View Full Version : Concerned about infection / rootkit



JimNicolay
2007-08-01, 08:18
I would appreciate it if someone would look at the attached HijackThis log.

My computer is running slowly.

I also downloaded McAfee Rootkit Detective and found numerous hidden items ... but have no idea what to do about this information.

Thanks!

XP Pro, SP 2
HJT 2.0.2

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SetDefPrt] "E:\Program Files\Brother\Brmfl04e\BrStDvPt.exe"
O4 - HKLM\..\Run: [PaperPort PTD] "E:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IndexSearch] "E:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [EEventManager] "E:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "E:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [AVG7_CC] "E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = E:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134787685009
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5972 bytes

pskelley
2007-08-01, 15:03
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hi Jim, you need to start with the instructions which are also Pinned to the top of the forum. Let me give you information first.

1) You have not posted a complete HJT log, cutting off the header which we need to see. When HJT creates a log in Notepad click Edit then Select All. Copy and Paste the highlighted information.

2) Your HJT log is showing nothing in the way of any malware, and you should be aware it is only one of the many causes of a slowing computer, here are links that may help:
http://www.castlecops.com/postitle175256-0-0-.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b

3)
"I also downloaded McAfee Rootkit Detective and found numerous hidden items ... but have no idea what to do about this information."

What other symptoms besides slowing does your computer have? Be aware when a rootkit infection is at work, you will very rarely know it.
I am not familiar yet with the McAfee tool but I would be interested in seeing the results of the scan. There will be a way to save those results. Post them for me to view.

4) I see SpySweeper running from your services, do you own this program? Many people download the trial and do not remove it and it uses many resources as it runs and gives no benefits. If it is a viable program, run a scan, save the scan results and post them.

Thanks

JimNicolay
2007-08-02, 01:16
Thanks for your prompt feedback. I am posting an updated HJT log (with header!). Prior to posting, I scanned with Spybot in Safe Mode & checked that I had the latest Updates from Microsoft. I am defragging now and have downsized my IE cache - thanks for the links.

I will post separately a copy of the hidden registry keys from the McAfee Rootkit Detective report.

I'll also send separately a copy of Spysweeper's report. My subscription to that is valid & its definitions are current. Please take a look at all three and let me know if there is anything to worry about.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:37 AM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
E:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINDOWS\system32\BRMFRSMG.EXE
E:\Program Files\iPod\bin\iPodService.exe
e:\program files\common files\installshield\updateservice\isuspm.exe
E:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
E:\Program Files\Webroot\Spy Sweeper\SSU.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SetDefPrt] "E:\Program Files\Brother\Brmfl04e\BrStDvPt.exe"
O4 - HKLM\..\Run: [PaperPort PTD] "E:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "e:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IndexSearch] "E:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [EEventManager] "E:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "E:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [AVG7_CC] "E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = E:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134787685009
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7049 bytes

JimNicolay
2007-08-02, 01:23
As requested, here is the log from McAfee Rootkit Detective. I have not pasted the 'visible' processes to keep this list manageable.

McAfee(R) Rootkit Detective 1.0 scan report
On 01-08-2007 at 11:50:42
OS-Version 5.1.2600
Service Pack 2.0
====================================

Object-Type: SSDT-hook
Object-Name: ZwAllocateVirtualMemory
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwConnectPort
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateFile
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreatePort
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcess
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateProcessEx
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateSection
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateThread
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwCreateWaitablePort
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwDeleteFile
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwDeleteKey
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwDeleteValueKey
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwDuplicateObject
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwLoadKey2
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenFile
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenProcess
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenThread
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwQueueApcThread
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwReadVirtualMemory
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwRenameKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwReplaceKey
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwRequestWaitReplyPort
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwRestoreKey
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwSecureConnectPort
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwSetContextThread
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwSetInformationFile
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwSetInformationKey
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwSetInformationProcess
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwSetInformationThread
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwSetValueKey
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwSuspendProcess
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwSuspendThread
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwTerminateProcess
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwTerminateThread
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwWriteVirtualMemory
Object-Path: (NULL)

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_SET_QUOTA
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_QUERY_QUOTA
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_DEVICE_CHANGE
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_SYSTEM_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_POWER
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_SET_SECURITY
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_QUERY_SECURITY
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_CREATE_MAILSLOT
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_CLEANUP
Object-Path: \??\E:\WINDOWS\system32\vsdatant.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_LOCK_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_SHUTDOWN
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_INTERNAL_DEVICE_CONTROL
Object-Path: \SystemRoot\System32\Drivers\avgtdi.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
Object-Path: \??\E:\WINDOWS\system32\vsdatant.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_FILE_SYSTEM_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_DIRECTORY_CONTROL
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_SET_VOLUME_INFORMATION
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_QUERY_VOLUME_INFORMATION
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_FLUSH_BUFFERS
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_SET_EA
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_QUERY_EA
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_SET_INFORMATION
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_QUERY_INFORMATION
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_WRITE
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_READ
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_CLOSE
Object-Path: \??\E:\WINDOWS\system32\vsdatant.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_CREATE_NAMED_PIPE
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_CREATE
Object-Path: \??\E:\WINDOWS\system32\vsdatant.sys

Object-Type: Registry-key
Object-Name: DataE:\WINDOWS\system32\vsdatant.sys
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
Status: Hidden

Object-Type: Registry-key
Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771 System Provider\*Local Machine*\Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

Object-Type: Registry-key
Object-Name: 00000000-0000-0000-0000-000000000000 System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Status: Hidden

Object-Type: Registry-key
Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}ystem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Status: Hidden

Object-Type: Registry-key
Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}.RENm Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: Item Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}.REN
Status: Hidden

Object-Type: Registry-key
Object-Name: 00000000-0000-0000-0000-000000000000.RENtem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}.REN
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000.REN
Status: Hidden

Object-Type: Registry-key
Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.RENtem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000.REN
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: Display String
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.REN
Status: Hidden

Object-Type: Registry-key
Object-Name: Data 2RE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.REN
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Status: Hidden

Object-Type: Registry-key
Object-Name: WindowsE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Status: Hidden

Object-Type: Registry-key
Object-Name: Windows.RENcrosoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows.REN
Status: Hidden

Object-Type: Registry-value
Object-Name: Value
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows.REN
Status: Hidden

Object-Type: Registry-key
Object-Name: Data 2.RENicrosoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows.REN
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2.REN
Status: Hidden

NOTE: visible processes not copied!

scan complete. Hidden registry keys/values: 15

pskelley
2007-08-02, 02:24
Thanks for returning your information and the feedback. Starting with the HJT log, I see no malware in the log. HJT is just short of a miracle but it can not show everything.

McAfee(R) Rootkit Detective 1.0 scan report
Unfortunately, I am new to this program and know little about the report. I did scan a few files:
vsdatant.sys > http://www.google.com/search?hl=en&q=vsdatant.sys&btnG=Google+Search

avgtdi.sys > http://www.google.com/search?hl=en&q=avgtdi.sys&btnG=Search

and looked it over, but as far as I can see everything is normal. When the scan ends it does not tell you it has located a rootkit and ask you to take action does it? Without having the software on my computer and the time to learn it, which is not going to happen, I really can not comment further other than to suggest if it found anything you should have been asked to take some kind of action. You may find more information or a forum where you can ask questions in this Google:
http://www.google.com/search?hl=en&q=McAfee%28R%29+Rootkit+Detective+forum&btnG=Search

Let's give another free rootkit scan a try and see what it reports:

Click here to download AVG Anti Rootkit and save it to your desktop.
http://free.grisoft.com/softw/70free/setup/avgarkt-setup-1.1.0.42.exe
Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
Click "I Agree" to agree to the EULA.
By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
Click "Next" to begin the installation then click "Install".
It will then ask you to reboot now to finish the installation.
Click "Finish" and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click on the "Perform in-depth search" button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the "Save result to file" button.
Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.

Post those results and I'll look at SpySweeper's scan results when you post them.

Thanks
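The triage pskelley did by hand on the Rootkit Detective report above (look up which product owns vsdatant.sys and avgtdi.sys, then decide whether the rest is normal) can be done in one pass over the report text. The script below is an added example, not code from this thread or from the McAfee tool. It assumes the record layout seen in Jim's post (Object-Type / Object-Name / Object-Path / Status blocks separated by blank lines); the function names are mine, and SAMPLE_REPORT is a shortened sample constructed from the posted report. It groups each hook by the driver file the tool attributed it to, so the owner list can be checked against the security products visible in the HJT log (vsdatant.sys is ZoneAlarm's TrueVector driver, avgtdi.sys belongs to AVG); it lists separately the hooks the tool could not attribute to any module (Object-Path "(NULL)" or empty), since those cannot be cleared simply by identifying the owning product; and it collapses the hidden registry objects to the subtree they live in, which turns the 15 entries in the post into a single location to examine.

```python
"""Triage a McAfee Rootkit Detective 1.0 text report (added example; not code from
the thread or from the McAfee tool). Hooks are grouped by the driver the tool
attributed them to, unattributed hooks are listed, and hidden registry objects
are collapsed to their subtree. SAMPLE_REPORT is a shortened sample constructed
from the report posted above."""
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""McAfee(R) Rootkit Detective 1.0 scan report
====================================

Object-Type: SSDT-hook
Object-Name: ZwAllocateVirtualMemory
Object-Path: (NULL)

Object-Type: SSDT-hook
Object-Name: ZwCreateFile
Object-Path: E:\WINDOWS\system32\vsdatant.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_SET_QUOTA
Object-Path:

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_INTERNAL_DEVICE_CONTROL
Object-Path: \SystemRoot\System32\Drivers\avgtdi.sys

Object-Type: IRP-hook
Object-Name: \Driver\Tcpip->IRP_MJ_CREATE
Object-Path: \??\E:\WINDOWS\system32\vsdatant.sys

Object-Type: Registry-key
Object-Name: DataE:\WINDOWS\system32\vsdatant.sys
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
Status: Hidden

Object-Type: Registry-value
Object-Name: Item Data
Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
Status: Hidden

scan complete. Hidden registry keys/values: 2
"""
FIELDS = ("Object-Type", "Object-Name", "Object-Path", "Status")

def parse_report(text):
    """Split the report into records; a new record starts at each Object-Type line."""
    records, current = [], {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        key = key.strip()
        if not sep or key not in FIELDS:
            continue  # banner, separator, blank and summary lines
        if key == "Object-Type" and current:
            records.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    return records

def owner_of(path):
    """File name of the driver a hook was attributed to; None for (NULL) or empty."""
    path = path.strip()
    if not path or path.upper() == "(NULL)":
        return None
    return path.rsplit("\\", 1)[-1].lower()

def subtree(path, depth=4):
    """First `depth` components of a registry path."""
    return "\\".join(path.split("\\")[:depth])

def summarise(records):
    """Hooks per owning driver, hooks with no owner, hidden registry objects."""
    hooks_by_owner = defaultdict(Counter)  # driver -> hook type -> count
    unattributed, hidden_objects = [], []  # (hook type, entry) / (object type, name)
    hidden_by_subtree = Counter()          # registry subtree -> hidden object count
    for rec in records:
        kind = rec.get("Object-Type", "")
        if kind.endswith("-hook"):
            owner = owner_of(rec.get("Object-Path", ""))
            if owner is None:
                unattributed.append((kind, rec.get("Object-Name", "")))
            else:
                hooks_by_owner[owner][kind] += 1
        elif kind.startswith("Registry") and rec.get("Status", "").lower() == "hidden":
            path = rec.get("Object-Path", "")
            # Key names in the posted report carry stray trailing text (e.g.
            # "DataE:\WINDOWS\system32\vsdatant.sys"), so take a key's name from the
            # leaf of Object-Path; value names are reported cleanly.
            name = path.rsplit("\\", 1)[-1] if kind == "Registry-key" else rec["Object-Name"]
            hidden_objects.append((kind, name))
            hidden_by_subtree[subtree(path)] += 1
    return {"hooks_by_owner": {k: dict(v) for k, v in hooks_by_owner.items()},
            "unattributed": unattributed, "hidden_objects": hidden_objects,
            "hidden_by_subtree": dict(hidden_by_subtree)}

if __name__ == "__main__":
    for section, value in summarise(parse_report(SAMPLE_REPORT)).items():
        print(f"{section}: {value}")
```

Run against the full report in the post, the owner table reduces the 60-odd hook lines to two driver names plus a short list of unattributed entries, and every hidden registry object falls under one Protected Storage System Provider subtree; that is the shape of output a helper needs before deciding whether a second scanner is warranted, as pskelley does next.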

JimNicolay
2007-08-02, 02:55
Webroot Spysweeper ran a full sweep and detected nothing. Partial Report:

1:43 PM: None
1:43 PM: Traces Found: 0
1:43 PM: Full Sweep has completed. Elapsed time 01:57:27
1:43 PM: File Sweep Complete, Elapsed Time: 01:51:44
1:38 PM: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
1:38 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [e:\windows\tasks\cloudmark desktop config guard.job]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsba48cd04-1d18-4d93-bffd-aba3938638e3.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa4f0ab6f-3c3d-469a-9a10-3aad305ce31a.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms77d0bc80-b9aa-4c5b-b76c-141182a17906.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4ab153a0-8468-4c44-aecd-18dcbfb0afd7.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5bae1ade-3af1-4bbf-ac49-013d5af86bfe.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4fd3d1f5-a2c8-44d2-bc9b-53b16df80037.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms69e047d5-8f64-4e12-995e-e4b307f0a675.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsf34bbcb7-8663-4941-9201-f6ce08bdabc8.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscd4dffd8-7cb7-4a6f-9d28-cba1663c729b.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms439600b5-07d0-41ca-a846-aff5fd4bce51.tmp]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\jim\local settings\temp\sqlite_jvafwcinip97brj]
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\jim\local settings\temp\sqlite_agxrhceegundte0]
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsba48cd04-1d18-4d93-bffd-aba3938638e3.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa4f0ab6f-3c3d-469a-9a10-3aad305ce31a.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms77d0bc80-b9aa-4c5b-b76c-141182a17906.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4ab153a0-8468-4c44-aecd-18dcbfb0afd7.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5bae1ade-3af1-4bbf-ac49-013d5af86bfe.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4fd3d1f5-a2c8-44d2-bc9b-53b16df80037.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms69e047d5-8f64-4e12-995e-e4b307f0a675.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsf34bbcb7-8663-4941-9201-f6ce08bdabc8.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscd4dffd8-7cb7-4a6f-9d28-cba1663c729b.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms439600b5-07d0-41ca-a846-aff5fd4bce51.tmp". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\jim\local settings\temp\sqlite_jvafwcinip97brj". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\windows\tasks\cloudmark desktop config guard.job". The operation completed successfully
1:38 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [e:\documents and settings\jim\cookies\jim@msnbc.msn[2].txt]
1:38 PM: Warning: Failed to open file "e:\documents and settings\jim\local settings\temp\sqlite_agxrhceegundte0". The operation completed successfully
1:38 PM: Warning: Failed to open file "e:\documents and settings\jim\cookies\jim@msnbc.msn[2].txt". The operation completed successfully
1:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\jim\application data\mozilla\firefox\profiles\p7vnye4t.default\parent.lock]
1:38 PM: Warning: Failed to open file "e:\documents and settings\jim\application data\mozilla\firefox\profiles\p7vnye4t.default\parent.lock". The operation completed successfully
1:37 PM: IE Tracking Cookies Shield: Removed tacoda cookie
1:13 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsee361b76-5782-46b1-b3b9-b0ff77c932e6.tmp]
1:13 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\windows\system32\408dc7.mht]
1:08 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms00a02253-cd0b-4b72-9ed3-3f35c7a37383.tmp]
1:06 PM: ApplicationMinimized - EXIT
1:06 PM: ApplicationMinimized - ENTER
1:05 PM: ApplicationMinimized - EXIT
1:05 PM: ApplicationMinimized - ENTER
12:57 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [e:\windows\system32\ca5dc9.tmp]
12:55 PM: ApplicationMinimized - EXIT
12:55 PM: ApplicationMinimized - ENTER
12:55 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsc2dde099-de1a-438f-9ae7-d973435b0a9c.tmp]
12:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms499d9d3b-68be-48ce-aa38-b85e0b33d40b.tmp]
12:43 PM: ApplicationMinimized - EXIT
12:43 PM: ApplicationMinimized - ENTER
12:32 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms503622b7-127e-4d0a-a2e3-1ffee4d3fd5e.tmp]
12:31 PM: Warning: AntiVirus engine for IFO returned [File Corrupted] on [e:\windows\system32\spool\drivers\w32x86\eb3st000.dat]
12:23 PM: ApplicationMinimized - EXIT
12:23 PM: ApplicationMinimized - ENTER
12:21 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms19c01a88-d5cf-4527-a366-d271bdf59b8d.tmp]
12:18 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsd938895e-229b-43d6-808a-9a4636bdcca5.tmp]
12:13 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\windows\system32\config\default]
12:12 PM: ApplicationMinimized - EXIT
12:12 PM: ApplicationMinimized - ENTER
12:11 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\ntuser.dat]
12:11 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\jim\ntuser.dat]
12:10 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\networkservice\ntuser.dat]
12:10 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\windows\system32\config\software]
12:10 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\windows\system32\config\system]
12:09 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\pagefile.sys]
12:06 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms27bd9705-9976-4d70-8fc9-3440abf78380.tmp]
12:03 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\hiberfil.sys]
11:59 AM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [e:\windows\system32\config\sam]
11:57 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [e:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7ee9b671-90b8-4fb3-98fd-a37f3dabf613.tmp]
11:57 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [e:\documents and settings\jim\application data\superantispyware.com\superantispyware\quarantine\quarantine - 07-26-2007 - 15-01-02.sbu]
11:56 AM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [e:\windows\system32\config\security]
11:55 AM: Warning: AntiVirus engine for IFO returned [Error Code 8000FFFF] on [E:\WINDOWS\DEBUG\USERMODE\USERENV.LOG]
11:52 AM: Starting File Sweep
11:52 AM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
11:52 AM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
11:51 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:51 AM: Starting Cookie Sweep
11:51 AM: Registry Sweep Complete, Elapsed Time:00:00:11
11:51 AM: Starting Registry Sweep
11:51 AM: Memory Sweep Complete, Elapsed Time: 00:04:57
11:47 AM: ApplicationMinimized - EXIT
11:47 AM: ApplicationMinimized - ENTER
11:46 AM: Starting Memory Sweep
11:46 AM: Start Full Sweep
11:46 AM: Sweep initiated using definitions version 959
11:45 AM: Your virus definitions have been updated.
11:45 AM: Informational: Loaded AntiVirus Engine: 2.47.0; SDK Version: 4.19E; Virus Definitions: 8/1/2007 10:22:26 PM (GMT)
11:45 AM: Your spyware definitions have been updated.
10:54 AM: ApplicationMinimized - EXIT
10:54 AM: ApplicationMinimized - ENTER
7:59 AM: Your virus definitions have been updated.
7:59 AM: Informational: Loaded AntiVirus Engine: 2.47.0; SDK Version: 4.19E; Virus Definitions: 8/1/2007 7:09:54 PM (GMT)
7:59 AM: Your spyware definitions have been updated.
7:58 AM: Automated check for program update in progress.

The report also showed an incredible amount of tamper detection at 8 pm last night. I've not copied all of this as the text file is 312kB.

pskelley
2007-08-02, 03:18
The report also showed an incredible amount of tamper detection at 8 pm last night. I've not copied all of this as the text file is 312kB.

There is an incredible amount of junk roaming the www, as long as your programs stop it. Look at this information:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html

Let's see what the AVG Rootkit scan has to say.

Thanks...Phil

JimNicolay
2007-08-02, 03:36
I downloaded & ran AVG Anti-rootkit 1.1.0.42. It ran and gave me a "Congratulations - you have no rootkits" message.

But I ran GMER yesterday and it gave me a really bad feeling....

As the report is 50,000 characters long, I am cutting it into a couple of pieces.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-31 11:11:34
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT 866E8578 ZwAllocateVirtualMemory
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwConnectPort
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateFile
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreatePort
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateProcess
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateProcessEx
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateSection
SSDT 866E8848 ZwCreateThread
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwCreateWaitablePort
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwDeleteFile
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwDeleteKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwDeleteValueKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwDuplicateObject
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwLoadKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwOpenFile
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwOpenProcess
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwOpenThread
SSDT 866E85F0 ZwQueueApcThread
SSDT 866E8488 ZwReadVirtualMemory
SSDT 866E8C80 ZwRenameKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwReplaceKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwRestoreKey
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwSecureConnectPort
SSDT 866E86E0 ZwSetContextThread
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwSetInformationFile
SSDT 866E8C08 ZwSetInformationKey
SSDT 866E8938 ZwSetInformationProcess
SSDT 866E8758 ZwSetInformationThread
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwSetValueKey
SSDT 866E88C0 ZwSuspendProcess
SSDT 866E8668 ZwSuspendThread
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwTerminateProcess
SSDT 866E87D0 ZwTerminateThread
SSDT 866E8500 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805012B4 12 Bytes [ F0, C1, 28, F4, 80, 24, 29, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2616 805014E6 2 Bytes [ 6E, 86 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2782 80501652 2 Bytes [ 6E, 86 ]
? srescan.sys The system cannot find the file specified.
.text ntkrnlpa.exe!ZwYieldExecution + 28BC 805012B4 12 Bytes [ F0, C1, 28, F4, 80, 24, 29, ... ]
.text ntkrnlpa.exe!ZwYieldExecution + 2AEE 805014E6 2 Bytes [ 6E, 86 ]
.text ntkrnlpa.exe!ZwYieldExecution + 2C5A 80501652 2 Bytes [ 6E, 86 ]

---- User code sections - GMER 1.0.13 ----

.text E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[708] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ F7, FB, C3, 83 ]
.text E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1848] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 8F, FF, C3, 83 ]
.text E:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2644] ntdll.dll!KiUserExceptionDispatcher + 9 7C90EAF5 5 Bytes JMP 00016B10 E:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text E:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2644] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 000129B0 E:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text E:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2644] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00012AB0 E:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text E:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2644] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 000129B0 E:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text E:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2644] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00012A60 E:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text E:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2644] kernel32.dll!VirtualFree 7C809AE4 5 Bytes JMP 00012A90 E:\Program Files\Webroot\Spy Sweeper\SSU.EXE

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 866E8318
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 866E8410
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F4290950] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F4290E70] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F4290FD0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F4290AC0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F4290AC0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F4290950] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F4290E70] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F4290FD0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F4290950] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F4290FD0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F4290E70] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F4290AC0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F4290FD0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F4290E70] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F4290950] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F4290AC0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F4290950] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F4290E70] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F4290FD0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F4290FD0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F4290E70] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F4290AC0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F4290950] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] 866E8410
IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] 866E8318
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F4290950] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F4290AC0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F4290FD0] \??\E:\WINDOWS\system32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F4290E70] \??\E:\WINDOWS\system32\vsdatant.sys

JimNicolay
2007-08-02, 03:48
Partial GMER report, part 2:

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7A24A96] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7A24958] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7A24DA8] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7A24306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7B64404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7B64404] avg7rsw.sys
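
Jim's two GMER fragments above list every SSDT hook, patched code range, kernel IAT entry and NTFS filter device the scanner found. Read raw, hundreds of such lines look alarming; what a responder wants first is the hooks grouped by the driver that owns the hook target, with the entries GMER could not attribute to any loaded module (it prints a bare address such as 866E8578 where it would otherwise print a driver path) pulled out for manual follow-up. The script below is an added example written for this thread; it is not GMER's code and not something either poster ran. Its sample input is constructed from a handful of the line shapes in the posted report (driver names and addresses copied from it), and the function names, dict keys and regular expressions are this example's own.

```python
"""Triage a GMER 1.0.13 report: group hooks by owning driver, isolate unattributed ones.

Added example, not GMER's code. The patterns follow the line shapes GMER printed
in this thread; SAMPLE_LOG is a constructed subset of those lines.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines in the shapes GMER printed above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.13 ----
SSDT 866E8578 ZwAllocateVirtualMemory
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwConnectPort
SSDT 866E8848 ZwCreateThread
SSDT \??\E:\WINDOWS\system32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.13 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805012B4 12 Bytes [ F0, C1, 28, F4, 80, 24, 29, ... ]
? srescan.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.13 ----
.text E:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2644] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 000129B0 E:\Program Files\Webroot\Spy Sweeper\SSU.EXE

---- Kernel IAT/EAT - GMER 1.0.13 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 866E8410
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F4290E70] \??\E:\WINDOWS\system32\vsdatant.sys

---- Devices - GMER 1.0.13 ----
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7652E40] SSFS0BB8.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7B64404] avg7rsw.sys
"""

HEX8 = r"[0-9A-Fa-f]{8}"
# "SSDT <driver path or bare address> <Zw service>"
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)$")
# "IAT <patched driver>[<exporter>!<import>] [<addr>] <hooking driver>"  or  "... <bare addr>"
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[(\S+?)!(\w+)\]\s+(?:\[(%s)\]\s+(\S+)|(%s))$" % (HEX8, HEX8))
# "AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_xxx [<addr>] <filter driver>"
DEVICE_RE = re.compile(r"^AttachedDevice\s+\S+\s+\S+\s+(IRP_MJ_\w+)\s+\[(%s)\]\s+(\S+)$" % HEX8)
# ".text <symbol>[ + <offset>] <addr> <n> Bytes ..." (kernel and user-mode forms)
PATCH_RE = re.compile(r"^\.text\s+(.+?)(?:\s+\+\s+[0-9A-Fa-f]+)?\s+(%s)\s+(\d+)\s+Bytes" % HEX8)
# "? <driver> The system cannot find the file specified."
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+(.*)$")


def module_name(target):
    r"""Strip the NT path prefix: '\??\E:\WINDOWS\system32\vsdatant.sys' -> 'vsdatant.sys'."""
    return target.rsplit("\\", 1)[-1].lower()


def triage(report):
    """Bucket every hook GMER reported by the driver that owns the hook target."""
    s = {
        "ssdt_by_module": defaultdict(list),   # driver -> hooked Zw* services
        "ssdt_unresolved": [],                  # (address, service): no owning module found
        "iat_by_module": defaultdict(list),     # driver -> (patched driver, import)
        "iat_unresolved": [],                   # (address, patched driver, import)
        "filters_by_driver": defaultdict(set),  # filter driver -> IRP_MJ_* it intercepts
        "code_patches": [],                     # (symbol, address, byte count)
        "missing_files": [],                    # drivers GMER could not open on disk
    }
    for raw in report.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            target, service = m.groups()
            if re.fullmatch(HEX8, target):
                s["ssdt_unresolved"].append((target.upper(), service))
            else:
                s["ssdt_by_module"][module_name(target)].append(service)
        elif m := IAT_RE.match(line):
            victim, exporter, imp, _, target, bare = m.groups()
            entry = (module_name(victim), f"{exporter}!{imp}")
            if bare:
                s["iat_unresolved"].append((bare.upper(),) + entry)
            else:
                s["iat_by_module"][module_name(target)].append(entry)
        elif m := DEVICE_RE.match(line):
            irp, _, driver = m.groups()
            s["filters_by_driver"][driver.lower()].add(irp)
        elif m := PATCH_RE.match(line):
            symbol, addr, nbytes = m.groups()
            s["code_patches"].append((symbol, addr.upper(), int(nbytes)))
        elif m := MISSING_RE.match(line):
            s["missing_files"].append(m.group(1).lower())
    s["ssdt_by_module"] = dict(s["ssdt_by_module"])
    s["iat_by_module"] = dict(s["iat_by_module"])
    s["filters_by_driver"] = {k: sorted(v) for k, v in s["filters_by_driver"].items()}
    return s


def follow_up(summary):
    """Entries that no driver name explains; these are the ones to investigate by hand."""
    items = [f"SSDT {svc} -> {addr} (no module)" for addr, svc in summary["ssdt_unresolved"]]
    items += [f"IAT {v} {imp} -> {addr} (no module)" for addr, v, imp in summary["iat_unresolved"]]
    items += [f"code patch at {addr} in {sym} ({n} bytes)" for sym, addr, n in summary["code_patches"]]
    items += [f"driver referenced but not on disk: {name}" for name in summary["missing_files"]]
    return items


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for driver, services in result["ssdt_by_module"].items():
        print(f"{driver}: {len(services)} SSDT hooks")
    for driver, irps in result["filters_by_driver"].items():
        print(f"{driver}: intercepts {len(irps)} NTFS IRP major functions")
    print("needs follow-up:\n  " + "\n  ".join(follow_up(result)))
```

Run against the full report, the named-driver buckets collapse to a short list that is judged per vendor: on 32-bit XP, before PatchGuard, firewalls and anti-malware products hooked the SSDT and filtered NTFS as a matter of course (vsdatant.sys is the ZoneAlarm TrueVector driver, avg7rsw.sys is AVG's resident shield, and the SSFSxxxx.SYS name is Spy Sweeper's file-system filter). What remains in `follow_up` is the material worth a second look: the SSDT and NDIS entries that point at 866E8xxx with no owning module, the patched bytes inside ntkrnlpa.exe, and srescan.sys, which GMER references but cannot open. The script only sorts the evidence; it does not decide whether any of it is hostile, which is the question the thread leaves to the helper.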

pskelley
2007-08-02, 03:50
Please stop posting stuff I have not requested. The AVG report says no rootkit; I have no need to see the scan you are posting.

Thanks

pskelley
2007-08-03, 13:59
Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

pskelley
2007-08-13, 16:06
No response to directions since 8/03/2007. This topic is closed; if you need it re-opened, please send me or a forum staff member a private message (PM) and provide a link to the thread. This applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks