

New Trojan Downloader--Ate a bite from Symantec????



Postby AM1555 » Sun Jan 20, 2008 9:00 am

Hi:

I have been fighting with some type of "downloader" virus for a week (see logs below).
One day Symantec (v.9.0.1.1000) displayed its status window once, saying it quarantined a trojan.
Then the next day it happened a few more times, and only then did a window display a Symantec Email Proxy error... basically stating it's preventing some email being sent from my PC to an address I did not recognize.
BTW, the Symantec email proxy messages populate all over my screen very rapidly now--there may be 2-3 "bugs" working.
I also think the Symantec scanner may be bad, from info read on other forums--it doesn't seem to find the viruses or trojans as reported any more. To date, I have run many virus scanners--SuperAntivirus, AVG Anti-Spyware 7.5.1, BitDefender on-line scan, Spybot S&D 1.4, F-Prot, CCleaner, SpywareBlaster, Ad-Aware 1.6.
After running these programs, I still have the same problem with the messages filling up the display after boot. Note, I did install Kerio Firewall (v.2.1.5) and no more pop-up Email proxy messages with the Symantec banner across the top appear.
Here is my pc's log from ComboFix & HiJackThis.
It was running in NORMAL mode for these logs.
Your comments are very much appreciated.

Thank you,

Al

HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13, on 2008-01-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Alan\My Documents\VirusCheck\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - C:\Program Files\Helper\superfindout.dll
O2 - BHO: (no name) - {FC7FF7DC-C5F6-D3CA-D1F2-CD9E1FC437EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1987472687
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O20 - Winlogon Notify: efccdca - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10451 bytes

ComboFix Log

ComboFix 08-01-20.1 - Alan 2008-01-20 0:26:23.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1080 [GMT -6:00]
Running from: C:\Documents and Settings\Alan\Local Settings\Temporary Internet Files\Content.IE5\61IV4L05\ComboFix[1].exe
Command switches used :: and Settings\Alan\Local Settings\Temporary Internet Files\Content.IE5\61IV4L05\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\Program Files\Helper\superfindout.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-19 23:37 . 2008-01-19 23:37 <DIR> d-------- C:\Program Files\Kerio
2008-01-19 23:37 . 2002-04-15 12:28 102,912 --------- C:\WINDOWS\SYSTEM32\DRIVERS\FWDRV.SYS
2008-01-19 23:19 . 2008-01-19 23:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 23:19 . 2008-01-19 23:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 16:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 09:54 . 2008-01-18 09:54 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-01-18 09:54 . 2008-01-18 09:54 <DIR> d-------- C:\Program Files\FRISK Software
2008-01-18 09:54 . 2008-01-18 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
2008-01-18 09:54 . 2007-10-22 09:48 579,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\FStopW.sys
2008-01-18 08:17 . 2008-01-18 08:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-18 00:49 . 2008-01-18 00:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-18 00:49 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2008-01-17 22:55 . 2008-01-17 22:55 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Grisoft
2008-01-17 22:54 . 2008-01-17 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-17 22:54 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-01-17 22:41 . 2008-01-17 22:41 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-17 22:41 . 2008-01-17 22:41 <DIR> d-------- C:\Program Files\CCleaner
2008-01-17 20:45 . 2008-01-18 08:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-15 10:26 . 2008-01-15 10:26 58,880 --a------ C:\uxgq.exe
2008-01-15 10:26 . 54,764 C:\WINDOWS\SYSTEM32\dxdss.sys
2008-01-15 10:26 . 2008-01-15 10:26 2 --a------ C:\-1000312545
2008-01-15 10:25 . 2008-01-15 10:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA17
2008-01-04 15:59 . 2008-01-04 15:59 524,288 --a------ C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-01-04 15:59 . 2008-01-04 15:59 4,816 --a------ C:\WINDOWS\SYSTEM32\divxsm.tlb
2008-01-04 15:58 . 2008-01-04 15:58 3,596,288 --a------ C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-01-04 15:58 . 2008-01-04 15:58 1,044,480 --a------ C:\WINDOWS\SYSTEM32\libdivx.dll
2008-01-04 15:58 . 2008-01-04 15:58 200,704 --a------ C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-01-04 15:56 . 2008-01-04 15:56 156,992 --a------ C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-01-04 15:56 . 2008-01-04 15:56 12,288 --a------ C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-01-04 14:40 . 2008-01-04 14:40 <DIR> d-------- C:\Program Files\VTech
2008-01-04 14:09 . 2008-01-04 14:09 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\InstallShield
2007-12-28 23:00 . 2004-08-04 00:10 48,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\61883.sys
2007-12-28 23:00 . 2004-08-04 00:10 48,128 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\61883.sys
2007-12-28 23:00 . 2004-08-04 00:10 38,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avc.sys
2007-12-28 23:00 . 2004-08-04 00:10 38,912 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\avc.sys
2007-12-28 22:35 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\enum1394.sys
2007-12-28 22:35 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\enum1394.sys
2007-12-28 22:34 . 2004-08-04 00:10 61,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ohci1394.sys
2007-12-28 22:34 . 2004-08-04 00:10 61,056 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ohci1394.sys
2007-12-28 22:34 . 2004-08-04 00:10 53,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\1394bus.sys
2007-12-28 22:34 . 2004-08-04 00:10 53,248 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\1394bus.sys
2007-12-28 17:14 . 2007-12-28 17:14 <DIR> d-------- C:\Documents and Settings\Gabriela\Application Data\DivX
2007-12-26 22:32 . 2008-01-04 10:15 <DIR> d-------- C:\divx
2007-12-26 21:38 . 2007-12-26 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-26 21:20 . 2007-12-26 21:20 <DIR> d-------- C:\Program Files\Bonjour
2007-12-26 21:07 . 2007-12-26 21:07 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-26 18:50 . 2007-12-26 21:06 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Download Manager
2007-12-26 17:14 . 2007-12-26 17:14 <DIR> d-------- C:\WINDOWS\Progress Data
2007-12-24 16:42 . 2007-12-25 09:54 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\DivX
2007-12-24 16:39 . 2007-12-11 16:34 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2007-12-24 16:39 . 2007-12-11 16:34 120,056 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-12-24 16:39 . 2007-12-11 16:34 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-12-24 16:39 . 2007-12-11 16:34 9,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
2007-12-24 16:39 . 2007-12-11 16:34 9,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-12-24 16:38 . 2008-01-13 23:25 <DIR> d-------- C:\Program Files\DivX
2007-12-23 18:54 . 2007-12-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-23 18:51 . 2007-12-23 18:51 <DIR> d-------- C:\Program Files\SlySoft
2007-12-23 18:51 . 2007-12-23 18:53 24 ---hs---- C:\WINDOWS\S4E912AD9.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 05:44 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-20 05:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-18 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 06:44 --------- d-----w C:\Program Files\Symantec
2008-01-18 04:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 16:02 --------- d-----w C:\Program Files\Yahoo SiteBuilder
2008-01-15 16:25 --------- d-----w C:\Documents and Settings\Alan\Application Data\uTorrent
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2007-12-29 22:58 --------- d-----w C:\Program Files\Dell AIO Printer A940
2007-12-28 03:52 --------- d-----w C:\Program Files\uTorrent
2007-12-27 03:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-12-17 16:47 --------- d-----w C:\Program Files\Skype
2007-12-17 16:45 --------- d-----w C:\Documents and Settings\Alan\Application Data\Skype
2007-12-11 22:34 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 13:21 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-21 06:34 1649600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 09:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47 204800]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 16:00 86102]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-01 12:15 53248]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-09-20 08:35 94208]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-09-20 08:32 77824]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 08:36 114688]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 15:55 339968]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-29 19:24 77824]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-11-12 12:45 2250104]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 19:36 124232]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2007-10-24 14:28 1428064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-06 08:08:53 24576]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-31 23:00:00 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-31 23:00:00 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccdca]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\DRIVERS\FStopW.sys [2007-10-22 09:48]
R1 fwdrv;Kerio Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2002-04-15 12:28]
R2 FPAVServer;F-PROT Antivirus for Windows system;"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe" [2007-10-24 14:28]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

*Newly Created Service* - FWDRV
*Newly Created Service* - PERSFW
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 15:40:02 C:\WINDOWS\Tasks\Shortcut to Symantec LiveUpdate.job"
- C:\Documents and Settings\Alan\Desktop\Shortcut to Symantec LiveUpdate.lnk
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 00:33:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 0:35:43
ComboFix-quarantined-files.txt 2008-01-20 06:34:56
ComboFix2.txt 2008-01-18 23:10:14
.
2007-08-16 22:42:11 --- E O F ---

Postby Gecko » Sun Jan 20, 2008 1:10 pm

Hello AM1555, and welcome to our forum.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.
File::
C:\WINDOWS\SYSTEM32\dxdss.sys
C:\WINDOWS\SYSTEM32\dxdss.ini
C:\WINDOWS\SYSTEM32\dxdss.ini2
C:\-1000312545
C:\uxgq.exe
C:\uxgq.dll
C:\uxgq.bak
C:\WINDOWS\efccdca.dll
C:\WINDOWS\efccdca.bak
C:\WINDOWS\efccdca.bak2
Folder::
C:\WINDOWS\SYSTEM32\edcA17
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccdca]

Now drag then drop the CFScript file onto ComboFix.exe


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
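The reply above picks four artefacts out of the logs in the first post: an O20 Winlogon Notify entry (efccdca) whose path is a bare C:\WINDOWS\ rather than a DLL, and a burst of files created within a minute of each other on 2008-01-15 at 10:25-10:26 (uxgq.exe, dxdss.sys, C:\-1000312545 and the edcA17 folder), two of them sitting directly in the drive root. The Python below is an added example, not code from this thread, from HijackThis or from ComboFix. It parses lines in the two log formats quoted in the thread and applies the same reasoning mechanically, so the same triage can be repeated on another log. The sample lines are copied from the logs above; the two-minute window, the three-file minimum and the "file in the drive root" rule are assumptions chosen for this example, not rules the reply states.

```python
import re
from datetime import datetime, timedelta

# HijackThis lines copied from the log in the first post of this thread.
HJT_SAMPLE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {FC7FF7DC-C5F6-D3CA-D1F2-CD9E1FC437EB} - (no file)
O20 - Winlogon Notify: efccdca - C:\WINDOWS\
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# ComboFix "Files Created" lines copied from the same post (a subset).
CF_SAMPLE = r"""
2008-01-15 10:26 . 2008-01-15 10:26 58,880 --a------ C:\uxgq.exe
2008-01-15 10:26 . 54,764 C:\WINDOWS\SYSTEM32\dxdss.sys
2008-01-15 10:26 . 2008-01-15 10:26 2 --a------ C:\-1000312545
2008-01-15 10:25 . 2008-01-15 10:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA17
2008-01-04 15:59 . 2008-01-04 15:59 524,288 --a------ C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-01-04 15:59 . 2008-01-04 15:59 4,816 --a------ C:\WINDOWS\SYSTEM32\divxsm.tlb
2008-01-04 15:58 . 2008-01-04 15:58 3,596,288 --a------ C:\WINDOWS\SYSTEM32\qt-dx331.dll
2007-12-23 18:51 . 2007-12-23 18:51 <DIR> d-------- C:\Program Files\SlySoft
"""

# "O<n> - <kind>: <name> - ... - <target>"; the target is the last " - " field.
HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


def triage_hjt(text):
    """Return (section, name, reason) for HijackThis entries worth a second look."""
    findings = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, _kind, rest = m.groups()
        name = rest.split(" - ", 1)[0]
        target = rest.rsplit(" - ", 1)[-1]
        if target == "(no file)" or target.endswith("(file missing)"):
            findings.append((section, name,
                             "registered component has no file on disk (orphaned or already removed)"))
        elif section == "O20" and not target.lower().endswith(".dll"):
            # Winlogon Notify packages are loaded by winlogon.exe at logon; a bare
            # directory instead of a DLL path is the pattern the reply acted on.
            findings.append((section, name,
                             "Winlogon Notify entry whose path is a directory, not a DLL"))
    return findings


# "<created> . <modified> <size> <attrs> <path>" with the fields after the
# creation stamp varying; the path is everything from the drive letter on.
CF_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. .*?([A-Za-z]:\\.*)$")
ROOT_FILE = re.compile(r"[A-Za-z]:\\[^\\]+")  # e.g. C:\uxgq.exe, nothing deeper


def parse_created(text):
    """(creation datetime, path) for each ComboFix 'Files Created' line, oldest first."""
    entries = []
    for line in text.strip().splitlines():
        m = CF_LINE.match(line)
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(2)))
    return sorted(entries, key=lambda e: e[0])


def suspicious_bursts(text, window=timedelta(minutes=2), min_files=3):
    """Group creations that fall within `window` of each other and report groups
    of at least `min_files` that include a file dropped straight into the drive root.
    Returns [(first creation time as text, [paths])]. Thresholds are assumptions."""
    groups, current = [], []
    for when, path in parse_created(text):
        if current and when - current[-1][0] > window:
            groups.append(current)
            current = []
        current.append((when, path))
    if current:
        groups.append(current)
    flagged = []
    for group in groups:
        paths = [p for _, p in group]
        if len(paths) >= min_files and any(ROOT_FILE.fullmatch(p) for p in paths):
            flagged.append((group[0][0].strftime("%Y-%m-%d %H:%M"), paths))
    return flagged


if __name__ == "__main__":
    for section, name, reason in triage_hjt(HJT_SAMPLE):
        print(f"{section:4} {name}: {reason}")
    for started, paths in suspicious_bursts(CF_SAMPLE):
        print(f"burst starting {started}:")
        for p in paths:
            print("   ", p)
```

On the sample, the DivX files created at 15:58-15:59 form a burst of the same size but are not reported, because a legitimate installer also writes many files in one minute; it is the combination of a tight cluster with files in the drive root that makes the 10:25-10:26 group stand out, and that combination should still be read as a prompt to look, not as a verdict.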

ComboFix log as requested

Postby AM1555 » Mon Jan 21, 2008 8:01 am

Hi Gecko:

PC is running in Normal mode with System Restore Off.
Downloaded ComboFix to my infected PC's desktop.
Dragged/dropped the text file with your script onto Combofix.exe.
It appeared to scan the PC twice--the second time various entries/files were deleted as displayed.
PC shut down, rebooted--I logged in.
Combofix ran at startup displaying "Find 3M" in the top border of its window--the window displayed the message "Preparing Log Report. Do not run any programs until Combofix has finished". This took a while--I have a few trial s/w programs that all put up their messages to buy/exit.
I have scanned this PC with at least 10 different "highly rated" virus scanners last week.
Let me know any comments. I am just getting up to speed on all the knowledge found on this forum.
Also, it would be interesting to know what might have been causing the noted problem--if possible, briefly explain if it was anything major (virus, trojan, etc). I have been downloading a bit from various p2p sites but always scan the files before loading/running.

Thank you very much for your help in advance.
Al.

ComboFix 08-01-20.1 - Alan 2008-01-21 0:27:33.5 - NTFSx86
Running from: C:\Documents and Settings\Alan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alan\Desktop\CFScripta.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\-1000312545
C:\uxgq.bak
C:\uxgq.dll
C:\uxgq.exe
C:\WINDOWS\efccdca.bak
C:\WINDOWS\efccdca.bak2
C:\WINDOWS\efccdca.dll
C:\WINDOWS\SYSTEM32\dxdss.ini
C:\WINDOWS\SYSTEM32\dxdss.ini2
C:\WINDOWS\SYSTEM32\dxdss.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1000312545
C:\Program Files\Helper
C:\Program Files\Helper\superfindout.dll
C:\uxgq.exe
C:\WINDOWS\SYSTEM32\dxdss.sys
C:\WINDOWS\SYSTEM32\edcA17

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-19 23:37 . 2008-01-19 23:37 <DIR> d-------- C:\Program Files\Kerio
2008-01-19 23:37 . 2002-04-15 12:28 102,912 --------- C:\WINDOWS\SYSTEM32\DRIVERS\FWDRV.SYS
2008-01-18 16:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 09:54 . 2008-01-18 09:54 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-01-18 09:54 . 2008-01-18 09:54 <DIR> d-------- C:\Program Files\FRISK Software
2008-01-18 09:54 . 2008-01-18 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
2008-01-18 09:54 . 2007-10-22 09:48 579,808 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\FStopW.sys
2008-01-18 08:17 . 2008-01-18 08:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-18 00:49 . 2008-01-18 00:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-18 00:49 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2008-01-17 22:55 . 2008-01-17 22:55 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Grisoft
2008-01-17 22:54 . 2008-01-17 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-17 22:54 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-01-17 22:41 . 2008-01-17 22:41 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-17 22:41 . 2008-01-17 22:41 <DIR> d-------- C:\Program Files\CCleaner
2008-01-17 20:45 . 2008-01-18 08:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-04 15:59 . 2008-01-04 15:59 524,288 --a------ C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-01-04 15:59 . 2008-01-04 15:59 4,816 --a------ C:\WINDOWS\SYSTEM32\divxsm.tlb
2008-01-04 15:58 . 2008-01-04 15:58 3,596,288 --a------ C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-01-04 15:58 . 2008-01-04 15:58 1,044,480 --a------ C:\WINDOWS\SYSTEM32\libdivx.dll
2008-01-04 15:58 . 2008-01-04 15:58 200,704 --a------ C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-01-04 15:56 . 2008-01-04 15:56 156,992 --a------ C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-01-04 15:56 . 2008-01-04 15:56 12,288 --a------ C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-01-04 14:40 . 2008-01-04 14:40 <DIR> d-------- C:\Program Files\VTech
2008-01-04 14:09 . 2008-01-04 14:09 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\InstallShield
2007-12-28 23:00 . 2004-08-04 00:10 48,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\61883.sys
2007-12-28 23:00 . 2004-08-04 00:10 48,128 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\61883.sys
2007-12-28 23:00 . 2004-08-04 00:10 38,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avc.sys
2007-12-28 23:00 . 2004-08-04 00:10 38,912 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\avc.sys
2007-12-28 22:35 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\enum1394.sys
2007-12-28 22:35 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\enum1394.sys
2007-12-28 22:34 . 2004-08-04 00:10 61,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ohci1394.sys
2007-12-28 22:34 . 2004-08-04 00:10 61,056 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ohci1394.sys
2007-12-28 22:34 . 2004-08-04 00:10 53,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\1394bus.sys
2007-12-28 22:34 . 2004-08-04 00:10 53,248 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\1394bus.sys
2007-12-28 17:14 . 2007-12-28 17:14 <DIR> d-------- C:\Documents and Settings\Gabriela\Application Data\DivX
2007-12-26 22:32 . 2008-01-04 10:15 <DIR> d-------- C:\divx
2007-12-26 21:38 . 2007-12-26 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-26 18:50 . 2007-12-26 21:06 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Download Manager
2007-12-26 17:14 . 2007-12-26 17:14 <DIR> d-------- C:\WINDOWS\Progress Data
2007-12-24 16:42 . 2007-12-25 09:54 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\DivX
2007-12-24 16:39 . 2007-12-11 16:34 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2007-12-24 16:39 . 2007-12-11 16:34 120,056 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-12-24 16:39 . 2007-12-11 16:34 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-12-24 16:39 . 2007-12-11 16:34 9,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
2007-12-24 16:39 . 2007-12-11 16:34 9,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2007-12-24 16:38 . 2008-01-13 23:25 <DIR> d-------- C:\Program Files\DivX
2007-12-23 18:54 . 2007-12-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-23 18:51 . 2007-12-23 18:51 <DIR> d-------- C:\Program Files\SlySoft
2007-12-23 18:51 . 2007-12-23 18:53 24 ---hs---- C:\WINDOWS\S4E912AD9.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 06:42 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-20 07:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-20 05:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-18 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-18 06:44 --------- d-----w C:\Program Files\Symantec
2008-01-18 04:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 16:02 --------- d-----w C:\Program Files\Yahoo SiteBuilder
2008-01-15 16:25 --------- d-----w C:\Documents and Settings\Alan\Application Data\uTorrent
2007-12-29 22:58 --------- d-----w C:\Program Files\Dell AIO Printer A940
2007-12-28 03:52 --------- d-----w C:\Program Files\uTorrent
2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-12-17 16:47 --------- d-----w C:\Program Files\Skype
2007-12-17 16:45 --------- d-----w C:\Documents and Settings\Alan\Application Data\Skype
2007-12-11 22:34 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_ 0.34.13.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 06:25:30 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 06:27:09 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 06:25:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 06:27:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 06:25:30 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 06:27:10 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 06:25:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 06:27:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 06:25:30 6,012,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-21 06:27:12 6,045,696 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-20 06:25:30 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 06:27:13 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 13:21 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-21 06:34 1649600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 09:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47 204800]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 16:00 86102]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-01 12:15 53248]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31 66680]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-09-20 08:35 94208]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-09-20 08:32 77824]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 08:36 114688]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 15:55 339968]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-29 19:24 77824]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-11-12 12:45 2250104]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 19:36 124232]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2007-10-24 14:28 1428064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-06 08:08:53 24576]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-31 23:00:00 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-31 23:00:00 51984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\DRIVERS\FStopW.sys [2007-10-22 09:48]
R1 fwdrv;Kerio Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2002-04-15 12:28]
R2 FPAVServer;F-PROT Antivirus for Windows system;"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe" [2007-10-24 14:28]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
S1 mp32;mp3 audio;C:\WINDOWS\system32\dxdss.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 15:40:02 C:\WINDOWS\Tasks\Shortcut to Symantec LiveUpdate.job"
- C:\Documents and Settings\Alan\Desktop\Shortcut to Symantec LiveUpdate.lnk
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 00:43:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 0:51:10 - machine was rebooted [Alan]
ComboFix-quarantined-files.txt 2008-01-21 06:50:34
ComboFix2.txt 2008-01-20 06:35:45
ComboFix3.txt 2008-01-18 23:10:14
.
2007-08-16 22:42:11 --- E O F ---

Postby Gecko » Mon Jan 21, 2008 12:38 pm

AM1555,

I need to see a new hijackthis log also please.

HJT log

Postby AM1555 » Mon Jan 21, 2008 7:16 pm

Ok.
Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 12:13, on 2008-01-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1987472687
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

HJT log above

Postby AM1555 » Tue Jan 22, 2008 7:51 pm

Hi Gecko:

How does the HJT log appear above?
Note, an exception report menu titled "Unhandled Exception" for the program aawservice.exe was displayed after booting my PC up today--the "crash report" was to be sent to Lavasoft for review, as the Send/Don't Send buttons were labeled (see report contents below).
Let me know any comments on the HJT report above or this info below.

Thank you very much,

AM1555


aawservice.exe has unfortunately experienced an unhandled exception and was foreced to close.
Please submit this error and we will endeavor to solve the problem as soon as possible.

Note: No other information than that in this text box will be sent to us.

An unhandled exception occured at 0x1005E760 in aawservice.exe

Exception Code : 0xc0000005
Client version : 0.669
Attached Debugger : 0

Windows Information :
---------------------
Windows Version : Windows XP (5.1)
Build Number : 2600
Service Pack : 2.0

CPU Information:
----------------
CPU Name : Intel(R) Pentium(R) 4 CPU 2.80GHz
Type : 0
Vendor : GenuineIntel
Family : 15
Extended Family : 0
Model : 3
Extended Model : 0
Stepping : 4

Registry Content:
-----------------
EAX : 0x050cfa20
ECX : 0x0127efd4
EDX : 0x050cfa22
EBX : 0x0127efb8
ESP : 0x0127ee54
EBP : 0x00000000
ESI : 0x0127ef90
EDI : 0x0508e6c8
EIP : 0x1005e760

Memory Usage:
-------------
Physical Memory in use : 17%
Total Physical Memory : 1570800 kb
Free Physical Memory : 1291448 kb
Total Virtual Memory : 2097024 kb
Free Virtual Memory : 1990448 kb
Max Page file size : 2206608 kb
Current Page file size : 2099696 kb
Free Extended memory : 0kb

Stack Information:
------------------
Total stack size : 4488

Stack Content:
--------------


System Activity:
----------------
Process 00000000: [System Process]
Module at 0x00400000: aawservice.exe
Module at 0x7c900000: ntdll.dll
Module at 0x7c800000: kernel32.dll
Module at 0x10000000: CEAPI.dll
Module at 0x77dd0000: ADVAPI32.dll
Module at 0x77e70000: RPCRT4.dll
Module at 0x77fe0000: Secur32.dll
Module at 0x004a0000: PKArchive84cb.dll
Module at 0x7c9c0000: SHELL32.dll
Module at 0x77f10000: GDI32.dll
Module at 0x7e410000: USER32.dll
Module at 0x77c10000: msvcrt.dll
Module at 0x77f60000: SHLWAPI.dll
Module at 0x774e0000: ole32.dll
Module at 0x77a80000: CRYPT32.dll
Module at 0x77b20000: MSASN1.dll
Module at 0x76f60000: WLDAP32.dll
Module at 0x76bf0000: PSAPI.DLL
Module at 0x77c00000: VERSION.dll
Module at 0x771b0000: WININET.dll
Module at 0x77120000: OLEAUT32.dll
Module at 0x00340000: Update.dll
Module at 0x71ad0000: WSOCK32.dll
Module at 0x71ab0000: WS2_32.dll
Module at 0x71aa0000: WS2HELP.dll
Module at 0x769c0000: USERENV.dll
Module at 0x76390000: IMM32.DLL
Module at 0x629c0000: LPK.DLL
Module at 0x74d90000: USP10.dll
Module at 0x773d0000: comctl32.dll
Module at 0x5d090000: comctl32.dll

Postby Gecko » Tue Jan 22, 2008 10:09 pm

AM1555,

aawservice.exe is part of Ad Aware:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

So you might have to uninstall Ad-Aware and then reinstall it.
There might be a couple of other programs that were affected by this infection also.
Just uninstall and reinstall them as well.

The only thing I see in your log that could be bad is Viewpoint; some say it's spyware/adware, some say it is not.
It's your option to keep it or uninstall it through the Control Panel, Add/Remove Programs.

Otherwise your log is clean.

How is it running?

Much Thanks

Postby AM1555 » Wed Jan 23, 2008 6:54 am

Hi Gecko:

My PC is running much better now.
I did zap Viewpoint using the Add/Remove program utility in XP.
The last major app loaded was Adobe Premiere Pro along with all the add-ons--I think there may have been some malware hidden with it--I thought I was downloading it from the main Adobe site at least.

Also, prior to getting your help, I turned off the firewall in XP & installed the Kerio firewall--it seems to slow processes down a bit, but better safe than sorry I guess--I also saw a similar throughput decrease when using the ZoneAlarm s/w firewall. Any comments on either product?

But,
Many thanks to you and/or your team here on this site. I am much more educated about various viruses & malware having read many other threads on the subject. Your site is great! I was dreading having to take the PC down to the local PC retail repair shop only to be told I would have to back up my data & reload my OS all over again.
Like my friends in Tampa at BTLS.com say....You are THE Man!

Re: Much Thanks

Postby Gecko » Thu Jan 24, 2008 1:41 am

AM1555 wrote: Also, prior to getting your help, I turned off the firewall in XP & installed the Kerio firewall--it seems to slow processes down a bit, but better safe than sorry I guess--I also saw a similar throughput decrease when using the ZoneAlarm s/w firewall. Any comments on either product?


I do not have first-hand knowledge of Kerio, so I really can't say anything about it.

ZoneAlarm, IMHO, has become bloatware; it's still a good product, but it's become more than just a firewall. All the extra features are what's slowing it down. As far as software firewalls go, it's one of the best.

I have read that the AVG firewall is also quite good, but it only comes bundled with their retail antivirus, spyware, firewall package.