DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 17:13:22.76 on Thu 10/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1598 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashQuick.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: CDNSCacheObj Object: {376892ae-1825-4e5f-9f85-23f9640051cc} - c:\windows\mplayerplgn.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File
TB: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4f07da45-8170-4859-9b5f-037ef2970034}: OA Shell Helper

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lh57mbe3.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-29 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-10-29 200784]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-10-29 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-10-29 29776]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-29 20560]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2007-8-8 12032]
S2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-10-29 1244360]
S2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-10-29 3184328]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2008-4-14 14336]
S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [2005-1-6 18048]

=============== Created Last 30 ================

2009-10-29 19:24:57 268435456 --sha-w- c:\windows\system32\temppf.sys
2009-10-29 19:07:53 0 d-----w- c:\docume~1\owner\applic~1\OnlineArmor
2009-10-29 19:07:53 0 d-----w- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-10-29 19:07:32 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2009-10-29 19:07:32 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2009-10-29 19:07:32 200784 ----a-w- c:\windows\system32\drivers\OADriver.sys
2009-10-29 19:07:31 0 d-----w- c:\program files\Tall Emu
2009-10-29 18:45:42 1302914412 ----a-w- c:\documents and settings\owner\Desktop.zip
2009-10-29 15:41:26 0 d-----w- c:\windows\pss
2009-10-29 01:18:04 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-10-29 01:17:58 1412459 ----a-w- c:\documents and settings\owner\merge.flv
2009-10-29 01:17:04 0 d-----w- c:\program files\Sourceforge
2009-10-28 16:13:17 0 d-----w- c:\program files\Unlocker
2009-10-28 01:35:20 0 d-----w- c:\program files\Defraggler
2009-10-26 04:57:30 0 ----a-w- c:\windows\win32k.sys
2009-10-25 07:12:42 0 d-----w- c:\program files\Ventrilo
2009-10-25 07:12:33 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-10-25 07:11:56 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-25 06:25:53 0 d-----w- c:\program files\Steam
2009-10-23 05:37:32 0 d-----w- c:\docume~1\owner\applic~1\quickhit.football.QHFootball.4D5206CA741FBF5FD6AAD1A97F5076E917382B34.1
2009-10-23 05:34:53 0 d-----w- c:\program files\Quick Hit
2009-10-23 05:34:29 0 d--h--w- c:\program files\Zero G Registry
2009-10-23 05:34:29 0 d-----w- c:\program files\Quick Hit Football
2009-10-23 05:34:26 0 d--h--w- c:\documents and settings\owner\InstallAnywhere
2009-10-21 01:29:42 0 d-----w- c:\windows\system32\SoftwareDistribution
2009-10-14 20:12:32 1435648 ------w- c:\windows\system32\dllcache\query.dll
2009-10-14 20:12:12 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-10-14 20:11:57 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-14 20:06:54 2189312 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-14 20:06:54 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-14 20:06:53 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-30 21:01:44 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-09-30 17:14:41 0 d-----w- C:\My Music
2009-09-30 15:21:35 69 ----a-w- c:\windows\NeroDigital.ini
2009-09-30 14:09:26 0 d-----w- c:\docume~1\owner\applic~1\AVS4YOU
2009-09-30 14:09:26 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU

==================== Find3M ====================

2009-10-21 01:03:26 66680 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-30 14:25:23 737280 ----a-w- c:\windows\iun6002.exe
2009-09-11 14:13:26 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:13:26 136704 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:03:23 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-09 21:47:06 5433520 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 22:47:50 2066176 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-04 13:54:30 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:17:52 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-07-14 18:31:20 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2009-05-20 15:31:00 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-05-20 15:31:00 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-05-20 15:31:00 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-05-20 15:31:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 17:13:30.96 ===============


I do not have a Windows Install disc nor a Boot CD. Tell me if I really, really need one though.

Did I follow protocol correctly?

I hope I haven't written wayyy too much information. If I did, I'm sorry, but you guys are smart, so I'm sure you'll be able to skim my post and find what you need. Thanks in advance for your help!!

Hi, guys. This problem began very recently. There are a couple things that I think could be the cause, but I really don't know, and I also don't know to exactly what extent the problem is.

The problem: avast! and Online Armor are not working properly. When I try to initiate them, I receive an error that reads, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." No other programs are behaving this way.

In addition, when I go to the control panel and click on Security Center, nothing happens. I was able to get Windows Firewall active via other methods though.

As far as I can tell, these are the only things that have been affected so far.

As you can see in ark.txt, it appears some threats were detected.

The "progress": Before I realized how serious this problem might be, I tried to do a few things on my own. I don't remember the exact order of events nor do I remember what happened when, but I'll speak to the best of my recollection.

I believe it was after trying for a while to no avail that I decided to restart my computer. If I remember correctly, this is when avast! alerted me that msa.exe was on my computer, and I told it to delete the program, but immediately afterward, I could no longer get avast! to do anything for me. The icon exists in the system tray, but when I try to click on it, it says, "The operation could not be completed." No explanation.

Sidenote—By contrast, Online Armor does not exist in the system tray, and if I reinstall it, it begins scanning but abruptly crashes and again becomes inaccessible. Both programs do exist in my processes list though.

Edit: I just re-checked, and it turns out that they don't both always show up in the process list. Right now, there's ashdisp.exe which is an avast! program but I don't think it's the main anti-virus part of it. Also, it's not showing up now, but earlier there was something like oaui.exe which I'm pretty sure is an Online Armor thing. It's probably not important, but I figured I should clarify.

So, I googled instructions on how to delete msa.exe. I followed them, including performing deletions on the registry while in Safe Mode. I then restarted and this time something similar happened: I was told b.exe was on my computer and so I told avast! to delete that too, and the same outcome occurred. I then googled instructions on how to get rid of that, and performed those tasks. As of now, I can't find anything in the registry nor elsewhere of b.exe nor msa.exe nor their cohorts.

Eventually, I was able to get avast! to agree to doing a scan on boot, which it did successfully. It found that I was infected with something like (I don't remember the name exactly) Malware Gen 32. It asked me if I wanted to delete. I said yes. It asked me to confirm since the file was in my Windows folder, and I confirmed.

The boot continued and here I am now, still unable to access avast! and Online Armor, even after having tried reinstalling them.

The possibilities: Below are more or less the only two things I could think of that could have caused this breach in security. If this is too much information, I apologize. Feel free to skip over it.

The first possibility I have in mind is the following: We have three computers on one wired router. My own computer is pretty good, but the one in the living room is rather slow, for a multitude of reasons I'm sure. I decided I'd try to speed it up, so one of the things I went to do was get a better defragger program (I picked UltraDefrag) which insisted that in order to use it on Vista (which the computer in the living room runs, SP2; I'm on XP SP3), you must disable UAC and sign the ultradefrag.sys driver.

I've used UltraDefrag before (on my XP machine) so I trusted these instructions (found here: hxxp://ultradefrag.sourceforge.net/handbook/installation.html#vista). It instructed that I, in order to sign the driver, download a certain program called ReadyDriver Plus (found here: hxxp://www.citadelindustries.net/readydriverplus/index.php). If memory serves, it was after I downloaded this program and began to install it that I was alerted there was a possible rootkit on my computer. I don't remember what software alerted me to this danger, but in any case, I aborted the installation and deleted both ReadyDriver Plus and UltraDefrag a short time later. That was 2-3 days ago and I thought nothing of it. I still sort of figured it was probably a false positive.

In any case, now my XP machine appears to be infected with something, and I'm trying to figure out if the Vista machine is too, but I'm not as concerned about that one at the moment (I'll disconnect it from the LAN if I have to).

Another, perhaps much more likely cause: I had been using uTorrent to download some files from a trusted private tracker as I've been doing for more than a year without a problem.

I always download these files to my second hard drive which used to have my OS on it. It still has the files from the OS but I no longer run XP off that drive. I decided I'd like to delete Windows from that drive, but I couldn't figure out how. I'm not here to ask for advice on that. I only bring it up because one of the things I changed while fiddling around was to turn on file sharing (I forget why I did this, but it was suggested somewhere, maybe as a part of achieving some other goal). Perhaps somehow that allowed something bad to happen to my main system drive?

The questions:
1. What should I do?
2. Should I be worried about the LAN? Our computers do not communicate with each other very much, if at all, as far as I know.
3. Any insight into how this might have happened? Which of the two given possibilities is more likely? A third cause to which I'm oblivious?

Thanks again, guys. I really hope someone can help me. :)
 
