Hello km2357,
Here is the information as requested. I should also note that the gmer utility had only C: checked, so I just scanned the C: drive. But in case it is important, I have the drive partitioned, and when I ran a previous malware scanner, before coming here, it found something on the F: drive. Again, I just wanted to bring it up in case it is important. The gmer log below contains only the C: scan.
Thanks
Here's the Attach.txt:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/25/2006 9:40:16 PM
System Uptime: 5/27/2010 6:20:25 PM (0 hours ago)
Motherboard: Dell Inc. | | 0X8582
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 119 GiB total, 106.291 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 30 GiB total, 19.149 GiB free.
G: is FIXED (NTFS) - 298 GiB total, 245.665 GiB free.
==== Disabled Device Manager Items =============
Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 537EP V9x DF PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&28F0
Manufacturer: Intel Corporation
Name: Intel(R) 537EP V9x DF PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&28F0
Service: Modem
==== System Restore Points ===================
RP244: 3/4/2010 10:29:02 AM - System Checkpoint
RP245: 3/6/2010 4:12:28 AM - System Checkpoint
RP246: 3/7/2010 7:22:18 AM - System Checkpoint
RP247: 3/14/2010 1:26:14 AM - System Checkpoint
RP248: 3/15/2010 9:51:21 AM - System Checkpoint
RP249: 3/20/2010 11:41:52 AM - System Checkpoint
RP250: 3/26/2010 10:21:52 PM - System Checkpoint
RP251: 3/28/2010 10:11:03 AM - System Checkpoint
RP252: 3/29/2010 10:21:10 AM - System Checkpoint
RP253: 3/31/2010 7:25:38 AM - System Checkpoint
RP254: 4/1/2010 7:36:08 AM - System Checkpoint
RP255: 4/2/2010 9:10:03 AM - System Checkpoint
RP256: 4/3/2010 9:29:09 AM - System Checkpoint
RP257: 4/4/2010 10:46:38 AM - System Checkpoint
RP258: 4/6/2010 7:37:40 AM - System Checkpoint
RP259: 4/7/2010 8:57:11 AM - System Checkpoint
RP260: 4/8/2010 11:58:35 AM - System Checkpoint
RP261: 4/10/2010 8:12:56 AM - System Checkpoint
RP262: 4/11/2010 10:29:18 AM - System Checkpoint
RP263: 4/12/2010 11:02:28 AM - System Checkpoint
RP264: 4/14/2010 8:10:44 AM - System Checkpoint
RP265: 4/15/2010 8:17:14 AM - System Checkpoint
RP266: 4/16/2010 8:23:08 AM - System Checkpoint
RP267: 4/17/2010 8:31:18 AM - System Checkpoint
RP268: 4/18/2010 9:08:28 AM - System Checkpoint
RP269: 4/19/2010 9:21:30 AM - System Checkpoint
RP270: 4/20/2010 9:32:49 AM - System Checkpoint
RP271: 4/21/2010 9:51:09 AM - System Checkpoint
RP272: 4/23/2010 7:11:59 AM - System Checkpoint
RP273: 4/24/2010 7:59:11 AM - System Checkpoint
RP274: 4/25/2010 8:00:29 AM - System Checkpoint
RP275: 4/27/2010 7:59:25 AM - System Checkpoint
RP276: 4/28/2010 10:15:13 AM - System Checkpoint
RP277: 5/1/2010 12:52:01 AM - System Checkpoint
RP278: 5/2/2010 7:56:56 AM - System Checkpoint
RP279: 5/3/2010 10:20:37 AM - System Checkpoint
RP280: 5/5/2010 8:33:43 AM - System Checkpoint
RP281: 5/9/2010 8:04:02 AM - System Checkpoint
RP282: 5/10/2010 8:11:10 AM - System Checkpoint
RP283: 5/12/2010 10:02:23 AM - System Checkpoint
RP284: 5/16/2010 9:11:56 AM - System Checkpoint
RP285: 5/17/2010 10:05:39 AM - System Checkpoint
RP286: 5/19/2010 8:03:07 AM - System Checkpoint
RP287: 5/21/2010 8:25:40 AM - System Checkpoint
RP288: 5/23/2010 6:18:51 AM - System Checkpoint
RP289: 5/24/2010 6:41:55 AM - System Checkpoint
RP290: 5/24/2010 10:47:08 AM - Installed D-Link Wireless N DWA-130
RP291: 5/24/2010 10:47:15 AM - Installed ANIO Service
RP292: 5/24/2010 10:47:28 AM - Installed ANIWZCS2 Service
RP293: 5/25/2010 8:54:05 PM - Restore Operation
RP294: 5/25/2010 9:47:31 PM - Installed D-Link Wireless N DWA-130
RP295: 5/25/2010 9:47:37 PM - Installed ANIO Service
RP296: 5/25/2010 9:47:50 PM - Installed ANIWZCS2 Service
RP297: 5/25/2010 11:00:38 PM - Removed ANIWZCS2 Service
RP298: 5/25/2010 11:00:55 PM - Removed ANIO Service
RP299: 5/25/2010 11:01:06 PM - Removed D-Link Wireless N DWA-130
RP300: 5/25/2010 11:06:00 PM - Installed D-Link Wireless N DWA-130
RP301: 5/25/2010 11:06:09 PM - Installed ANIO Service
RP302: 5/25/2010 11:06:23 PM - Installed ANIWZCS2 Service
RP303: 5/25/2010 11:12:05 PM - Restore Operation
RP304: 5/25/2010 11:41:36 PM - Installed AVG 9.0
RP305: 5/26/2010 7:14:27 PM - Installed D-Link Wireless N DWA-130
RP306: 5/26/2010 7:14:55 PM - Installed ANIWZCS2 Service
RP307: 5/26/2010 7:19:49 PM - Removed AVG 9.0
RP308: 5/26/2010 7:20:50 PM - Installed AVG 9.0
RP309: 5/26/2010 7:27:42 PM - Removed ANIWZCS2 Service
RP310: 5/26/2010 7:28:00 PM - Removed ANIO Service
RP311: 5/26/2010 7:28:12 PM - Removed D-Link Wireless N DWA-130
RP312: 5/26/2010 10:37:27 PM - avast! Free Antivirus Setup
==== Installed Programs ======================
Apple Software Update
ATI Display Driver
avast! Free Antivirus
Comcast High-Speed Internet Install Wizard
D-Link Wireless N DWA-130
Digidesign Pro Tools® LE 6.9
Digidesign Shared Plug-Ins
Eqium Demo
Firium Demo
HijackThis 2.0.2
IK Digidesign Bundle
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
iZotope Trash 1.06
Live Digidesign Edition 2.1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.3)
Neodynium Demo
Nero 7 Ultra Edition
PACE System Files
PartitionMagic
PowerQuest PartitionMagic 8.0
QuickTime
Reason 4.0.1
Reason Adapted for Digidesign 2.5
Switch Sound File Converter
Synful Orchestra DXi/VSTi v2.0
Update for Windows XP (KB911164)
Waves Diamond Bundle v5.0
WebFldrs XP
==== Event Viewer Messages From Past Week ========
5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Wireless Zero Configuration service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Shell Hardware Detection service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7000] - The Wireless Zero Configuration service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/26/2010 7:50:36 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/26/2010 7:50:36 PM, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/26/2010 7:50:36 PM, error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/26/2010 7:49:27 PM, error: ipnathlp [31012] - The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Time service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Management Instrumentation service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the System Restore Service service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Server service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Secondary Logon service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Network Connections service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Logical Disk Manager service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Help and Support service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Fast User Switching Compatibility service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Error Reporting Service service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Distributed Link Tracking Client service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ Event System service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic Updates service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7001] - The Security Center service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The System Restore Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Logical Disk Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Help and Support service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Fast User Switching Compatibility service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Distributed Link Tracking Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/25/2010 8:53:28 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/25/2010 11:02:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Workstation service to connect.
5/25/2010 11:02:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Audio service to connect.
5/25/2010 11:02:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Cryptographic Services service to connect.
5/25/2010 11:02:41 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 11:02:41 PM, error: Service Control Manager [7000] - The Workstation service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 11:02:41 PM, error: Service Control Manager [7000] - The Windows Audio service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 11:02:41 PM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
==== End Of File ===========================
Here is the DDS text:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Andy at 18:31:30.76 on Thu 05/27/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.735 [GMT -7:00]
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andy\Desktop\dds.scr
============== Pseudo HJT Report ===============
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/sh ... wflash.cab
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\fnsulyyz.default\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-11-26 15872]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-26 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-26 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-26 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-26 40384]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-11-26 74752]
S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [2010-5-24 439680]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2006-11-25 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2006-11-25 69680]
=============== Created Last 30 ================
2010-05-27 06:17:42 0 d-----w- c:\program files\Trend Micro
2010-05-27 05:37:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-27 03:36:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 03:36:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-27 02:14:06 0 d-----w- c:\windows\system32\ReinstallBackups
2010-05-26 06:41:59 0 d-----w- c:\program files\AVG
2010-05-26 06:12:24 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-26 06:06:55 3284 ----a-w- c:\windows\system32\ANIWZCS{39A8FA5B-D7AE-4288-A4F4-CEEB59F9321A}
2010-05-26 06:06:43 143360 ----a-w- c:\windows\system32\ANIWConnService(2)(2).exe
2010-05-26 06:06:37 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{39A8FA5B-D7AE-4288-A4F4-CEEB59F9321A}
2010-05-26 04:56:35 0 d-----w- c:\program files\Mozilla Firefox(2)
2010-05-26 04:51:00 0 d-s---w- c:\documents and settings\andy\UserData
2010-05-26 04:49:18 3284 ----a-w- c:\windows\system32\ANIWZCS{553FEE6C-F93B-4BCE-9EA8-B46CDCD824F3}
2010-05-26 04:48:05 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{553FEE6C-F93B-4BCE-9EA8-B46CDCD824F3}
2010-05-25 16:26:19 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME
2010-05-24 17:49:07 3284 ----a-w- c:\windows\system32\ANIWZCS{6D27BB31-2114-4C59-A12F-9F046D965A3D}
2010-05-24 17:47:43 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{6D27BB31-2114-4C59-A12F-9F046D965A3D}
2010-05-24 17:47:09 200704 ----a-w- c:\windows\system32\ssleay32.dll
2010-05-24 17:47:09 1089536 ----a-w- c:\windows\system32\libeay32.dll
2010-05-24 17:46:37 439680 ----a-w- c:\windows\system32\drivers\RTL8192u.sys
2010-05-24 17:46:37 0 d-----w- c:\program files\D-Link
==================== Find3M ====================
2010-03-27 06:48:45 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-03-27 06:48:45 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
============= FINISH: 18:31:59.46 ===============
Here is the gmer scan log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-27 18:56:27
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Andy\LOCALS~1\Temp\pwlcqpod.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwClose [0xEF959C7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateKey [0xEF959B36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteKey [0xEF95A0EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteValueKey [0xEF95A014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDuplicateObject [0xEF95970C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenKey [0xEF959C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenProcess [0xEF95964C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenThread [0xEF9596B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwQueryValueKey [0xEF959D30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRenameKey [0xEF95A1B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRestoreKey [0xEF959CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwSetValueKey [0xEF959E70]
Code \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateProcessEx [0xEF966AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateSection [0xEF9668EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS ZwLoadDriver [0xEF966A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C30 80503830 4 Bytes JMP 54EF95A0
PAGE ntkrnlpa.exe!ZwLoadDriver 80582DFE 7 Bytes JMP EF966A28 \SystemRoot\System32\Drivers\aswSP.SYS
PAGE ntkrnlpa.exe!NtCreateSection 805A9DEE 7 Bytes JMP EF9668EE \SystemRoot\System32\Drivers\aswSP.SYS
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAEDA 5 Bytes JMP EF962536 \SystemRoot\System32\Drivers\aswSP.SYS
PAGE ntkrnlpa.exe!ObInsertObject 805C1810 5 Bytes JMP EF963EC2 \SystemRoot\System32\Drivers\aswSP.SYS
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CF966 7 Bytes JMP EF966ACA \SystemRoot\System32\Drivers\aswSP.SYS
? System32\Drivers\aswTdi.SYS The system cannot find the path specified. !
? System32\Drivers\aswSP.SYS The system cannot find the path specified. !
? System32\Drivers\Aavmker4.SYS The system cannot find the path specified. !
? System32\Drivers\aswFsBlk.SYS The system cannot find the path specified. !
? System32\Drivers\aswMon2.SYS The system cannot find the path specified. !
? System32\Drivers\aswRdr.SYS The system cannot find the path specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[488] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\svchost.exe[488] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00A7000A
.text C:\WINDOWS\System32\svchost.exe[488] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A5000C
.text C:\WINDOWS\System32\svchost.exe[488] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 01DF000A
.text C:\WINDOWS\System32\svchost.exe[488] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 01AD000A
.text C:\WINDOWS\Explorer.EXE[1504] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00AE000A
.text C:\WINDOWS\Explorer.EXE[1504] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[1504] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A0000C
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS
AttachedDevice \FileSystem\Fastfat \Fat DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS
---- EOF - GMER 1.0.15 ----