
suspecting Vundo or other infection still lurking



#1 pckaput

Posted 04 January 2010 - 06:14 PM

I am doing this for the first time, so I'm not sure if this is done the correct way; please correct me.
The real motherboard is ECS L4VXA2, but it shows here as Motherboard: P4X400-8235 after the HD was cloned.
Please check and tell me what boxes to check-mark after I run HiJackThis next time.
Please tell me if HiJackThis should be run in safe mode or in normal mode.
Should Avast be terminated or paused before running HiJackThis?
Which file should I not have sent?
Does Upload mean Send?
----------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:49 AM, on 1/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\USER\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: (no name) - {99FF598D-2D8B-4963-89C3-5D0469D6ECC9} - (no file)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqromll - rqromll.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 4784 bytes
-----------------------------------------

DDS (Ver_09-12-01.01) - FAT32x86
Run by USER at 13:31:13.50 on Mon 01/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.233 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100104-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\USER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
uSearch Bar = hxxp://home.peoplepc.com/search
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydial/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
mSearchAssistant = hxxp://home.peoplepc.com/search
BHO: ElnkBhoGuard Class: {00000000-0000-0000-0000-000000000002} - c:\program files\peoplepc\toolbar\ScamGrd.dll
BHO: ElnkScamBHO Class: {15f4d456-5baa-4076-8486-eecb38cd3e57} - c:\program files\peoplepc\toolbar\ScamGrd.dll
BHO: PPCScamBHO Class: {7e3659a6-4bc5-4d93-b3fd-8b5acc2feded} - c:\program files\peoplepc\toolbar\ScamGrd.dll
BHO: {99FF598D-2D8B-4963-89C3-5D0469D6ECC9} - No File
BHO: {DC192567-65F9-4AB6-ADB7-E13575F81726} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunServices: [mysvcig38] mysvcc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso4.cab
DPF: Win32 Classes
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: rqromll - rqromll.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkhge
Hosts: 195.245.119.131 browser-security.microsoft.com

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-24 114768]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2009-2-23 6656]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-26 138680]
R2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2009-2-24 28672]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-26 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-26 352920]

=============== Created Last 30 ================

2010-01-03 22:02:21 35262 ----a-w- c:\windows\USER.acl
2010-01-03 21:59:19 0 d-----w- c:\windows\SendTo
2010-01-03 21:59:12 0 d-----w- c:\program files\common files\ODBC
2010-01-03 21:59:11 6209 ----a-w- c:\windows\system32\mapisvc.inf
2010-01-03 21:59:11 22 ----a-w- c:\windows\exchng.ini
2010-01-03 21:59:06 69632 ----a-w- c:\windows\system32\system.mdw
2010-01-03 21:58:14 0 d-----w- c:\windows\forms
2010-01-03 21:58:12 0 d-----w- c:\program files\Windows Messaging
2010-01-03 20:11:14 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-01-03 20:11:13 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-01-03 20:11:13 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-01-03 20:11:13 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-01-03 20:11:12 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-01-03 20:11:00 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-01-03 20:09:59 11520 ----a-w- c:\windows\system32\dllcache\twotrack.sys
2010-01-03 20:08:59 50432 ----a-w- c:\windows\system32\dllcache\sisv.sys
2010-01-03 20:07:58 68608 ----a-w- c:\windows\system32\dllcache\plugin.ocx
2010-01-03 20:06:57 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-01-03 20:05:57 8704 ----a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-01-03 20:04:44 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-01-03 20:03:58 45568 ----a-w- c:\windows\system32\dllcache\esunib.dll
2010-01-03 20:02:59 96256 ----a-w- c:\windows\system32\dllcache\ctlsb16.sys
2010-01-03 20:01:59 66082 ----a-w- c:\windows\system32\dllcache\c_10021.nls
2010-01-03 20:00:56 101888 ----a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-01-02 23:19:00 0 d-----w- C:\CAP78
2010-01-02 06:40:45 0 d-----w- c:\program files\VIA
2010-01-02 05:02:15 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2010-01-02 05:02:15 0 d-----w- c:\program files\Belarc
2010-01-02 00:36:16 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-01-02 00:36:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-02 00:36:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 00:36:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 00:36:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-11-15 21:19:08 1421080 ----a-w- c:\windows\system32\AutoPartNt.exe
2009-10-29 21:10:20 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2005-07-08 11:56:22 271 --sh--w- c:\program files\desktop.ini
2005-07-08 11:56:22 23357 ---h--w- c:\program files\folder.htt
2009-02-24 09:44:22 2808 --sha-w- c:\windows\system32\eghkj.ini2

============= FINISH: 13:31:31.15 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/13/2005 3:54:05 PM
System Uptime: 1/4/2010 9:36:28 AM (4 hours ago)

Motherboard: | | P4X400-8235
Processor: Intel® Pentium® 4 CPU 2.40GHz | Socket 478 | 2393/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 19 GiB total, 7.972 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: ATI WDM Specialized PCD Codec (Microsoft Corporation)
Device ID: DISPLAY\NTATIVPD31\5&37F3748&0&8000000C&01&00
Manufacturer: ATI
Name: ATI WDM Specialized PCD Codec (Microsoft Corporation)
PNP Device ID: DISPLAY\NTATIVPD31\5&37F3748&0&8000000C&01&00
Service: PCDCODEC

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: ATI WDM Specialized MVD Codec (Microsoft Corporation)
Device ID: DISPLAY\NTATIVMD31\5&37F3748&0&80000007&01&00
Manufacturer: ATI
Name: ATI WDM Specialized MVD Codec (Microsoft Corporation)
PNP Device ID: DISPLAY\NTATIVMD31\5&37F3748&0&80000007&01&00
Service: MVDCODEC

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: ATI WDM TV Audio (Microsoft Corporation) Crossbar (Microsoft Corporation)
Device ID: DISPLAY\NTATIVXS31\5&37F3748&0&80000005&01&00
Manufacturer: ATI
Name: ATI WDM TV Audio (Microsoft Corporation) Crossbar (Microsoft Corporation)
PNP Device ID: DISPLAY\NTATIVXS31\5&37F3748&0&80000005&01&00
Service: ATIXSAudio

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: ATI WDM Rage Theater Audio (Microsoft Corporation)
Device ID: DISPLAY\NTATIVRA31\5&37F3748&0&80000009&01&00
Manufacturer: ATI
Name: ATI WDM Rage Theater Audio (Microsoft Corporation)
PNP Device ID: DISPLAY\NTATIVRA31\5&37F3748&0&80000009&01&00
Service: ativraxx

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: ATI WDM Rage Theater Video (Microsoft Corporation)
Device ID: DISPLAY\NTATIVRV31\5&37F3748&0&80000008&01&00
Manufacturer: ATI
Name: ATI WDM Rage Theater Video (Microsoft Corporation)
PNP Device ID: DISPLAY\NTATIVRV31\5&37F3748&0&80000008&01&00
Service: atinrvxx

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: ATI WDM TV Tuner (Microsoft Corporation)
Device ID: DISPLAY\NTATIVTU31\5&37F3748&0&80000003&01&00
Manufacturer: ATI
Name: ATI WDM TV Tuner (Microsoft Corporation)
PNP Device ID: DISPLAY\NTATIVTU31\5&37F3748&0&80000003&01&00
Service: ATITUNEP

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Beep
Device ID: ROOT\LEGACY_BEEP\0000
Manufacturer:
Name: Beep
PNP Device ID: ROOT\LEGACY_BEEP\0000
Service: Beep

==== System Restore Points ===================

RP98: 10/29/2009 1:53:49 PM - Installed DirectX
RP99: 11/2/2009 1:38:56 PM - Installed Acronis Migrate Easy
RP100: 11/5/2009 6:05:16 PM - System Checkpoint
RP101: 11/5/2009 9:17:40 PM - Installed Windows Media Player 9 Series
RP102: 11/5/2009 10:48:15 PM - Installed Windows XP Service Pack 2.
RP103: 11/5/2009 11:21:17 PM - Installed Windows Internet Explorer 8.
RP104: 11/9/2009 1:46:07 PM - Installed Windows Media Format 9 Series Runtime Setup
RP105: 11/9/2009 1:46:54 PM - Installed Roxio Easy Media Creator 7 Basic DVD Edition
RP106: 11/10/2009 2:20:58 PM - System Checkpoint
RP107: 11/11/2009 5:48:26 PM - System Checkpoint
RP108: 11/14/2009 9:15:05 PM - System Checkpoint
RP109: 1/1/2010 6:14:25 PM - System Checkpoint
RP110: 1/1/2010 10:40:43 PM - Installed Platform
RP111: 1/2/2010 8:08:04 PM - Installed Google Earth.
RP112: 1/3/2010 1:22:54 PM - Removed Microsoft Office XP Media Content
RP113: 1/3/2010 1:41:24 PM - Removed Microsoft Office XP Professional

==== Installed Programs ======================

Acronis Migrate Easy
Ad-Aware 2007
Adobe Acrobat 4.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements
Adobe SVG Viewer
avast! Antivirus
Belarc Advisor 6.1
CCleaner (remove only)
Combined Community Codec Pack 2007-07-22
Dell ResourceCD
Google Earth
HijackThis 2.0.2
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Malwarebytes' Anti-Malware
Microsoft IntelliType Pro
Microsoft Office 97, Professional Edition
Modem Test
Modem User Guide
PhoneTools
Platform
PowerDVD
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Roxio Easy Media Creator 7 Basic DVD Edition
Skype 3.0
Skype Plugin Manager
Smart Keyboard
SoftV92 Data Fax Modem with SmartCP
Sound Blaster Live! Value
Update for Windows XP (KB898461)
VIA Platform Device Manager
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows XP Service Pack 2
Windows XP Uninstall
WinZip

==== Event Viewer Messages From Past Week ========

1/3/2010 12:11:15 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
1/3/2010 11:50:59 AM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
1/2/2010 11:24:56 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ACLAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{540F3A3F-4DC1-4DA8-. The master browser is stopping or an election is being forced.
1/1/2010 5:08:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 IntelIde PCIIde
1/1/2010 2:43:54 PM, error: Dhcp [1002] - The IP address lease 192.168.0.10 for the Network Card with network address 000D878E36C8 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/04 13:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB244D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B8F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB174B000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250d6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250d574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250da52

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "IPVNMon.sys" at address 0xf84db803

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250d14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250d64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250d08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250d0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250d76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250d72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb250d8ae

==EOF==
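The first post asks which boxes to tick. As an added example (not from this thread and not HijackThis project code), the script below parses lines in the HijackThis format shown above and flags the structural red flags a log helper checks first: a hosts-file override of a vendor domain, an autostart entry that names only a bare filename, an orphaned BHO, and a Winlogon Notify entry whose DLL is missing. The sample lines are constructed to mirror the posted log, and the severities and wording are the editor's own heuristics, not a verdict on this machine.

```python
"""Triage of HijackThis-style log lines: flag the entries a log helper would question."""
import re
from collections import namedtuple
# Constructed sample in HijackThis 2.0.2 format, modelled on the log posted above:
# four entries a reviewer would question, interleaved with benign ones for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {99FF598D-2D8B-4963-89C3-5D0469D6ECC9} - (no file)
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: rqromll - rqromll.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
VENDOR_SUFFIXES = ("microsoft.com", "windowsupdate.com")  # overrides here divert OS update/security traffic
HJT_LINE = re.compile(r"^([RO]\d+) - (.+)$")
O4_ENTRY = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# severity: "high" = act on it, "review" = confirm before removing
Finding = namedtuple("Finding", "section line severity reason")

def check_hosts(body):
    """O1: hosts-file mappings. Anything not pointing at the local host is an override."""
    parts = body.split()
    if len(parts) < 3 or parts[1] in LOCAL_ADDRS:
        return None
    ip, host = parts[1], parts[2]
    if host.lower().endswith(VENDOR_SUFFIXES):
        return "high", f"hosts file sends {host} to {ip}; a vendor domain should never be pinned to a remote address"
    return "review", f"hosts file pins {host} to remote address {ip}"

def check_bho(body):
    """O2: browser helper objects. A CLSID with no backing file is a leftover registration."""
    if body.endswith("(no file)"):
        return "review", "orphaned BHO registration (no file on disk); harmless but worth cleaning"
    return None

def check_autostart(body):
    """O4: Run-key entries. A bare filename is resolved via the search path, so its origin is unclear."""
    m = O4_ENTRY.match(body)
    if not m:
        return None
    exe = m.group("cmd").split()[0]
    if not re.search(r"[\\/]", exe):
        return "high", f"{m.group('key')} starts '{exe}' without a full path; locate the file and verify its publisher"
    return None

def check_winlogon_notify(body):
    """O20: Winlogon notification DLLs load inside winlogon.exe at every logon."""
    if body.endswith("(file missing)"):
        return "high", "Winlogon Notify package names a DLL that is no longer present; the value survived a partial removal"
    return None

CHECKS = {"O1": check_hosts, "O2": check_bho, "O4": check_autostart, "O20": check_winlogon_notify}

def triage(log_text):
    """Return a Finding for every HijackThis line one of the checks objects to, in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        verdict = check(body) if check else None
        if verdict:
            findings.append(Finding(section, raw.strip(), *verdict))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section}: {f.reason}")
```

Run against the sample it reports exactly the four questionable lines; lines it does not understand (R-entries, O23 services) are skipped rather than guessed at.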

#2 myrti


Posted 12 January 2010 - 08:31 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 myrti


Posted 17 January 2010 - 02:12 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
