbsermpt)
DRV - [2008/11/17 01:24:00 | 00,051,688 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2008/09/17 22:55:00 | 06,132,576 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/12/06 08:51:00 | 00,285,952 | ---- | M] (Marvell) -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/11/29 01:17:56 | 00,036,368 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2007/11/29 01:17:48 | 00,035,088 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/05/16 10:20:32 | 00,043,008 | ---- | M] (D-Link ) -- C:\WINDOWS\system32\drivers\dlkfet5b.sys -- (FETNDISB)
DRV - [2007/01/18 14:28:02 | 00,005,275 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/08/11 13:56:36 | 00,008,192 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\PFModNT.sys -- (PfModNT)
DRV - [2006/08/11 13:45:40 | 00,007,168 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2006/08/11 13:45:38 | 00,499,584 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2006/08/11 13:45:28 | 00,180,224 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2006/08/11 13:45:26 | 00,766,976 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2006/08/11 13:45:26 | 00,154,112 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2006/08/11 13:45:24 | 00,116,224 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2006/08/11 13:45:18 | 00,143,872 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2006/08/11 13:45:18 | 00,078,336 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2006/08/11 13:45:14 | 00,502,272 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2005/11/10 16:06:04 | 00,340,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2002/12/30 09:53:36 | 00,012,160 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctgame.sys -- (ctgame)
DRV - [2002/05/23 10:13:14 | 00,022,448 | R--- | M] (Asustek Company Inc.) -- C:\WINDOWS\system32\drivers\asususbd.sys -- (AUSBD_FilterService)
DRV - [2002/05/23 10:13:02 | 00,024,432 | R--- | M] (Asustek Company Inc.) -- C:\WINDOWS\system32\drivers\asus2hub.sys -- (ADPTHUBD)
DRV - [2002/05/23 10:11:50 | 00,034,288 | R--- | M] (Asustek Company Inc.) -- C:\WINDOWS\system32\drivers\asusehcd.sys -- (ADPTEHCD)
DRV - [2001/08/23 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 12:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-507921405-1343024091-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-507921405-1343024091-725345543-1003\S-1-5-21-507921405-1343024091-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-507921405-1343024091-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-507921405-1343024091-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-507921405-1343024091-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-507921405-1343024091-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-507921405-1343024091-725345543-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-507921405-1343024091-725345543-1003\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab (Reg Error: Key error.)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://notes.nationstarmail.com/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1255563613812 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1255564069578 (MUWebControl Class)
O16 - DPF: {75aa409d-05f9-4f27-bd53-c7339d4b1d0a} https://notes.nationstarmail.com/dwa85W.cab (IBM Lotus iNotes 8.5 Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/10 04:12:05 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/01 15:46:44 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Darius\Desktop\OTL.exe
[2009/12/01 15:46:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Darius\Desktop\New Folder
[2009/12/01 14:08:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/12/01 13:50:27 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/11/30 16:31:25 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/30 16:27:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Darius\Desktop\old combo fix
[2009/11/30 12:58:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Darius\Desktop\newfixco
[2009/11/18 22:31:24 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Darius\Desktop\RootRepeal.exe
[2009/11/10 19:34:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Darius\DoctorWeb
[2009/11/10 13:56:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Darius\Desktop\computer test
[2009/11/09 22:36:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Darius\Desktop\STUFF to MOVE
[2006/08/11 13:56:28 | 00,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/01 15:46:44 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Darius\Desktop\OTL.exe
[2009/12/01 14:18:36 | 00,195,845 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/12/01 14:18:14 | 00,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/01 14:18:09 | 00,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/12/01 14:17:53 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/01 14:17:48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/01 14:17:45 | 10,732,54400 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/01 14:16:54 | 07,864,320 | -H-- | M] () -- C:\Documents and Settings\Darius\NTUSER.DAT
[2009/12/01 14:16:54 | 00,031,812 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-0000000D-00001102-00000004-10021102}.rfx
[2009/12/01 14:16:54 | 00,031,812 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-0000000D-00001102-00000004-10021102}.rfx
[2009/12/01 14:16:54 | 00,031,440 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-0000000D-00001102-00000004-10021102}.rfx
[2009/12/01 14:16:54 | 00,031,440 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-0000000D-00001102-00000004-10021102}.rfx
[2009/12/01 14:16:54 | 00,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-0000000D-00001102-00000004-10021102}.rfx
[2009/12/01 14:16:54 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/12/01 14:16:54 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/12/01 14:04:01 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/01 14:03:11 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/01 13:05:37 | 45,983,486 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/30 22:06:07 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Darius\ntuser.ini
[2009/11/30 17:45:36 | 00,106,272 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/30 16:31:35 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/11/30 16:28:41 | 03,573,401 | R--- | M] () -- C:\Documents and Settings\Darius\Desktop\ComboFix.exe
[2009/11/30 13:01:32 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Darius\Desktop\bmgso0u4.exe
[2009/11/30 12:59:19 | 00,524,800 | ---- | M] () -- C:\Documents and Settings\Darius\Desktop\dds.scr
[2009/11/24 15:23:28 | 04,849,830 | -H-- | M] () -- C:\Documents and Settings\Darius\Local Settings\Application Data\IconCache.db
[2009/11/18 22:32:52 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Darius\Desktop\settings.dat
[2009/11/18 22:31:05 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Darius\Desktop\RootRepeal.exe
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/11 11:10:45 | 00,270,984 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/11 11:03:38 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/10 14:00:40 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/11/02 08:36:05 | 00,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/02 08:36:05 | 00,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/02 08:36:05 | 00,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/30 16:31:35 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/11/30 16:31:32 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/30 16:30:28 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/30 16:28:15 | 03,573,401 | R--- | C] () -- C:\Documents and Settings\Darius\Desktop\ComboFix.exe
[2009/11/30 13:01:24 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Darius\Desktop\bmgso0u4.exe
[2009/11/30 12:59:13 | 00,524,800 | ---- | C] () -- C:\Documents and Settings\Darius\Desktop\dds.scr
[2009/11/18 22:31:56 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Darius\Desktop\settings.dat
[2009/11/18 22:27:36 | 10,732,54400 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/11 11:03:36 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/11/10 14:00:40 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/07/11 19:07:18 | 00,000,734 | ---- | C] () -- C:\Documents and Settings\Darius\Application Data\AVSDVDPlayer.m3u
[2009/07/11 16:50:49 | 00,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/07/11 16:50:49 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/06/15 19:11:32 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2009/06/15 19:11:31 | 00,000,149 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2008/10/18 11:04:41 | 00,000,004 | ---- | C] () -- C:\Documents and Settings\Darius\Application Data\iexplore.iss
[2008/10/18 10:54:28 | 00,019,913 | ---- | C] () -- C:\Documents and Settings\Darius\Local Settings\Application Data\ozuvyj.ban
[2008/10/18 10:54:28 | 00,019,354 | ---- | C] () -- C:\Documents and Settings\Darius\Local Settings\Application Data\xymiqy.ban
[2008/10/18 10:54:28 | 00,015,608 | ---- | C] () -- C:\Documents and Settings\Darius\Application Data\yfizixan.db
[2008/10/18 10:54:28 | 00,013,164 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\habylu.db
[2008/10/18 10:54:28 | 00,011,861 | ---- | C] () -- C:\Documents and Settings\Darius\Application Data\efiwa.db
[2008/10/18 10:54:28 | 00,010,678 | ---- | C] () -- C:\Documents and Settings\Darius\Local Settings\Application Data\jymubup.ban
[2008/10/18 10:54:27 | 00,019,882 | ---- | C] () -- C:\Program Files\Common Files\repi.pif
[2008/10/18 10:54:27 | 00,019,485 | ---- | C] () -- C:\Documents and Settings\Darius\Local Settings\Application Data\nedopynydy._sy
[2008/10/18 10:54:27 | 00,016,894 | ---- | C] () -- C:\Documents and Settings\Darius\Local Settings\Application Data\imulekygiz.exe
[2008/10/18 10:54:27 | 00,012,568 | ---- | C] () -- C:\Documents and Settings\Darius\Application Data\pewico._dl
[2008/05/16 13:01:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 13:01:00 | 01,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/16 13:01:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 13:01:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/16 13:01:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/05/10 12:03:45 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Darius\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/25 18:56:01 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/04/21 22:30:16 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/04/11 09:41:27 | 00,000,058 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2008/04/11 02:40:08 | 00,000,236 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2008/04/11 02:40:08 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2008/04/11 02:40:08 | 00,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2008/04/11 02:40:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2008/04/11 02:39:33 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2008/04/11 02:36:56 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/04/10 17:33:08 | 00,000,397 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/04/10 08:53:25 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/04/10 08:12:40 | 00,003,266 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/04/10 05:38:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\500A121a.INI
[2008/04/10 05:35:35 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2008/04/10 05:34:00 | 00,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2008/04/10 05:24:15 | 00,086,446 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/04/10 05:24:15 | 00,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/04/10 05:24:15 | 00,000,191 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/04/10 04:38:28 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006/08/11 13:57:18 | 00,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/05/23 11:40:34 | 00,000,269 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2005/06/16 17:17:16 | 00,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL
[2004/09/17 16:37:42 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2002/08/22 07:52:14 | 00,000,236 | ---- | C] () -- C:\WINDOWS\System32\BELKIN.ini
[2002/03/04 09:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1998/07/12 00:13:00 | 00,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 48 bytes -> C:\Documents and Settings\All Users\DRM:الهريرة
@Alternate Data Stream - 177 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2F2F703
< End of report >

Extras LOG

OTL Extras logfile created on: 12/1/2009 3:47:11 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Darius\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.46 Mb Total Physical Memory | 569.33 Mb Available Physical Memory | 55.63% Memory free
3.91 Gb Paging File | 3.53 Gb Available in Paging File | 90.49% Paging File free
Paging file location(s): C:\pagefile.sys 3072 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 87.20 Gb Free Space | 68.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DARIUS-LYFFT7E4
Current User Name: Darius
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\TurboTax\Premier 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Premier 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Premier 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Premier 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02e89efc-7b07-4d5a-aa03-9ec0902914ee}" = VC 9.0 Runtime
"{3294DF7D-9A5B-443E-85D3-A00486AA0A92}" = DGE-530T
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{66FF4C48-0083-4E60-8556-B883AB200092}" = Heroes of Might and Magic V - Tribes of the East
"{71FD03B5-E653-4CB8-9B56-A466ABC9FCA9}" = Brother MFL-Pro Suite
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7dd9a065-2c86-4a9f-a5ff-796ec1b99dca}" = AnswerWorks 4.0 Runtime - English
"{7F2F3F8B-2D57-48A3-99D0-1AC23D594C89}" = LightScribe 1.4.56.1
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9521BC04-0879-11D7-8FD2-0000E254D6CE}" = Belkin F5U248 Driver and Icon
"{9F05B89E-2873-11D5-9E9D-0050DA1EA555}" = Myst III: Exile
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A17EABB6-D0C6-44E5-820C-72DC7F495064}" = PaperPort
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C71A1FD7-EB23-45AA-A9AA-8DFEC0881875}" = 530TX+
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D311E019-6246-11D4-80BE-009027548212}" = IntexDesktop
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E82BF103-904F-49C0-B77F-6EC110B71E87}" = Sound Blaster Audigy 2
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"adobe flash player activex" = Adobe Flash Player 10 ActiveX
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"avg8uninstall" = AVG 8.5
"CCleaner" = CCleaner (remove only)
"CDRW Drive Update" = Creative CD Burner Drive Update
"Excel Knowledge Base" = Excel Knowledge Base
"Holy Macro! It's 2,200 Excel VBA Examples" = Holy Macro! It's 2,200 Excel VBA Examples
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{3294DF7D-9A5B-443E-85D3-A00486AA0A92}" = DGE-530T
"InstallShield_{C71A1FD7-EB23-45AA-A9AA-8DFEC0881875}" = 530TX+
"malwarebytes' anti-malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Wizard 2008_is1" = PC Wizard 2008.1.82
"PROPLUS" = Microsoft Office Professional Plus 2007
"turbotax premier 2007" = TurboTax Premier 2007
"VBA & Macros for Excel Project Files" = VBA & Macros for Excel Project Files
"VN_VUIns_Rhine_D-Link" = D-Link PCI Fast Ethernet Adapter
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"windows live onecare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"zonealarm" = ZoneAlarm

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/27/2008 4:06:15 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 10 | ID = 1000
Description =

[ OSession Events ]
Error - 8/16/2009 3:47:03 AM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 16571
seconds with 2580 seconds of active time. This session ended with a crash.

Error - 8/17/2009 12:27:47 AM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 2730
seconds with 240 seconds of active time. This session ended with a crash.

Error - 8/18/2009 11:42:41 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 2730
seconds with 540 seconds of active time. This session ended with a crash.

Error - 8/21/2009 2:18:58 AM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 2676
seconds with 1020 seconds of active time. This session ended with a crash.

Error - 8/21/2009 3:38:53 AM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 4689
seconds with 2760 seconds of active time. This session ended with a crash.

Error - 8/23/2009 2:01:44 AM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 8968
seconds with 3840 seconds of active time. This session ended with a crash.

Error - 8/26/2009 9:21:53 AM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 36285
seconds with 4320 seconds of active time. This session ended with a crash.

Error - 8/28/2009 3:20:33 AM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 9494
seconds with 960 seconds of active time. This session ended with a crash.

Error - 9/3/2009 1:00:05 AM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 7450
seconds with 120 seconds of active time. This session ended with a crash.

Error - 9/6/2009 5:58:51 AM | Computer Name = DARIUS-LYFFT7E4 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6324.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 30462
seconds with 360 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 11/24/2009 5:11:02 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 11/30/2009 2:50:46 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 11/30/2009 4:36:39 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 11/30/2009 6:24:42 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 11/30/2009 7:36:59 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 12/1/2009 3:03:26 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 12/1/2009 4:02:29 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 12/1/2009 4:06:45 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7034
Description = The TrueVector Internet Monitor service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/1/2009 4:13:08 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 12/1/2009 4:17:57 PM | Computer Name = DARIUS-LYFFT7E4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep


< End of report >
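
The registry dump above reports the Windows Firewall policy keys (`EnableFirewall`, `GloballyOpenPorts`) and the Security Center `Monitoring` overrides. The following parser, added here as an example and not part of the original post or any BleepingComputer tool, reads that section of an OTL-style log and turns it into the three facts a reviewer actually wants: whether the built-in firewall is on in each profile, which port exceptions are enabled and with what scope, and which products have `DisableMonitoring = 1`. The sample input is a constructed, trimmed copy of the keys quoted in the log; the rule thresholds in `findings()` are my own assumptions.

```python
"""Parse the Windows Firewall / Security Center registry section of an
OTL-style log and summarise what it says about the host's exposure."""
import re

# Constructed sample: a trimmed copy of the registry keys quoted in the log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

FW_BASE = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
           r'\SharedAccess\Parameters\FirewallPolicy')
SC_BASE = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring'
SMB_PORTS = {137, 138, 139, 445}   # NetBIOS / SMB, the usual lateral-movement ports


def parse_registry_dump(text):
    """Return {key_path: {value_name: value_string}} for a [key] / "name" = value dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def summarise_firewall(keys):
    """Per-profile firewall state plus Security Center monitoring overrides."""
    summary = {'profiles': {}, 'monitoring_disabled': []}
    for profile in ('DomainProfile', 'StandardProfile'):
        prof_key = keys.get(FW_BASE + '\\' + profile, {})
        ports_key = keys.get(FW_BASE + '\\' + profile + '\\GloballyOpenPorts\\List', {})
        open_ports = []
        for raw in ports_key.values():
            # Value format: port:proto:scope:Enabled|Disabled:description
            port, proto, scope, state = raw.split(':')[:4]
            if state.lower() == 'enabled':
                open_ports.append((int(port), proto, scope))
        summary['profiles'][profile] = {
            'enabled': prof_key.get('EnableFirewall') == '1',
            'open_ports': sorted(open_ports),
        }
    for key, values in keys.items():
        if key.startswith(SC_BASE + '\\') and values.get('DisableMonitoring') == '1':
            summary['monitoring_disabled'].append(key.rsplit('\\', 1)[1])
    return summary


def findings(summary):
    """Reviewer notes derived from the summary (thresholds are assumptions)."""
    notes = []
    if all(not p['enabled'] for p in summary['profiles'].values()):
        notes.append('Windows Firewall disabled in every profile: host relies '
                     'entirely on a third-party firewall being up')
    for profile, p in summary['profiles'].items():
        wide = ['%d/%s' % (port, proto) for port, proto, scope in p['open_ports']
                if port in SMB_PORTS and scope == '*']
        if wide:
            notes.append(profile + ': SMB/NetBIOS exceptions with unrestricted '
                         'scope: ' + ', '.join(wide))
    for product in summary['monitoring_disabled']:
        notes.append('Security Center monitoring disabled for ' + product)
    return notes


if __name__ == '__main__':
    for note in findings(summarise_firewall(parse_registry_dump(SAMPLE_LOG))):
        print('-', note)
```

Read the output with the rest of the log in mind: `EnableFirewall = 0` in both profiles and `DisableMonitoring = 1` under `ZoneLabsFirewall` are the expected state when ZoneAlarm has registered itself as the host firewall, not evidence of tampering on their own. The check that matters is that the third-party product is actually running, because the System event entries in the same log show the TrueVector Internet Monitor service (ZoneAlarm's vsmon.exe) terminated unexpectedly once; while it is down nothing is filtering, and the `*`-scoped 139/445 exceptions in the domain profile would matter if that profile were ever active.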

#12 Elise

  • Malware Study Hall Admin

Posted 02 December 2009 - 02:22 PM

Did you try to re-install your wireless card drivers?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#13 dariushou

dariushou
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 03 December 2009 - 12:17 AM

To be honest, I can't remember if I had tried that before. I likely did, but can't say for sure. Would you like me to do that?

Thanks,
Darius

Also, if it were just a driver issue then does it make sense that the speed is much faster in safe mode?

#14 Elise

  • Malware Study Hall Admin


Posted 03 December 2009 - 06:05 AM

Also, if it were just a driver issue then does it make sense that the speed is much faster in safe mode?

That's impossible to say. In your case I don't see any evidence of malware causing this problem. That means we just have to go about this starting from one point or another. Starting with the drivers is the most logical thing to do then.

Please let me know if you are able to re-install your drivers or if you need help with that :(

regards, Elise




#15 Elise

  • Malware Study Hall Admin


Posted 09 December 2009 - 04:17 PM

Hello, are you still there?

regards, Elise

