Back Door Trojan? Some web pages freeze. XP

Post by Gramps » February 20th, 2010, 12:25 pm

Hi, and thanks for checking this. I have a problem with certain web pages freezing up and was told I could be infected? Any help would be greatly appreciated. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:58 AM, on 2/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21183)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime] C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 5160479062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8295481718
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4618 bytes

µTorrent
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Apple Application Support
Apple Software Update
Audacity 1.2.6
AVG 8.5
CCleaner
Diablo II
Hero Editor V0.96
HijackThis 2.0.2
Hotfix for Windows XP (KB976098-v2)
Java(TM) 6 Update 18
Java(TM) 6 Update 7
LAME v3.98.2 for Audacity
Logitech Vid
Logitech Webcam Software
Logitech Webcam Software Driver Package
Microsoft Office PowerPoint Viewer 2007 (English)
Mozilla Firefox (3.5.8)
MSN
MSXML 4.0 SP2 (KB973688)
NVIDIA Windows 2000/XP Display Drivers
OGA Notifier 2.0.0048.0
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Skype web features
Skype™ 4.1
Spybot - Search & Destroy
Switch Sound File Converter
Update for Windows XP (KB955759)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Windows XP Service Pack 3
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm
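The HijackThis log above lists the O4 (Run key) autostart entries that a helper reads first. As an added example, not code from the thread or from HijackThis, here is a small Python triage script that parses O4 lines in that format and flags entries worth a closer look using two plain heuristics: an executable that carries the name of a Windows system binary (msdtc.exe ships in %SystemRoot%\system32 on XP) but sits outside the Windows directory, and an autorun launched from a user profile path. The sample input is copied from the log above; the heuristics, the binary list and the function names are this example's own assumptions, and a hit is a prompt to look, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Sample input: O4 lines copied from the HijackThis 2.0.2 log in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime] C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"""

# "O4 - <key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Unquoted command line: take everything up to the first executable extension.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)

# Executables that live in the Windows directory tree on XP (assumed list for this example);
# the same file name anywhere else deserves a look.
WINDOWS_BINARIES = {"msdtc.exe", "svchost.exe", "lsass.exe", "services.exe", "smss.exe",
                    "winlogon.exe", "csrss.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe"}
WINDOWS_DIRS = {"windows", "winnt"}
PROFILE_ROOTS = {"documents and settings", "users"}


def command_path(cmd):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd


def parse_o4(line):
    """Parse one O4 line into key, value name and executable path; None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"key": m.group("key"), "name": m.group("name"), "path": command_path(m.group("cmd"))}


def review_reasons(path):
    """Heuristic reasons to review an autostart path; empty list means nothing stood out."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]          # parts[0] is the drive, e.g. 'c:\\'
    top = parts[1] if len(parts) > 1 else ""
    reasons = []
    if p.name.lower() in WINDOWS_BINARIES and top not in WINDOWS_DIRS:
        reasons.append("Windows system binary name outside the Windows directory")
    if top in PROFILE_ROOTS:
        reasons.append("autorun launched from a user profile directory")
    return reasons


def triage(log_text):
    """Return the O4 entries from a HijackThis log that trip at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = review_reasons(entry["path"])
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4):
        print(f"[{f['name']}] {f['path']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run stand-alone, the script reports a single entry from the sample, the Run value named QuickTime. The value name is deliberately not used as a signal: Run value names are free text, so the path is the only thing worth testing mechanically; matching the name against the vendor is left to the person reading the log.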

Re: Back Door Trojan? Some web pages freeze. XP

Post by MWR 3 day Mod » February 24th, 2010, 4:15 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Back Door Trojan? Some web pages freeze. XP

Post by melboy » February 27th, 2010, 12:02 pm

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please DO NOT run any other tools or scans whilst I am helping you.
  5. It is important that you reply to this thread. Do not start a new topic.
  6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  7. Absence of symptoms does not mean that everything is clear.


Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Backing up: What, how, where



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


========================================================


IMPORTANT: With reference to Malware Removal's P2P Programs Policy, please uninstall the following programs before we continue

µTorrent

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
We see no purpose in cleaning your machine if you use P2P programmes, as it is pretty much certain that if you continue to use them then you will get infected again.


  • Click on Start > Control Panel and double click on Add/Remove Programs.
  • Locate µTorrent and click on the Change/Remove button to uninstall it.
  • Close Add/Remove Programs and Control Panel when done.


=========================================================


random's system information tool (RSIT)

  • Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized)
  • Post both of these logs in your next reply (Sometimes you have to make several posts to get the logs posted.)



Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Note: Do not run any programs while Gmer is running.



In your next reply:
  1. RSIT log.txt
  2. RSIT info.txt
  3. GMER log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Post by Gramps » February 27th, 2010, 9:23 pm

Hi, I only have the 2 RSIT logs for you, because when I try to run the GMER tool I get a blue screen error. The error talks about checking on any new hardware or software I've installed. I haven't really installed anything lately that I can think of. I also uninstalled the P2P program like you asked. I will try running GMER again but I got the blue screen of death 3 times using it.

info.txt logfile of random's system information tool 1.06 2010-02-27 18:27:40

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->msiexec /qb /x {6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Acrobat.com-->MsiExec.exe /I{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Diablo II-->C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Hero Editor V0.96-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\Hero Editor\ST6UNST.LOG"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Java(TM) 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
LAME v3.98.2 for Audacity-->"C:\Program Files\Lame for Audacity\unins000.exe"
Logitech Vid-->MsiExec.exe /I{4FBCEA31-5D18-4212-9231-DE7CF1BE7DBB}
Logitech Webcam Software Driver Package-->"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\12.0.1278\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=200 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"lvdrivers_12.0" /clone_wait /hide_progress
Logitech Webcam Software-->MsiExec.exe /I{AC96671C-2001-432C-9826-5266D84EF1DC}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Mozilla Firefox (3.5.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
OpenOffice.org 3.2-->MsiExec.exe /I{6ADD0603-16EF-400D-9F9E-486432835002}
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB978207)-->"C:\WINDOWS\ie7updates\KB978207-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB978506)-->"C:\WINDOWS\ie8updates\KB978506-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: DAN
Event Code: 20
Message: Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.

Record Number: 2050
Source Name: Windows Update Agent
Time Written: 20100206094601.000000-360
Event Type: error
User:

Computer Name: DAN
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 2049
Source Name: W32Time
Time Written: 20100205165728.000000-360
Event Type: warning
User:

Computer Name: DAN
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 2022
Source Name: Tcpip
Time Written: 20100204203311.000000-360
Event Type: warning
User:

Computer Name: DAN
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 2021
Source Name: W32Time
Time Written: 20100204121710.000000-360
Event Type: warning
User:

Computer Name: DAN
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 1991
Source Name: W32Time
Time Written: 20100203100221.000000-360
Event Type: warning
User:

=====Application event log=====

Computer Name: DAN
Event Code: 1041
Message: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 1956
Source Name: Userenv
Time Written: 20100213233731.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: DAN
Event Code: 1041
Message: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 1955
Source Name: Userenv
Time Written: 20100213231931.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: DAN
Event Code: 1041
Message: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 1954
Source Name: Userenv
Time Written: 20100213231931.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: DAN
Event Code: 1041
Message: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 1953
Source Name: Userenv
Time Written: 20100213215131.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: DAN
Event Code: 1041
Message: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Record Number: 1952
Source Name: Userenv
Time Written: 20100213215131.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0204
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

Logfile of random's system information tool 1.06 (written by random/random)
Run by dad at 2010-02-27 18:27:26
Microsoft Windows XP Professional Service Pack 3
System drive C: has 39 GB (68%) free of 57 GB
Total RAM: 511 MB (27% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:37 PM, on 2/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\dad\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\dad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime] C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 5160479062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8295481718
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4793 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1060284298-682003330-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1060284298-682003330-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-02-27 1484056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2010-02-20 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-02-20 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
Locked

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"QuickTime"=C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe [2007-12-27 466944]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe []
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-02-27 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-09 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
C:\Program Files\Logitech\Logitech Vid\vid.exe [2009-06-02 5451536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2009-05-08 2780432]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime]
C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe [2007-12-27 466944]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dad^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
C:\Program Files\Logitech\QuickCam\eReg.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-02-27 12464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2007-06-24 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli
scecli

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"HideFastUserSwitching"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\Diablo II\Game.exe"="C:\Program Files\Diablo II\Game.exe:*:Enabled:Diablo II"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-02-27 18:27:26 ----D---- C:\rsit
2010-02-27 17:54:01 ----HD---- C:\$AVG
2010-02-27 17:53:22 ----D---- C:\Documents and Settings\All Users\Application Data\avg9
2010-02-24 03:00:16 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-21 19:59:34 ----D---- C:\Program Files\JRE
2010-02-21 03:01:06 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2010-02-21 03:00:58 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-02-20 16:27:22 ----A---- C:\WINDOWS\system32\javaws.exe
2010-02-20 16:27:22 ----A---- C:\WINDOWS\system32\javaw.exe
2010-02-20 16:27:22 ----A---- C:\WINDOWS\system32\java.exe
2010-02-20 16:03:57 ----D---- C:\WINDOWS\Prefetch
2010-02-20 16:01:53 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2010-02-20 15:53:01 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2010-02-20 15:51:54 ----AT---- C:\WINDOWS\001126_.tmp
2010-02-20 15:37:24 ----N---- C:\WINDOWS\system32\ieencode.dll
2010-02-20 14:59:49 ----HDC---- C:\WINDOWS\$NtUninstallKB884020$
2010-02-20 14:56:25 ----D---- C:\WINDOWS\system32\NtmsData
2010-02-20 14:15:50 ----HDC---- C:\WINDOWS\ie8
2010-02-20 13:53:13 ----D---- C:\WINDOWS\system32\msmq
2010-02-20 13:04:30 ----A---- C:\WINDOWS\system32\resetlog.txt
2010-02-16 09:47:56 ----D---- C:\WINDOWS\Minidump
2010-02-10 03:03:46 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-10 03:03:36 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-10 03:01:26 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-10 03:01:19 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-10 03:01:12 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-10 03:01:05 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-10 03:00:54 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-10 03:00:39 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-10 03:00:23 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-05 03:00:26 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2010-02-03 21:14:47 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-02-02 20:23:16 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2010-02-02 19:38:43 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-02-02 19:38:27 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-02-02 19:38:19 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-02-02 19:38:12 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-02-02 19:38:05 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-02-02 19:37:58 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2010-02-02 19:37:51 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2010-02-02 19:37:43 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2010-02-02 19:37:29 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\zh-TW
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\zh-HK
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\tr-TR
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\sv-SE
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\pt-BR
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\nl-NL
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\nb-NO
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\ko-KR
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\it-IT
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\he-IL
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\fr-FR
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\fi-FI
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\es-ES
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\el-GR
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\de-DE
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\da-DK
2010-02-02 19:37:18 ----D---- C:\WINDOWS\system32\ar-SA
2010-02-02 15:32:11 ----D---- C:\Program Files\Trend Micro
2010-02-02 13:25:14 ----D---- C:\Program Files\QuickTime
2010-02-02 13:25:13 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2010-02-02 13:24:59 ----D---- C:\Program Files\Common Files\Apple
2010-02-02 13:24:34 ----D---- C:\Program Files\Apple Software Update
2010-02-02 13:24:34 ----D---- C:\Documents and Settings\All Users\Application Data\Apple

======List of files/folders modified in the last 1 months======

2010-02-27 18:22:18 ----D---- C:\Program Files\Mozilla Firefox
2010-02-27 17:59:33 ----D---- C:\WINDOWS\Temp
2010-02-27 17:57:51 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-27 17:56:41 ----D---- C:\WINDOWS\system32
2010-02-27 17:55:45 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-27 17:53:58 ----D---- C:\WINDOWS\system32\drivers
2010-02-27 17:53:37 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2010-02-27 17:53:22 ----D---- C:\Program Files\AVG
2010-02-27 17:53:02 ----SHD---- C:\WINDOWS\Installer
2010-02-27 17:53:01 ----D---- C:\WINDOWS\WinSxS
2010-02-27 17:50:41 ----SD---- C:\Documents and Settings\dad\Application Data\Microsoft
2010-02-27 17:50:40 ----D---- C:\WINDOWS
2010-02-25 18:40:47 ----D---- C:\WINDOWS\Debug
2010-02-24 03:00:43 ----HD---- C:\WINDOWS\inf
2010-02-24 03:00:42 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-24 03:00:40 ----D---- C:\WINDOWS\ie8updates
2010-02-24 03:00:35 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-21 19:59:52 ----RSD---- C:\WINDOWS\Fonts
2010-02-21 19:59:34 ----RD---- C:\Program Files
2010-02-21 19:59:33 ----D---- C:\Program Files\OpenOffice.org 3
2010-02-21 03:17:50 ----D---- C:\WINDOWS\AppPatch
2010-02-21 03:01:15 ----D---- C:\WINDOWS\system32\CatRoot
2010-02-21 03:01:07 ----D---- C:\Program Files\Messenger
2010-02-20 18:36:25 ----D---- C:\Program Files\Java
2010-02-20 18:36:25 ----D---- C:\Program Files\Common Files\Java
2010-02-20 16:27:09 ----A---- C:\WINDOWS\system32\deploytk.dll
2010-02-20 16:02:48 ----D---- C:\WINDOWS\security
2010-02-20 15:57:21 ----D---- C:\WINDOWS\Help
2010-02-20 15:57:13 ----D---- C:\WINDOWS\system32\oobe
2010-02-20 15:55:25 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-02-20 15:52:59 ----D---- C:\WINDOWS\ehome
2010-02-20 15:51:00 ----AT---- C:\WINDOWS\system32\spdwnwxp.exe
2010-02-20 14:28:28 ----D---- C:\WINDOWS\system32\en-us
2010-02-20 14:28:28 ----D---- C:\WINDOWS\Media
2010-02-20 14:28:28 ----D---- C:\Program Files\Internet Explorer
2010-02-20 13:53:36 ----D---- C:\WINDOWS\system32\inetsrv
2010-02-20 13:53:34 ----D---- C:\Program Files\Windows NT
2010-02-20 13:41:18 ----SD---- C:\WINDOWS\Tasks
2010-02-06 13:56:31 ----A---- C:\WINDOWS\WORDPAD.INI
2010-02-02 20:25:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-02-02 19:28:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-02-02 17:28:21 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-02 16:31:47 ----D---- C:\Program Files\ordrumbox
2010-02-02 13:24:59 ----D---- C:\Program Files\Common Files
2010-02-01 15:24:09 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-02-01 13:26:20 ----A---- C:\WINDOWS\system32\MRT.exe
2010-02-01 11:01:50 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2010-02-01 10:49:38 ----D---- C:\Documents and Settings

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-02-27 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-02-27 28424]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-02-27 360584]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2007-06-24 62336]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 LVPr2Mon;LVPr2Mon Driver; C:\WINDOWS\system32\Drivers\LVPr2Mon.sys [2009-04-30 25624]
R3 LVRS;Logitech RightSound Filter Driver; C:\WINDOWS\system32\DRIVERS\lvrs.sys [2009-04-30 265496]
R3 LVUVC;Logitech QuickCam E3500(UVC); C:\WINDOWS\system32\DRIVERS\lvuvc.sys [2009-04-30 6754712]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 FilterService;UVC Filter Service; C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys [2009-04-30 23832]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2007-06-24 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2007-06-24 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-02-27 285392]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-02-20 153376]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-04-30 154136]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby melboy » February 28th, 2010, 5:47 am

Hi Gramps.

Thanks.
I will try running GMER again but I got the blue screen of death 3 times using it.

Ignore running GMER for now and try this instead.



SysProt AntiRootkit©

Please download SysProt AntiRootkit© by swatkat and save it to your desktop.

  • Scroll down to the bottom of the page and click on SysProt.zip under the Attachments section to save the file.
  • Unzip it into a folder on your desktop and enter it, then double click on SysProt.exe to start the program.
  • Go to the Log tab and check (tick) all items listed in the Write to log box.
  • Check Hidden Objects Only at the bottom of the window too.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear. Select Scan root drive only and click Start.
  • When completed, you will be prompted showing the location of SysProtLog.txt, which is the same folder SysProt.exe was extracted to.
  • Post the contents of the log in your reply.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby Gramps » February 28th, 2010, 7:14 pm

Sorry for the delay, had to work today. Here's the log. Thanks for your time.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F216D000
Module End: F2185000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8CB9000
Module End: F8CBB000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\ACPI.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 82360F40
Hooking Module: _unknown_

******************************************************************************************
******************************************************************************************
Ports:
Local Address: DAN.DOMAIN.INVALID:4086
Remote Address: CASEY:NETBIOS-SSN
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.DOMAIN.INVALID:4085
Remote Address: CASEY:NETBIOS-SSN
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.DOMAIN.INVALID:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: DAN:5152
Remote Address: LOCALHOST:4076
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: DAN:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: DAN:4079
Remote Address: LOCALHOST:4078
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: DAN:4078
Remote Address: LOCALHOST:4079
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: DAN:4075
Remote Address: LOCALHOST:4074
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: DAN:4074
Remote Address: LOCALHOST:4075
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: DAN:1028
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: DAN:65533
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\services.exe
State: LISTENING

Local Address: DAN:3389
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: DAN:3383
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\services.exe
State: LISTENING

Local Address: DAN:2479
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\services.exe
State: LISTENING

Local Address: DAN:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: DAN:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: DAN.DOMAIN.INVALID:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAN.DOMAIN.INVALID:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: DAN.DOMAIN.INVALID:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: DAN.DOMAIN.INVALID:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAN:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAN:1034
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAN:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAN:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: DAN:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: DAN:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby melboy » March 1st, 2010, 1:44 pm

Gramps wrote: Sorry for the delay, had to work today. Here's the log. Thanks for your time.


You're welcome and no problem - I have a day job too!



SystemLook

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield (Do not include Code:) :
    Code: Select all
    :filefind
    *acpi*
    :file
    C:\WINDOWS\system32\drivers\ACPI.sys
     

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



MBR Rootkit Detector

Please download MBR.exe by GMER
Be sure to download it to the root of your drive, e.g. C:\MBR.exe


Once the download has finished, click Start > Run. Copy and paste the contents of the codebox below into the run box (Do Not include Code:), then click OK :
Code: Select all
\mbr

A log will be generated called MBR.txt. Post it in your next reply.



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Select Perform Quick scan, then click on Scan
  • When the scan is complete, click OK. If Items are found, then click Show Results to view the results.
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.


In your next reply:
  1. MBAM log
  2. SystemLook.txt
  3. MBR.txt
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby Gramps » March 1st, 2010, 2:53 pm

I ran them all. Here are the 3 logs. Thanks again for your time, I really appreciate it. Gramps

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:09 on 01/03/2010 by dad (Administrator - Elevation successful)

========== filefind ==========

Searching for "*acpi*"
C:\WINDOWS\inf\acpi.inf --a--- 4727 bytes [21:05 03/08/2004] [21:05 03/08/2004] 51FE7D176D893D40FE7A4036B2D9C982
C:\WINDOWS\inf\acpi.PNF --a--- 12512 bytes [21:20 10/04/2009] [07:10 11/04/2009] 37AF1C0EB117E02663F23E94683F7860
C:\WINDOWS\ServicePackFiles\i386\acpi.inf ------ 4727 bytes [07:32 11/04/2009] [21:05 03/08/2004] 51FE7D176D893D40FE7A4036B2D9C982
C:\WINDOWS\ServicePackFiles\i386\acpi.sys ------ 187776 bytes [07:32 11/04/2009] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
C:\WINDOWS\ServicePackFiles\i386\halaacpi.dll ------ 131840 bytes [07:32 11/04/2009] [18:31 13/04/2008] 6F61D3287A6A15A08A9433222C09D17F
C:\WINDOWS\ServicePackFiles\i386\halacpi.dll ------ 81152 bytes [07:32 11/04/2009] [18:31 13/04/2008] C4BA879B581BE34536FE01F79AC28631
C:\WINDOWS\ServicePackFiles\i386\halmacpi.dll ------ 134400 bytes [07:32 11/04/2009] [18:31 13/04/2008] 4329EE7D502C9113EBA0F9570392F5EE
C:\WINDOWS\ServicePackFiles\i386\wmiacpi.sys ------ 8832 bytes [07:33 11/04/2009] [18:36 13/04/2008] C42584FD66CE9E17403AEBCA199F7BDB
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\acpi.sys --a--- 187776 bytes [21:37 20/02/2010] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\halaacpi.dll --a--- 131840 bytes [21:37 20/02/2010] [18:31 13/04/2008] 6F61D3287A6A15A08A9433222C09D17F
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\halacpi.dll --a--- 81152 bytes [21:37 20/02/2010] [18:31 13/04/2008] C4BA879B581BE34536FE01F79AC28631
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\halmacpi.dll --a--- 134400 bytes [21:37 20/02/2010] [18:31 13/04/2008] 4329EE7D502C9113EBA0F9570392F5EE
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wmiacpi.sys --a--- 8832 bytes [21:38 20/02/2010] [18:36 13/04/2008] C42584FD66CE9E17403AEBCA199F7BDB
C:\WINDOWS\system32\drivers\acpi.sys --a--- 187776 bytes [22:07 03/08/2004] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
C:\WINDOWS\system32\drivers\acpiec.sys --a--- 11648 bytes [12:00 23/08/2001] [12:00 23/08/2001] 9859C0F6936E723E4892D7141B1327D5

========== file ==========

C:\WINDOWS\system32\drivers\ACPI.sys - File found and opened.
MD5: 8FD99680A539792A30E97944FDAECF17
Created at 22:07 on 03/08/2004
Modified at 18:36 on 13/04/2008
Size: 187776 bytes
Attributes: --a---
FileDescription: ACPI Driver for NT
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion: 5.1.2600.5512
OriginalFilename: ACPI.sys
InternalName: ACPI.sys
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-=End Of File=-

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x82360f40
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x82485330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FC7C80
malicious code @ sector 0x06FC7C83 !
PE file found in sector at 0x06FC7C99 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Malwarebytes' Anti-Malware 1.44
Database version: 3809
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/1/2010 12:42:20 PM
mbam-log-2010-03-01 (12-42-20).txt

Scan type: Quick Scan
Objects scanned: 115704
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm
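The SystemLook filefind step in this post is a hash comparison: the MD5 of the driver the kernel actually loads from system32\drivers is set beside the copies Windows keeps in ServicePackFiles and SoftwareDistribution, and in the log above all three copies of acpi.sys carry the same hash. The script below is an added example for this thread, not part of the original post or of SystemLook, that automates that comparison over filefind output with the layout shown above. The acpi.sys lines are taken from the posted log; the two example.sys lines and their placeholder hashes are constructed to show what a mismatch looks like.

```python
"""Cross-check SystemLook 'filefind' hashes: live driver vs. Windows' backup copies.

Added example for this thread; not part of SystemLook or the original post.
It assumes filefind result lines have the layout shown in the log above:
<path> <attributes> <size> bytes [<timestamp>] [<timestamp>] <MD5>
"""
import ntpath
import re
from collections import defaultdict

FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Directory the kernel loads the driver from; copies elsewhere (ServicePackFiles,
# SoftwareDistribution, dllcache) are reference material to compare against.
LIVE_DRIVER_DIR = r"c:\windows\system32\drivers"

# The acpi.sys lines are taken from the SystemLook log posted above. The two
# example.sys lines are CONSTRUCTED, with placeholder hashes, to show a mismatch.
SAMPLE_LOG = r"""
Searching for "*acpi*"
C:\WINDOWS\ServicePackFiles\i386\acpi.sys ------ 187776 bytes [07:32 11/04/2009] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\acpi.sys --a--- 187776 bytes [21:37 20/02/2010] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
C:\WINDOWS\system32\drivers\acpi.sys --a--- 187776 bytes [22:07 03/08/2004] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
C:\WINDOWS\ServicePackFiles\i386\example.sys ------ 4096 bytes [07:32 11/04/2009] [18:36 13/04/2008] 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\example.sys --a--- 4096 bytes [22:07 03/08/2004] [18:36 13/04/2008] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
""".strip()


def parse_filefind(text):
    """Return one dict per filefind result line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entry["name"] = ntpath.basename(entry["path"]).lower()  # ntpath handles \ on any OS
        entries.append(entry)
    return entries


def is_live_copy(path):
    """True for the copy under system32\\drivers, the one that actually gets loaded."""
    return ntpath.dirname(path).lower() == LIVE_DRIVER_DIR


def compare_driver_copies(entries):
    """Group entries by file name and compare the live copy's MD5 with every backup.

    Returns {name: {"live": md5 or None, "backups": [md5, ...], "mismatch": bool}}.
    """
    grouped = defaultdict(lambda: {"live": None, "backups": set()})
    for e in entries:
        slot = grouped[e["name"]]
        if is_live_copy(e["path"]):
            slot["live"] = e["md5"]
        else:
            slot["backups"].add(e["md5"])
    report = {}
    for name, slot in grouped.items():
        backups = sorted(slot["backups"])
        mismatch = slot["live"] is not None and any(b != slot["live"] for b in backups)
        report[name] = {"live": slot["live"], "backups": backups, "mismatch": mismatch}
    return report


def mismatched_drivers(text):
    """Names of files whose live copy differs from at least one backup copy."""
    report = compare_driver_copies(parse_filefind(text))
    return sorted(name for name, r in report.items() if r["mismatch"])


if __name__ == "__main__":
    for name, r in sorted(compare_driver_copies(parse_filefind(SAMPLE_LOG)).items()):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{name:12} live={r['live']} backups={r['backups']} -> {flag}")
```

A matching hash only shows that the file on disk has not been altered; it says nothing about the driver's dispatch table once it is in memory. That is exactly the situation in this post: every copy of ACPI.sys agrees, yet the MBR.exe output in the same post reports a hook on \Driver\ACPI, so a clean hash result is a reason to look at the MBR and in-memory hooks rather than to stop.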

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby melboy » March 1st, 2010, 6:02 pm

Hi Gramps


RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program



Run a batch file

  • Open NOTEPAD and copy/paste the text in the codebox below into it (Do not include Code:)
Code: Select all
net user HelpAssistant>%temp%\temp0
start notepad %temp%\temp0
exit
cls

  • Save this as Helpass.bat Choose to "Save type as - All Files" and save it to your desktop.
  • It should look like this: [screenshot]
  • Double click the Helpass.bat and post the log it produces.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby Gramps » March 1st, 2010, 6:32 pm

RootRepeal gave me an error message.
17:00:21: DeviceIoControl Error! Error Code = 0xc000009a
17:00:21: Could not read system registry! Please contact the author!
I posted what it gave me.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/01 16:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF11DC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C95000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0D63000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\Documents and Settings\dad\Local Settings\Temp\plugtmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82361228 Size: 141

==EOF==


User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 3/1/2010 12:32 PM
Password expires Never
Password changeable 3/1/2010 12:32 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/1/2010 12:32 PM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
Last edited by Gramps on March 1st, 2010, 7:15 pm, edited 1 time in total.
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby melboy » March 1st, 2010, 7:14 pm

Hi Gramps

No need to run RootRepeal again - I've seen what I needed to see.

Let me check something and I'll get back to you.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby melboy » March 1st, 2010, 7:33 pm

Hi Gramps


Profiles

Please download Profiles.exe by Noahdfear and save it to your desktop.

  • Double click Profiles.exe to run the tool
  • Notepad will open. Post the contents in your next reply.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby Gramps » March 1st, 2010, 7:49 pm

Here ya go


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1220945662-1060284298-682003330-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1220945662-1060284298-682003330-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\dad

SystemRoot REG_SZ C:\WINDOWS
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm
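The ProfileList dump above is what melboy asked for, and the line worth noticing is the HelpAssistant profile under the S-1-5-21-...-1000 key. As an added example (not noahdfear's Profiles.exe and not part of the thread), here is a small Python parser for that dump, with the dump itself copied from Gramps' post as the sample input. The rule that a HelpAssistant profile on a home PC is suspicious is my assumption, stated in the docstring.

```python
"""Parse the ProfileList dump from Profiles.exe and flag the HelpAssistant
profile. Added example, not noahdfear's tool; the sample below is the
dump Gramps posted (minus the two non-SID values), and the rule that a
HelpAssistant profile is suspicious is my assumption."""
import re

PROFILES_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1220945662-1060284298-682003330-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1220945662-1060284298-682003330-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\dad
"""

# A key line ends in ProfileList\<SID>; the value line that follows it
# carries the profile directory.
_KEY = re.compile(r"\\ProfileList\\(S-1-5-[0-9-]+)$")
_PATH = re.compile(r"^ProfileImagePath\s+REG_EXPAND_SZ\s+(.+)$")


def parse_profile_list(text):
    """Return {SID: ProfileImagePath}; a path line belongs to the most
    recent ProfileList\\<SID> key above it."""
    profiles, sid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key, path = _KEY.search(line), _PATH.match(line)
        if key:
            sid = key.group(1)
        elif path and sid:
            profiles[sid] = path.group(1)
    return profiles


def helpassistant_profiles(profiles):
    """Windows creates a ProfileList entry the first time an account's
    profile is loaded, i.e. on its first logon. HelpAssistant exists only
    to carry Remote Assistance sessions, so on a home PC that has never
    used Remote Assistance a profile for it (here under the
    S-1-5-21-...-1000 key) means something has logged on as that account.
    Assumption: treat any such entry as worth explaining."""
    return sorted((sid, path) for sid, path in profiles.items()
                  if path.rsplit("\\", 1)[-1].lower() == "helpassistant")
```

Run it on a dump saved from Profiles.exe and the one returned pair is the entry the rest of the thread goes on to remove; a clean list comes back empty.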

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby melboy » March 2nd, 2010, 3:41 am

Hi Gramps


You're doing great. Read through the instructions below carefully. Any questions, just ask.



HelpAsst mebroot fix

Download HelpAsst_mebroot_fix.exe by noahdfear and save it to your desktop.

  • Double click HelpAsst_mebroot_fix.exe to run the tool.
  • When the tool completes it will inform you that HelpAssistant was successfully removed, or it may require a reboot.

Whether or not the tool requires a reboot, go to Start > Run and copy/paste the following into the Run box (do not include "Code:"). If the tool does need a reboot, do this before rebooting.
Code:
\MBR -f


Reboot


After Reboot run the following batch files.


MBR Look

  • Open Notepad and copy/paste the text in the code box below into it (do not include "Code:")
Code:
@echo off
rem keep the previous mbr.log under another name so it is not overwritten
Ren C:\mbr.log mbrold.log
rem run Gmer's mbr.exe from the root of the drive and open the log it writes
\mbr.exe -t
start mbr.log
rem the batch file removes itself when done
del %0

  • Save this as MBRlook.bat. Choose "Save type as - All Files" and save it to your desktop.
  • It should look like this: (screenshot)
  • Double click the MBRlook.bat and post the log it produces.


Also:


Re-Run Helpass.bat (you should still have this on your desktop), and post the log it produces.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby Gramps » March 2nd, 2010, 1:22 pm

Here are the logs. Thanks again and have a great day.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC7C80
malicious code @ sector 0x06FC7C83 !
PE file found in sector at 0x06FC7C99 !

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 3/1/2010 12:32 PM
Password expires Never
Password changeable 3/1/2010 12:32 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/1/2010 12:32 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm
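The two logs Gramps posted here, read next to the `net user HelpAssistant` output in the earlier RootRepeal post, show the before and after of the fix: the account goes from enabled and in Administrators to disabled with no group, while mbr.exe now reports "user & kernel MBR OK" yet still finds a copy of the MBR with malicious code in a hidden sector. As an added example (not a MalwareRemoval.com tool, not noahdfear's HelpAsst_mebroot_fix, and not part of the thread), here is a Python triage script that parses both kinds of output and states those findings. The sample text is trimmed from the posted logs; the field list and the verdict rules are assumptions of mine.

```python
"""Triage the two indicators this thread turns on: a HelpAssistant
account that is enabled and sitting in Administrators, and Gmer's mbr.exe
finding a copy of the MBR with malicious code in a hidden sector.
Added example, not a MalwareRemoval.com or noahdfear tool. Samples are
trimmed from the posted logs; field list and verdict rules are assumptions."""
import re

# `net user HelpAssistant` before and after the fix (only the fields the
# findings use are kept; the parser accepts the full output as well).
NET_USER_BEFORE = """\
User name                    HelpAssistant
Account active               Yes
Last logon                   3/1/2010 12:32 PM
Local Group Memberships      *Administrators
Global Group memberships     *None
"""
NET_USER_AFTER = """\
User name                    HelpAssistant
Account active               No
Last logon                   3/1/2010 12:32 PM
Local Group Memberships
Global Group memberships     *None
"""

# Field names printed by `net user <name>` on XP, matched as prefixes so the
# parser works on aligned output and on the flattened copy the forum shows.
_FIELDS = sorted((
    "User name", "Full Name", "Comment", "User's comment", "Country code",
    "Account active", "Account expires", "Password last set", "Password expires",
    "Password changeable", "Password required", "User may change password",
    "Workstations allowed", "Logon script", "User profile", "Home directory",
    "Last logon", "Logon hours allowed", "Local Group Memberships",
    "Global Group memberships"), key=len, reverse=True)


def _groups(value):
    """'*Administrators *Users' -> ['Administrators', 'Users']; '*None' -> []"""
    return [g.strip() for g in value.split("*") if g.strip() not in ("", "None")]


def parse_net_user(text):
    """Return {field: value}; the two membership fields become lists."""
    info, group_field = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        field = next((f for f in _FIELDS if line.startswith(f)), None)
        if field is None:
            if line.startswith("*") and group_field:    # wrapped group row
                info[group_field] += _groups(line)
            continue
        if field.endswith("emberships"):
            info[field], group_field = _groups(line[len(field):]), field
        else:
            info[field] = line[len(field):].strip()
    return info


def helpassistant_findings(info):
    """HelpAssistant exists only for Remote Assistance sessions, is disabled
    by default and is never an administrator, so each of these is abnormal."""
    findings = []
    if info.get("Account active") == "Yes":
        findings.append("account enabled")
    if "Administrators" in info.get("Local Group Memberships", []):
        findings.append("member of Administrators")
    if info.get("Last logon") not in (None, "Never"):
        findings.append("logon recorded at " + info["Last logon"])
    return findings


# mbr.exe -t output from the MBRlook.bat run, after the fix had rewritten
# the boot sector.
MBR_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC7C80
malicious code @ sector 0x06FC7C83 !
PE file found in sector at 0x06FC7C99 !
"""

# One named group per kind of sector report; m.lastgroup tells which fired.
_SECTOR = re.compile(r"copy of MBR has been found in sector (?P<mbr_copy>0x[0-9A-F]+)"
                     r"|malicious code @ sector (?P<malicious_code>0x[0-9A-F]+)"
                     r"|PE file found in sector at (?P<pe_file>0x[0-9A-F]+)", re.I)


def parse_mbr_log(text):
    """mbr_ok is True only when the tool printed its OK line, i.e. the MBR
    read through the normal path matches the one read beneath the disk
    stack; Mebroot filters the former to hide itself, so an active
    infection makes them differ. sectors lists leftover rootkit data."""
    summary = {"mbr_ok": "user & kernel MBR OK" in text, "sectors": {}}
    for m in _SECTOR.finditer(text):
        summary["sectors"][m.lastgroup] = int(m.group(m.lastgroup), 16)
    return summary


def mbr_verdict(summary):
    if not summary["mbr_ok"]:
        return "active MBR infection: user/kernel MBR mismatch"
    if summary["sectors"]:
        return "MBR clean but rootkit sectors remain"
    return "clean"
```

On the posted logs the account findings drop from three to one after the fix (the historic logon timestamp stays, since nothing rewrites it), and the MBR verdict is "MBR clean but rootkit sectors remain": the boot sector has been restored, but the hidden copy at 0x06FC7C80 and the PE file near it are still on disk, which is why the helper keeps going after the MBR itself reads OK.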