Ried, could you please point out where the rootkit infection is in the txt documents supplied. Here is a new DDS and Attach. Please analyze these and point out where the rootkit is. Thx. Could you please tell me what a dds.scr is and if I submitted all I need.
DDS (Version 1.0)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 28/01/2008 2:29:21 AM
System Uptime: 28/11/2008 7:30:49 AM (5 hours ago)
Motherboard: Acer | | Acadia
Processor: Intel(R) Celeron(R) CPU 540 @ 1.86GHz | uPGA-478 | 1862/133mhz
BIOS: Default System BIOS | ACRSYS - 1 | V1.21 | 08/11/2007 4:00:00 PM
==== Disk Partitions =========================
C: is FIXED (NTFS) - 51 GiB total, 14.758 GiB free.
D: is FIXED (NTFS) - 51 GiB total, 12.701 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP449: 27/11/2008 8:29:39 AM - Windows Update
RP451: 27/11/2008 1:48:34 PM - Avg8 Update
RP452: 28/11/2008 8:32:06 AM - Scheduled Checkpoint
==== Installed Programs ======================
32 Bit HP CIO Components Installer
3Com PC Digital WebCam Lite
3Com PC Digital WebCam Lite USB Device Driver
3Com Video Producer
AC-3 ACM Codec
ACDSee 32
Acer Arcade Deluxe
Acer Assist
Acer Crystal Eye webcam
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer Registration
Acer ScreenSaver
Acer Tour
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Reader 8.1.2
Adobe Shockwave Player 11
AIO_Scan
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
ArcSoft Camera Suite
ArcSoft PhotoBase 3
ArcSoft VideoImpression 1.6
µTorrent
AutoUpdate
avast! Antivirus
AVG Free 8.0
Bonjour
BufferChm
Compatibility Pack for the 2007 Office system
Copy
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX
DivX Player
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
Driver Detective
eSupportQFolder
F2100
F2100_doccd
F2100_Help
General File Splitter 2.0 build 601
Google Earth
Google Toolbar for Internet Explorer
HDAUDIO Soft Data Fax Modem with SmartCP
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
HP Customer Participation Program 9.0
HP Deskjet All-In-One Software 9.0
HP Imaging Device Functions 9.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Product Assistant
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPProductAssistant
HPSSupply
IncrediMail
Intel(R) Graphics Media Accelerator Driver
iPod for Windows 2006-06-28
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Just the Fax
Launch Manager
LightScribe 1.4.142.1
Map Button (Windows Live Toolbar)
MarketResearch
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
OpenOffice.org Installer 1.0
PhXTitanium
PowerProducer 3.72
PSSWCORE
QuickTime
Realtek High Definition Audio Driver
Safari
Scan
Security Update for CAPICOM (KB931906)
Shareaza 2.3.1.0
Skype™ 3.8
Smart Menus (Windows Live Toolbar)
SolutionCenter
Status
TeveoLive
The File Splitter 1.31
Toolbox
TrayApp
UnloadSupport
VideoToolkit01
WebReg
WinAVI MP4 Converter
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
WinRAR archiver
Yahoo! Toolbar
==== Event Viewer Messages ===================
22/11/2008 9:55:00 AM, Error: EventLog [6008] - The previous system shutdown at 9:52:47 AM on 22/11/2008 was unexpected.
26/11/2008 6:57:40 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
==== End Of File ===========================
DDS (Version 1.0) - NTFSx86
Run by Harry at 12:04:20.88 on 28/11/2008
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1013.232 [GMT -8:00]
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Users\Harry\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Harry\Downloads\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Psuedo HJT Report ===============
uStart Page = hxxp://en.ca.acer.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
mDefault_Page_URL = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyServer = proxy.library.ubc.ca:8000
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
TB: {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - c:\windows\system32\eDStoolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\play movie\PMVService.exe"
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~3.0_0\bin\ssv.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
TCP: {2AEC3DE6-CA55-4741-9B18-3F7B52AAA50A} = 4.2.2.2,4.2.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: eNetHook.dll,avgrsstx.dll
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2008-11-20 16:04 250 a------- c:\windows\gmer.ini
2008-11-20 09:08 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2008-11-20 07:32 147,456 a------- c:\windows\system32\Faultrep.dll
2008-11-20 07:32 125,952 a------- c:\windows\system32\wersvc.dll
2008-11-19 19:01 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2008-11-19 19:01 1,191,936 a------- c:\windows\system32\msxml3.dll
2008-11-19 19:01 1,334,272 a------- c:\windows\system32\msxml6.dll
2008-11-18 16:07 99 a------- c:\windows\WININIT.INI
2008-11-17 21:19 148,296 a---h--- c:\windows\system32\mlfcache.dat
2008-11-13 15:19 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2008-11-12 13:40 18,299 a------- c:\windows\system32\746backup.d
2008-11-12 08:52 29,192 a------- c:\windows\system32\drivers\ndisprot.sys
2008-11-12 08:52 <DIR> --dshr-- C:\resycled
2008-11-08 11:01 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-08 11:01 <DIR> --d----- c:\program files\iTunes
2008-11-08 11:01 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
==================== Find3M ====================
2008-11-14 15:44 <DIR> --d----- c:\users\harry\appdata\roaming\uTorrent
2008-11-12 13:41 17,709 a------- c:\windows\system32\718page.dat
2008-11-12 13:41 17,153 a------- c:\windows\system32\keys726.dat
2008-11-12 13:41 5,950 a------- c:\windows\system32\866_data.zip
2008-11-12 13:41 5,394 a------- c:\windows\system32\images875.zip
2008-11-12 13:41 4,401 a------- c:\windows\system32\uninstall2b4.bin
2008-11-12 13:41 3,845 a------- c:\windows\system32\701_data.bin
2008-11-12 13:41 3,288 a------- c:\windows\system32\709part.bin
2008-11-08 11:01 <DIR> --d----- c:\program files\iPod
2008-10-01 19:49 827,392 a------- c:\windows\system32\wininet.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-28 09:23 <DIR> --d----- c:\progra~2\PC Drivers HeadQuarters
2008-09-27 13:22 <DIR> --d----- c:\progra~2\IM
2008-09-27 13:20 <DIR> --d----- c:\progra~2\IncrediMail
2008-09-17 21:09 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2008-09-17 21:09 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2008-09-17 18:16 2,032,640 a------- c:\windows\system32\win32k.sys
2008-09-14 16:52 <DIR> --d----- c:\progra~2\Symantec
2008-09-14 12:56 141,228 a------- c:\windows\hpoins14.dat
2008-07-16 17:02 <DIR> --d----- c:\progra~2\WEBREG
2008-05-26 13:33 <DIR> --d----- c:\progra~2\avg8
2008-05-24 18:49 <DIR> --d----- c:\users\harry\appdata\roaming\Uniblue
2008-01-28 12:09 <DIR> --d----- c:\users\harry\appdata\roaming\Shareaza
2008-01-27 20:34 <DIR> --d----- c:\progra~2\Lavasoft
2008-01-27 13:53 <DIR> --d----- c:\progra~2\Pure Networks
2008-01-27 12:11 <DIR> --d----- c:\users\harry\appdata\roaming\Acer
2007-07-25 19:14 <DIR> --d----- c:\progra~2\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
2008-02-01 08:20 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-02-01 08:20 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-02-01 08:20 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 12:24.15 ===============