ok, so probably got something from limewire downloading. system was acting very odd. weird mousepad reactions, very slow program opening and closing, having to click twice in a browser sometimes to achieve link. just weird stuff. did everything in the tutorial and it helped considerably, but there is still an issue. following are the logs from rootrepeal and hijack this. i have dds log as well if needed. thanks in advance and you guys rock!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:17 PM, on 9/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\yacpower.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Hal Seabolt.LEE.000\Desktop\security\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonela...eqId=1994699909
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [YAMAHA AC-XG Power Utility] yacpower.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gbridge] "C:\Program Files\Gbridge LLC\Gbridge\pstartw.exe" "C:\Program Files\Gbridge LLC\Gbridge\Gbridge.exe" -autostart
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 3603 bytes
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/15 16:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6F36000 Size: 49152 File Visible: No Signed: -
Status: -
Name: srescan.sys
Image Path: srescan.sys
Address: 0xF9647000 Size: 81920 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86d2fc0
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86cfc80
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf9ef3b56
#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86d3580
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86e7900
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86e7b10
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86ebb10
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf9ef3b4c
#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86d3670
#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86d0210
#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf9ef3b5b
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf9ef3b65
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86e7280
#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf9ef3b6a
#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86eaf90
#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86d0070
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86e9180
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86e8f40
#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86eb6f0
#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf9ef3b74
#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86d2be0
#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf9ef3b6f
#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86d3190
#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86d0440
#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf9ef3b60
#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86e8200
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf86e8080
==EOF==
Thanks again and hope to hear from someone.
Sign In
Create Account
