AGprotect - unable to remove

  1. #1
    Join Date: Feb 2010
    Posts: 18

    AGprotect - unable to remove

    Hi, a guy who works for me installed "internet security 2010" on his laptop, I followed removal instructions, but I still get this AGprotect malware trace on every scan with MBAM. Please could someone help me remove this? A rebuild would be a real pain right now. I have seen another thread where this is fixed so I hope it's possible!

    Here is my MBAM log


    Malwarebytes' Anti-Malware 1.44
    Database version: 3703
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    08/02/2010 21:46:04
    mbam-log-2010-02-08 (21-46-04).txt

    Scan type: Quick Scan
    Objects scanned: 140145
    Time elapsed: 6 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ----------------------------------------------------------------------------------------------------------------------------------------------------


    HIJACK THIS LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:57:22, on 08/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Creative\Mixer\CTSVolFE.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6060906
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6060906
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6060906
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [DriverCure] C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1238769866718
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup.local
    O17 - HKLM\Software\..\Telephony: DomainName = workgroup.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup.local
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 11683 bytes

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    Having trouble getting GMER to run at the moment; will try to get it on asap.

    Thanks

    Chris

  2. #2
    Join Date: Dec 2007
    Location: Daly City, CA
    Posts: 22,550
    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  3. #3
    Join Date: Feb 2010
    Posts: 18
    ComboFix 10-02-08.06 - acoles 14/02/2010 16:35:57.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.507 [GMT 0:00]
    Running from: c:\documents and settings\Acoles\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Acoles\Local Settings\Application Data\{233B6261-2C40-4CE5-A89A-BA4F8444452A}
    c:\documents and settings\Acoles\Local Settings\Application Data\{233B6261-2C40-4CE5-A89A-BA4F8444452A}\chrome.manifest
    c:\documents and settings\Acoles\Local Settings\Application Data\{233B6261-2C40-4CE5-A89A-BA4F8444452A}\chrome\content\_cfg.js
    c:\documents and settings\Acoles\Local Settings\Application Data\{233B6261-2C40-4CE5-A89A-BA4F8444452A}\chrome\content\overlay.xul
    c:\documents and settings\Acoles\Local Settings\Application Data\{233B6261-2C40-4CE5-A89A-BA4F8444452A}\install.rdf
    c:\program files\Open
    c:\windows\system32\18467.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_DAVINCIDR
    -------\Service_DaVinciDr


    ((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
    .

    2010-02-08 21:57 . 2010-02-08 21:57 -------- d-----w- c:\program files\Trend Micro
    2010-02-08 21:11 . 2010-02-08 21:11 -------- d-----w- C:\_OTL
    2010-02-08 21:08 . 2010-02-08 21:08 -------- d-----w- c:\program files\ERUNT
    2010-02-06 18:47 . 2010-02-06 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-02-06 18:47 . 2010-02-06 18:47 -------- d-----w- c:\documents and settings\Acoles\Application Data\Office Genuine Advantage
    2010-02-02 11:40 . 2010-02-02 11:34 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-02-02 11:40 . 2010-02-01 16:24 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-02-02 11:34 . 2010-02-02 11:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-02-02 11:34 . 2010-02-02 11:34 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
    2010-02-02 11:34 . 2010-02-02 11:34 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-02-02 11:34 . 2010-02-02 11:34 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2010-02-02 11:34 . 2010-02-02 11:34 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-02-02 11:34 . 2010-02-02 11:34 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-02-02 11:34 . 2010-02-09 08:33 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-02-02 11:33 . 2010-02-03 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-02 11:30 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2010-02-02 11:28 . 2001-08-17 13:28 771581 ----a-w- c:\windows\system32\dllcache\winacisa.sys
    2010-02-02 11:27 . 2001-08-17 13:49 24576 ----a-w- c:\windows\system32\dllcache\viairda.sys
    2010-02-02 11:26 . 2001-08-17 22:36 69632 ----a-w- c:\windows\system32\dllcache\umaxu12.dll
    2010-02-02 11:25 . 2001-08-17 22:35 42496 ----a-w- c:\windows\system32\dllcache\tp4res.dll
    2010-02-02 11:24 . 2001-08-17 14:56 172768 ----a-w- c:\windows\system32\dllcache\t2r4disp.dll
    2010-02-02 11:23 . 2001-08-17 13:51 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
    2010-02-02 11:22 . 2001-08-17 22:36 45568 ----a-w- c:\windows\system32\dllcache\smb3w.dll
    2010-02-02 11:21 . 2001-07-21 14:29 161568 ----a-w- c:\windows\system32\dllcache\sgsmusb.sys
    2010-02-02 11:20 . 2001-08-17 14:56 245632 ----a-w- c:\windows\system32\dllcache\s3savmx.dll
    2010-02-02 11:19 . 2001-08-17 12:19 3840 ----a-w- c:\windows\system32\dllcache\rpfun.sys
    2010-02-02 11:18 . 2001-08-17 13:51 16128 ----a-w- c:\windows\system32\dllcache\pscr.sys
    2010-02-02 11:17 . 2001-08-17 12:12 26153 ----a-w- c:\windows\system32\dllcache\pcmlm56.sys
    2010-02-02 11:16 . 2001-08-17 12:20 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
    2010-02-02 11:15 . 2001-08-17 12:50 27936 ----a-w- c:\windows\system32\dllcache\n9i3d.sys
    2010-02-02 11:14 . 2001-08-17 14:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
    2010-02-02 11:13 . 2001-08-17 12:49 22848 ----a-w- c:\windows\system32\dllcache\lwusbhid.sys
    2010-02-02 11:12 . 2008-04-14 01:09 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-02-02 11:11 . 2001-08-17 14:06 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys
    2010-02-02 11:10 . 2001-08-17 22:36 9759 ----a-w- c:\windows\system32\dllcache\hsf_inst.dll
    2010-02-02 11:09 . 2001-08-17 14:02 8576 ----a-w- c:\windows\system32\dllcache\hidgame.sys
    2010-02-02 11:08 . 2001-08-17 12:12 24618 ----a-w- c:\windows\system32\dllcache\fa410nd5.sys
    2010-02-02 11:07 . 2001-08-17 13:50 144896 ----a-w- c:\windows\system32\dllcache\epcfw2k.sys
    2010-02-02 11:06 . 2001-08-17 22:36 37962 ----a-w- c:\windows\system32\dllcache\divaprop.dll
    2010-02-02 11:05 . 2001-08-17 22:36 27136 ----a-w- c:\windows\system32\dllcache\cyzcoins.dll
    2010-02-02 11:04 . 2001-08-17 14:04 171264 ----a-w- c:\windows\system32\dllcache\camdrv30.sys
    2010-02-02 11:03 . 2001-08-17 12:49 10240 ----a-w- c:\windows\system32\dllcache\atipcxxx.sys
    2010-02-02 11:02 . 2001-08-17 14:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
    2010-02-02 11:02 . 2004-08-04 04:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
    2010-02-02 11:02 . 2004-08-04 04:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
    2010-02-02 11:01 . 2004-08-04 04:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
    2010-02-02 11:01 . 2004-08-04 04:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
    2010-02-02 11:01 . 2004-08-04 04:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
    2010-02-02 11:01 . 2004-08-04 04:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
    2010-02-02 10:55 . 2010-02-02 10:55 -------- d-----w- C:\ERDNT
    2010-02-02 09:57 . 2010-02-02 09:57 -------- d-----w- c:\documents and settings\Acoles\Application Data\Malwarebytes
    2010-02-02 09:57 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-02 09:57 . 2010-02-02 09:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-02 09:57 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-02 09:57 . 2010-02-02 09:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-02 09:16 . 2010-02-02 09:16 -------- d-----w- c:\documents and settings\Acoles\Local Settings\Application Data\Mozilla
    2010-02-01 16:25 . 2010-02-01 16:25 -------- d-----w- C:\$AVG
    2010-02-01 16:23 . 2010-02-01 16:23 -------- d-----w- c:\program files\AVG
    2010-01-31 22:52 . 2010-01-31 22:52 -------- d-----w- c:\documents and settings\Acoles\Local Settings\Application Data\LogMeIn
    2010-01-31 22:52 . 2010-01-31 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
    2010-01-30 22:09 . 2010-01-31 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-01-30 22:02 . 2010-02-01 19:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-30 22:02 . 2010-02-01 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-01-30 22:01 . 2010-01-30 22:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
    2010-01-30 22:00 . 2009-09-28 19:34 47416 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2010-01-30 22:00 . 2009-09-28 19:34 28984 ----a-w- c:\windows\system32\LMIport.dll
    2010-01-30 22:00 . 2009-09-28 19:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2010-01-30 22:00 . 2008-08-11 12:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
    2010-01-30 22:00 . 2009-09-28 19:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
    2010-01-30 22:00 . 2010-02-14 15:58 -------- d-----w- c:\program files\LogMeIn
    2010-01-29 22:08 . 2010-01-30 21:51 -------- d-----w- c:\documents and settings\Acoles\Local Settings\Application Data\Deployment
    2010-01-26 13:43 . 2010-01-26 13:43 212224 ------w- c:\windows\system32\dllcache\ndis.sys
    2010-01-26 12:49 . 2010-01-30 22:01 120 ----a-w- c:\windows\Ltusafonut.dat
    2010-01-26 12:49 . 2010-01-30 19:58 0 ----a-w- c:\windows\Ktigog.bin
    2010-01-17 21:26 . 2010-01-17 21:26 -------- d-----w- c:\windows\system32\LogFiles
    2010-01-17 20:05 . 2010-01-17 20:05 152576 ----a-w- c:\documents and settings\Acoles\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-14 15:58 . 2008-12-08 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-09 17:59 . 2007-06-25 07:50 7100 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-02-09 17:59 . 2007-06-25 07:50 88 --sh--r- c:\windows\system32\D455B9E15A.sys
    2010-02-02 11:36 . 2006-09-06 10:14 -------- d-----w- c:\program files\Google
    2010-01-26 13:43 . 2004-08-11 16:00 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
    2010-01-26 08:27 . 2009-11-20 08:24 79488 ----a-w- c:\documents and settings\Acoles\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-16 13:02 . 2007-07-17 10:52 56 --sh--r- c:\windows\system32\5AE1B955D4.sys
    2010-01-05 10:00 . 2004-08-11 16:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2004-08-11 16:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2004-08-11 16:00 17408 ------w- c:\windows\system32\corpol.dll
    2009-11-21 15:51 . 2004-08-11 16:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    .

    ------- Sigcheck -------

    [-] 2010-01-26 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
    [-] 2010-01-26 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
    [7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
    [-] 2004-08-04 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-02 148888]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
    "CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-09-06 26112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-06 98304]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-6 24576]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-02-02 11:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-28 19:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP"= 10426:UDP:SingleClick ICC

    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [02/02/2010 11:34 25608]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [02/02/2010 11:34 161800]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/02/2010 11:34 333192]
    R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/02/2010 11:34 360584]
    R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [02/02/2010 11:34 285392]
    R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [02/02/2010 11:33 5832712]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/08/2008 12:41 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [30/01/2010 22:00 47640]
    R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [02/02/2010 11:34 122376]
    R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [02/02/2010 11:34 30216]
    R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [02/02/2010 11:34 25736]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-14 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-26 08:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6060906
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-14 16:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe >>UNKNOWN [0x86F69530]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf757cf28
    \Driver\ACPI -> ACPI.sys @ 0xf740fcb8
    \Driver\atapi -> atapi.sys @ 0xf73a1852
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0x86f09bb0
    PacketIndicateHandler -> NDIS.sys @ 0x86ef8a0d
    SendHandler -> NDIS.sys @ 0x86f0cb40
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\H* 2*]
    "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

    [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\H* Ü]
    "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(600)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'explorer.exe'(3168)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\stsystra.exe
    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-14 16:52:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-14 16:52

    Pre-Run: 10,423,619,584 bytes free
    Post-Run: 10,299,543,552 bytes free

    - - End Of File - - 15C5B4CC30DD58702B0268BF5197D653

  4. #4
    Join Date
    Feb 2010
    Posts
    18
    Hijack this log
    --------------------------------------------------------------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:54:15, on 14/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Creative\Mixer\CTSVolFE.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6060906
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6060906
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1238769866718
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup.local
    O17 - HKLM\Software\..\Telephony: DomainName = workgroup.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup.local
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 10695 bytes




    Flyer4life

  5. #5
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.

  6. #6
    Join Date
    Feb 2010
    Posts
    18
    17:48:45:937 0172 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
    17:48:45:937 0172 ================================================================================
    17:48:45:937 0172 SystemInfo:

    17:48:45:937 0172 OS Version: 5.1.2600 ServicePack: 3.0
    17:48:45:937 0172 Product type: Workstation
    17:48:45:937 0172 ComputerName: ANDYLAPTOP
    17:48:45:937 0172 UserName: acoles
    17:48:45:937 0172 Windows directory: C:\WINDOWS
    17:48:45:937 0172 Processor architecture: Intel x86
    17:48:45:937 0172 Number of processors: 2
    17:48:45:953 0172 Page size: 0x1000
    17:48:45:953 0172 Boot type: Normal boot
    17:48:45:953 0172 ================================================================================
    17:48:45:953 0172 UnloadDriverW: NtUnloadDriver error 2
    17:48:45:953 0172 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    17:48:46:000 0172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    17:48:46:125 0172 UtilityInit: KLMD drop and load success
    17:48:46:125 0172 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
    17:48:46:125 0172 UtilityInit: KLMD open success
    17:48:46:125 0172 UtilityInit: Initialize success
    17:48:46:125 0172
    17:48:46:125 0172 Scanning Services ...
    17:48:46:125 0172 CreateRegParser: Registry parser init started
    17:48:46:125 0172 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    17:48:46:125 0172 CreateRegParser: DisableWow64Redirection error
    17:48:46:125 0172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    17:48:46:125 0172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    17:48:46:125 0172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    17:48:46:125 0172 wfopen_ex: Trying to KLMD file open
    17:48:46:125 0172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    17:48:46:125 0172 wfopen_ex: File opened ok (Flags 2)
    17:48:46:125 0172 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384B28
    17:48:46:125 0172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    17:48:46:125 0172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    17:48:46:125 0172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    17:48:46:125 0172 wfopen_ex: Trying to KLMD file open
    17:48:46:125 0172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    17:48:46:125 0172 wfopen_ex: File opened ok (Flags 2)
    17:48:46:125 0172 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384A18
    17:48:46:125 0172 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    17:48:46:125 0172 CreateRegParser: EnableWow64Redirection error
    17:48:46:125 0172 CreateRegParser: RegParser init completed
    17:48:46:671 0172 GetAdvancedServicesInfo: Raw services enum returned 382 services
    17:48:46:687 0172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    17:48:46:687 0172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    17:48:46:687 0172
    17:48:46:687 0172 Scanning Kernel memory ...
    17:48:46:687 0172 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    17:48:46:687 0172 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86FC0458
    17:48:46:687 0172 DetectCureTDL3: KLMD_GetDeviceObjectList returned 7 DevObjects
    17:48:46:687 0172

    continues......................

  7. #7
    Join Date
    Feb 2010
    Posts
    18
    17:48:46:687 0172 DetectCureTDL3: DEVICE_OBJECT: 85E34AC8
    17:48:46:687 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85E34AC8
    17:48:46:687 0172 KLMD_ReadMem: Trying to ReadMemory 0x85E34AC8[0x38]
    17:48:46:687 0172 DetectCureTDL3: DRIVER_OBJECT: 86FC0458
    17:48:46:687 0172 KLMD_ReadMem: Trying to ReadMemory 0x86FC0458[0xA8]
    17:48:46:687 0172 KLMD_ReadMem: Trying to ReadMemory 0xE1014FE0[0x18]
    17:48:46:687 0172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (0) addr: F7543BB0
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (2) addr: F7543BB0
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (3) addr: F753DD1F
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (4) addr: F753DD1F
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (9) addr: F753E2E2
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (14) addr: F753E3BB
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (15) addr: F7541F28
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (16) addr: F753E2E2
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (22) addr: F753FC82
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (23) addr: F754499E
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    17:48:46:687 0172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    17:48:46:687 0172 TDL3_FileDetect: Processing driver: Disk
    17:48:46:687 0172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:687 0172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:703 0172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    17:48:46:703 0172
    17:48:46:703 0172 DetectCureTDL3: DEVICE_OBJECT: 85FEBAB8
    17:48:46:703 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85FEBAB8
    17:48:46:703 0172 DetectCureTDL3: DEVICE_OBJECT: 86094738
    17:48:46:703 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86094738
    17:48:46:703 0172 DetectCureTDL3: DEVICE_OBJECT: 86CAFEA0
    17:48:46:703 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86CAFEA0
    17:48:46:703 0172 KLMD_ReadMem: Trying to ReadMemory 0x86CAFEA0[0x38]
    17:48:46:703 0172 DetectCureTDL3: DRIVER_OBJECT: 86E72D58
    17:48:46:703 0172 KLMD_ReadMem: Trying to ReadMemory 0x86E72D58[0xA8]
    17:48:46:703 0172 KLMD_ReadMem: Trying to ReadMemory 0xE2B0A8C8[0x1E]
    17:48:46:703 0172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (0) addr: A80DA218
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (2) addr: A80DA218
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (3) addr: A80DA23C
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (4) addr: A80DA23C
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (9) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (14) addr: A80DA180
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (15) addr: A80D59E6
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (16) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (22) addr: A80D95F0
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (23) addr: A80D7A6E
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    17:48:46:703 0172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    17:48:46:703 0172 KLMD_ReadMem: Trying to ReadMemory 0xA80D6F26[0x400]
    17:48:46:703 0172 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    17:48:46:703 0172 TDL3_FileDetect: Processing driver: USBSTOR
    17:48:46:703 0172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    17:48:46:703 0172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    17:48:46:734 0172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
    17:48:46:734 0172
    17:48:46:734 0172 DetectCureTDL3: DEVICE_OBJECT: 86F7AC68
    17:48:46:734 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F7AC68
    17:48:46:734 0172 KLMD_ReadMem: Trying to ReadMemory 0x86F7AC68[0x38]
    17:48:46:734 0172 DetectCureTDL3: DRIVER_OBJECT: 86FC0458
    17:48:46:734 0172 KLMD_ReadMem: Trying to ReadMemory 0x86FC0458[0xA8]
    17:48:46:734 0172 KLMD_ReadMem: Trying to ReadMemory 0xE1014FE0[0x18]
    17:48:46:734 0172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (0) addr: F7543BB0
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (2) addr: F7543BB0
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (3) addr: F753DD1F
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (4) addr: F753DD1F
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (9) addr: F753E2E2
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (14) addr: F753E3BB
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (15) addr: F7541F28
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (16) addr: F753E2E2
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (22) addr: F753FC82
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (23) addr: F754499E
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    17:48:46:734 0172 TDL3_FileDetect: Processing driver: Disk
    17:48:46:734 0172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:734 0172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:734 0172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    17:48:46:734 0172
    17:48:46:734 0172 DetectCureTDL3: DEVICE_OBJECT: 86F56C68
    17:48:46:734 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F56C68
    17:48:46:734 0172 KLMD_ReadMem: Trying to ReadMemory 0x86F56C68[0x38]
    17:48:46:734 0172 DetectCureTDL3: DRIVER_OBJECT: 86FC0458
    17:48:46:734 0172 KLMD_ReadMem: Trying to ReadMemory 0x86FC0458[0xA8]
    17:48:46:734 0172 KLMD_ReadMem: Trying to ReadMemory 0xE1014FE0[0x18]
    17:48:46:734 0172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (0) addr: F7543BB0
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (2) addr: F7543BB0
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (3) addr: F753DD1F
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (4) addr: F753DD1F
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (9) addr: F753E2E2
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (14) addr: F753E3BB
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (15) addr: F7541F28
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (16) addr: F753E2E2
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (22) addr: F753FC82
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (23) addr: F754499E
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    17:48:46:734 0172 TDL3_FileDetect: Processing driver: Disk
    17:48:46:734 0172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:734 0172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:734 0172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    17:48:46:734 0172
    17:48:46:734 0172 DetectCureTDL3: DEVICE_OBJECT: 86FD1C68
    17:48:46:734 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FD1C68
    17:48:46:734 0172 KLMD_ReadMem: Trying to ReadMemory 0x86FD1C68[0x38]
    17:48:46:734 0172 DetectCureTDL3: DRIVER_OBJECT: 86FC0458
    17:48:46:734 0172 KLMD_ReadMem: Trying to ReadMemory 0x86FC0458[0xA8]
    17:48:46:734 0172 KLMD_ReadMem: Trying to ReadMemory 0xE1014FE0[0x18]
    17:48:46:734 0172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (0) addr: F7543BB0
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (2) addr: F7543BB0
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (3) addr: F753DD1F
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (4) addr: F753DD1F
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (9) addr: F753E2E2
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (14) addr: F753E3BB
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (15) addr: F7541F28
    17:48:46:734 0172 DetectCureTDL3: IrpHandler (16) addr: F753E2E2
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (22) addr: F753FC82
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (23) addr: F754499E
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    17:48:46:750 0172 TDL3_FileDetect: Processing driver: Disk
    17:48:46:750 0172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:750 0172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:750 0172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    17:48:46:750 0172
    17:48:46:750 0172 DetectCureTDL3: DEVICE_OBJECT: 86F1EC68
    17:48:46:750 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F1EC68
    17:48:46:750 0172 KLMD_ReadMem: Trying to ReadMemory 0x86F1EC68[0x38]
    17:48:46:750 0172 DetectCureTDL3: DRIVER_OBJECT: 86FC0458
    17:48:46:750 0172 KLMD_ReadMem: Trying to ReadMemory 0x86FC0458[0xA8]
    17:48:46:750 0172 KLMD_ReadMem: Trying to ReadMemory 0xE1014FE0[0x18]
    17:48:46:750 0172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (0) addr: F7543BB0
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (2) addr: F7543BB0
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (3) addr: F753DD1F
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (4) addr: F753DD1F
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (9) addr: F753E2E2
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (14) addr: F753E3BB
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (15) addr: F7541F28
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (16) addr: F753E2E2
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (22) addr: F753FC82
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (23) addr: F754499E
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    17:48:46:750 0172 TDL3_FileDetect: Processing driver: Disk
    17:48:46:750 0172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:750 0172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    17:48:46:750 0172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    17:48:46:750 0172
    17:48:46:750 0172 DetectCureTDL3: DEVICE_OBJECT: 86F7BAB8
    17:48:46:750 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F7BAB8
    17:48:46:750 0172 DetectCureTDL3: DEVICE_OBJECT: 86FC5348
    17:48:46:750 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FC5348
    17:48:46:750 0172 DetectCureTDL3: DEVICE_OBJECT: 86F69940
    17:48:46:750 0172 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F69940
    17:48:46:750 0172 KLMD_ReadMem: Trying to ReadMemory 0x86F69940[0x38]
    17:48:46:750 0172 DetectCureTDL3: DRIVER_OBJECT: 86F6A510
    17:48:46:750 0172 KLMD_ReadMem: Trying to ReadMemory 0x86F6A510[0xA8]
    17:48:46:750 0172 KLMD_ReadMem: Trying to ReadMemory 0xE101DD50[0x1A]
    17:48:46:750 0172 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (0) addr: F736A6F2
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (2) addr: F736A6F2
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (3) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (4) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (9) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (14) addr: F736A712
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (15) addr: F7366852
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (16) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (22) addr: F736A73C
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (23) addr: F7371336
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    17:48:46:750 0172 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    17:48:46:750 0172 KLMD_ReadMem: Trying to ReadMemory 0xF7367864[0x400]
    17:48:46:750 0172 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    17:48:46:750 0172 TDL3_FileDetect: Processing driver: atapi
    17:48:46:750 0172 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    17:48:46:750 0172 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
    17:48:46:765 0172 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
    17:48:46:765 0172
    17:48:46:765 0172 Completed
    17:48:46:765 0172
    17:48:46:765 0172 Results:
    17:48:46:765 0172 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    17:48:46:765 0172 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    17:48:46:765 0172 File objects infected / cured / cured on reboot: 0 / 0 / 0
    17:48:46:765 0172
    17:48:46:765 0172 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    17:48:46:765 0172 UtilityDeinit: KLMD(ARK) unloaded successfully

  8. #8
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Make sure to allow Recovery Console installation on this Combofix run.


    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::
    
    File::
    c:\windows\Ltusafonut.dat
    c:\windows\Ktigog.bin
    c:\windows\system32\D455B9E15A.sys
    c:\windows\system32\5AE1B955D4.sys
    
    
    Folder::
    
    Driver::
    
    FCopy::
    c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys
    c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\dllcache\ndis.sys
    c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\$NtServicePackUninstall$\ndis.sys
    
    Registry::
    
    RegLockDel::
    
    MBR::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
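    The CFScript above is a small declarative format: section headers ending in `::` followed by one entry per line. Before such a script is dragged onto ComboFix it is worth listing exactly what it asks for. The parser and reviewer below do that; they are an added example, not ComboFix's own code and not part of the helper's post. Only the section headers and the `source | destination` FCopy form are taken from the script above; everything else about the format (how other sections are interpreted, the "known-good cache" heuristic for FCopy sources) is an assumption made for this example. The embedded sample is the script from the post, reproduced as constructed input.

```python
"""Summarize a ComboFix CFScript before it is run.

Added example; not ComboFix code and not from the original post. The section
headers and the ``source | destination`` FCopy form come from the script in the
post above. Everything else about the format here is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A section header is a bare word followed by "::" (e.g. "File::").
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")

# Sections whose entries are plain lists, mapped to CFScript attribute names.
LIST_SECTIONS = {
    "file": "files", "folder": "folders", "driver": "drivers",
    "registry": "registry", "reglockdel": "reglockdel", "mbr": "mbr",
}

# Assumed heuristic: sources under these Windows caches count as known-good.
KNOWN_GOOD_CACHES = ("\\servicepackfiles\\", "\\dllcache\\")

# Constructed sample input: the CFScript from the post above, verbatim.
SAMPLE_SCRIPT = r"""
KillAll::

File::
c:\windows\Ltusafonut.dat
c:\windows\Ktigog.bin
c:\windows\system32\D455B9E15A.sys
c:\windows\system32\5AE1B955D4.sys

Folder::

Driver::

FCopy::
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\dllcache\ndis.sys
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\$NtServicePackUninstall$\ndis.sys

Registry::

RegLockDel::

MBR::
"""


@dataclass
class CFScript:
    kill_all: bool = False
    files: list[str] = field(default_factory=list)
    folders: list[str] = field(default_factory=list)
    drivers: list[str] = field(default_factory=list)
    fcopy: list[tuple[str, str]] = field(default_factory=list)
    registry: list[str] = field(default_factory=list)
    reglockdel: list[str] = field(default_factory=list)
    mbr: list[str] = field(default_factory=list)
    unknown: dict[str, list[str]] = field(default_factory=dict)


def parse_cfscript(text: str) -> CFScript:
    """Split the script into sections; an entry before any header is an error."""
    script = CFScript()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if section == "killall":
                script.kill_all = True
            continue
        if section is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if section == "fcopy":
            # FCopy lines are "source | destination"; anything else is malformed.
            if "|" not in line:
                raise ValueError(f"FCopy entry needs 'source | destination': {line!r}")
            src, dst = (part.strip() for part in line.split("|", 1))
            script.fcopy.append((src, dst))
        elif section in LIST_SECTIONS:
            getattr(script, LIST_SECTIONS[section]).append(line)
        else:
            # Unknown section, or a stray entry under KillAll: keep it visible.
            script.unknown.setdefault(section, []).append(line)
    return script


def review(script: CFScript) -> list[str]:
    """Plain-language list of the actions the script requests, plus cautions."""
    notes: list[str] = []
    if script.kill_all:
        notes.append("KillAll: stop running processes first")
    notes += [f"delete file: {p}" for p in script.files]
    notes += [f"delete folder: {p}" for p in script.folders]
    notes += [f"remove driver: {d}" for d in script.drivers]
    for src, dst in script.fcopy:
        notes.append(f"copy: {src} -> {dst}")
        # Replacing a live driver from anywhere but a Windows file cache
        # deserves a second look (assumed heuristic).
        if "\\system32\\drivers\\" in dst.lower() and not any(
            c in src.lower() for c in KNOWN_GOOD_CACHES
        ):
            notes.append(f"  caution: {dst} replaced from non-cache source {src}")
    notes += [f"registry entry: {r}" for r in script.registry]
    notes += [f"unlock/delete key: {r}" for r in script.reglockdel]
    notes += [f"MBR entry: {m}" for m in script.mbr]
    for name, entries in script.unknown.items():
        notes.append(f"unrecognized section {name}:: with {len(entries)} entries")
    return notes


if __name__ == "__main__":
    for note in review(parse_cfscript(SAMPLE_SCRIPT)):
        print(note)
```

    Run as a script it prints one line per requested action; for the sample above that is the KillAll step, four file deletions and three copies of ndis.sys out of the Service Pack cache, with no cautions because every copy source sits under ServicePackFiles. A malformed FCopy line (no `|`) or an entry that appears before any header raises `ValueError` rather than being silently skipped, which is the behaviour you want from anything that vets a script before it touches a live system.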

  9. #9
    Join Date
    Feb 2010
    Posts
    18
    ComboFix 10-02-12.01 - acoles 14/02/2010 18:48:37.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.475 [GMT 0:00]
    Running from: c:\documents and settings\Acoles\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Acoles\Desktop\cfscript.txt

    FILE ::
    "c:\windows\Ktigog.bin"
    "c:\windows\Ltusafonut.dat"
    "c:\windows\system32\5AE1B955D4.sys"
    "c:\windows\system32\D455B9E15A.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Ktigog.bin
    c:\windows\Ltusafonut.dat
    c:\windows\system32\5AE1B955D4.sys
    c:\windows\system32\D455B9E15A.sys

    .
    --------------- FCopy ---------------

    c:\windows\ServicePackFiles\i386\ndis.sys --> c:\windows\system32\drivers\ndis.sys
    c:\windows\ServicePackFiles\i386\ndis.sys --> c:\windows\system32\dllcache\ndis.sys
    c:\windows\ServicePackFiles\i386\ndis.sys --> c:\windows\$NtServicePackUninstall$\ndis.sys
    .
    ((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
    .

    2010-02-08 21:57 . 2010-02-08 21:57 -------- d-----w- c:\program files\Trend Micro
    2010-02-08 21:11 . 2010-02-08 21:11 -------- d-----w- C:\_OTL
    2010-02-08 21:08 . 2010-02-08 21:08 -------- d-----w- c:\program files\ERUNT
    2010-02-06 18:47 . 2010-02-06 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-02-06 18:47 . 2010-02-06 18:47 -------- d-----w- c:\documents and settings\Acoles\Application Data\Office Genuine Advantage
    2010-02-02 11:34 . 2010-02-02 11:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-02-02 11:34 . 2010-02-02 11:34 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
    2010-02-02 11:34 . 2010-02-02 11:34 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-02-02 11:34 . 2010-02-02 11:34 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2010-02-02 11:34 . 2010-02-02 11:34 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-02-02 11:34 . 2010-02-02 11:34 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-02-02 11:34 . 2010-02-14 18:46 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-02-02 11:33 . 2010-02-03 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-02 11:30 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2010-02-02 11:28 . 2001-08-17 13:28 771581 ----a-w- c:\windows\system32\dllcache\winacisa.sys
    2010-02-02 11:27 . 2001-08-17 13:49 24576 ----a-w- c:\windows\system32\dllcache\viairda.sys
    2010-02-02 11:26 . 2001-08-17 22:36 69632 ----a-w- c:\windows\system32\dllcache\umaxu12.dll
    2010-02-02 11:25 . 2001-08-17 22:35 42496 ----a-w- c:\windows\system32\dllcache\tp4res.dll
    2010-02-02 11:24 . 2001-08-17 14:56 172768 ----a-w- c:\windows\system32\dllcache\t2r4disp.dll
    2010-02-02 11:23 . 2001-08-17 13:51 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
    2010-02-02 11:22 . 2001-08-17 22:36 45568 ----a-w- c:\windows\system32\dllcache\smb3w.dll
    2010-02-02 11:21 . 2001-07-21 14:29 161568 ----a-w- c:\windows\system32\dllcache\sgsmusb.sys
    2010-02-02 11:20 . 2001-08-17 14:56 245632 ----a-w- c:\windows\system32\dllcache\s3savmx.dll
    2010-02-02 11:19 . 2001-08-17 12:19 3840 ----a-w- c:\windows\system32\dllcache\rpfun.sys
    2010-02-02 11:18 . 2001-08-17 13:51 16128 ----a-w- c:\windows\system32\dllcache\pscr.sys
    2010-02-02 11:17 . 2001-08-17 12:12 26153 ----a-w- c:\windows\system32\dllcache\pcmlm56.sys
    2010-02-02 11:16 . 2001-08-17 12:20 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
    2010-02-02 11:15 . 2001-08-17 12:50 27936 ----a-w- c:\windows\system32\dllcache\n9i3d.sys
    2010-02-02 11:14 . 2001-08-17 14:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
    2010-02-02 11:13 . 2001-08-17 12:49 22848 ----a-w- c:\windows\system32\dllcache\lwusbhid.sys
    2010-02-02 11:12 . 2008-04-14 01:09 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
    2010-02-02 11:11 . 2001-08-17 14:06 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys
    2010-02-02 11:10 . 2001-08-17 22:36 9759 ----a-w- c:\windows\system32\dllcache\hsf_inst.dll
    2010-02-02 11:09 . 2001-08-17 14:02 8576 ----a-w- c:\windows\system32\dllcache\hidgame.sys
    2010-02-02 11:08 . 2001-08-17 12:12 24618 ----a-w- c:\windows\system32\dllcache\fa410nd5.sys
    2010-02-02 11:07 . 2001-08-17 13:50 144896 ----a-w- c:\windows\system32\dllcache\epcfw2k.sys
    2010-02-02 11:06 . 2001-08-17 22:36 37962 ----a-w- c:\windows\system32\dllcache\divaprop.dll
    2010-02-02 11:05 . 2001-08-17 22:36 27136 ----a-w- c:\windows\system32\dllcache\cyzcoins.dll
    2010-02-02 11:04 . 2001-08-17 14:04 171264 ----a-w- c:\windows\system32\dllcache\camdrv30.sys
    2010-02-02 11:03 . 2001-08-17 12:49 10240 ----a-w- c:\windows\system32\dllcache\atipcxxx.sys
    2010-02-02 11:02 . 2001-08-17 14:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
    2010-02-02 11:02 . 2004-08-04 04:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
    2010-02-02 11:02 . 2004-08-04 04:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
    2010-02-02 11:01 . 2004-08-04 04:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
    2010-02-02 11:01 . 2004-08-04 04:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
    2010-02-02 11:01 . 2004-08-04 04:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
    2010-02-02 11:01 . 2004-08-04 04:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
    2010-02-02 10:55 . 2010-02-02 10:55 -------- d-----w- C:\ERDNT
    2010-02-02 09:57 . 2010-02-02 09:57 -------- d-----w- c:\documents and settings\Acoles\Application Data\Malwarebytes
    2010-02-02 09:57 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-02 09:57 . 2010-02-02 09:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-02 09:57 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-02 09:57 . 2010-02-02 09:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-02 09:16 . 2010-02-02 09:16 -------- d-----w- c:\documents and settings\Acoles\Local Settings\Application Data\Mozilla
    2010-02-01 16:25 . 2010-02-01 16:25 -------- d-----w- C:\$AVG
    2010-02-01 16:23 . 2010-02-01 16:23 -------- d-----w- c:\program files\AVG
    2010-01-31 22:52 . 2010-01-31 22:52 -------- d-----w- c:\documents and settings\Acoles\Local Settings\Application Data\LogMeIn
    2010-01-31 22:52 . 2010-01-31 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
    2010-01-30 22:09 . 2010-01-31 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-01-30 22:02 . 2010-02-01 19:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-30 22:02 . 2010-02-01 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-01-30 22:01 . 2010-01-30 22:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
    2010-01-30 22:00 . 2009-09-28 19:34 47416 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2010-01-30 22:00 . 2009-09-28 19:34 28984 ----a-w- c:\windows\system32\LMIport.dll
    2010-01-30 22:00 . 2009-09-28 19:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2010-01-30 22:00 . 2008-08-11 12:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
    2010-01-30 22:00 . 2009-09-28 19:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
    2010-01-30 22:00 . 2010-02-14 15:58 -------- d-----w- c:\program files\LogMeIn
    2010-01-29 22:08 . 2010-01-30 21:51 -------- d-----w- c:\documents and settings\Acoles\Local Settings\Application Data\Deployment
    2010-01-26 13:43 . 2008-04-13 19:20 182656 ----a-w- c:\windows\system32\dllcache\ndis.sys
    2010-01-17 21:26 . 2010-01-17 21:26 -------- d-----w- c:\windows\system32\LogFiles

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-14 15:58 . 2008-12-08 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-09 17:59 . 2007-06-25 07:50 7100 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-02-02 11:36 . 2006-09-06 10:14 -------- d-----w- c:\program files\Google
    2010-02-02 11:34 . 2010-02-02 11:40 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-02-01 16:24 . 2010-02-02 11:40 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-26 08:27 . 2009-11-20 08:24 79488 ----a-w- c:\documents and settings\Acoles\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-17 20:05 . 2010-01-17 20:05 152576 ----a-w- c:\documents and settings\Acoles\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-05 10:00 . 2004-08-11 16:00 832512 ------w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2004-08-11 16:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2004-08-11 16:00 17408 ------w- c:\windows\system32\corpol.dll
    2009-11-21 15:51 . 2004-08-11 16:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-02 148888]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
    "CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-09-06 26112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-06 98304]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-6 24576]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-02-02 11:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-28 19:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP"= 10426:UDP:SingleClick ICC

    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [02/02/2010 11:34 25608]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [02/02/2010 11:34 161800]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/02/2010 11:34 333192]
    R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/02/2010 11:34 360584]
    R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [02/02/2010 11:34 285392]
    R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [02/02/2010 11:33 5832712]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/08/2008 12:41 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [30/01/2010 22:00 47640]
    R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [02/02/2010 11:34 122376]
    R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [02/02/2010 11:34 30216]
    R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [02/02/2010 11:34 25736]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-14 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-26 08:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6060906
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-14 18:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\H* 2*]
    "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

    [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\H* Ü]
    "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(596)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'explorer.exe'(2972)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\stsystra.exe
    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-14 19:07:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-14 19:07
    ComboFix2.txt 2010-02-14 16:52

    Pre-Run: 10,260,426,752 bytes free
    Post-Run: 10,249,101,312 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 308DDFB64C80E752F5166464912725B6

  10. #10
    Join Date
    Feb 2010
    Posts
    18
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:08:42, on 14/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Creative\Mixer\CTSVolFE.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6060906
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6060906
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1238769866718
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup.local
    O17 - HKLM\Software\..\Telephony: DomainName = workgroup.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup.local
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 10728 bytes

  11. #11
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    How are things?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ==============================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.


    2. Go to the Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases

    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.

  12. #12
    Join Date
    Feb 2010
    Posts
    18
    Still trying to get the Kaspersky scan done. The one I left scanning was lost last night as I think Windows did an auto update and rebooted. The one I have been running today has been going for 5 hours and is only 55%, and it appears to have got stuck. However, it does say 1 threat found and 2 suspicious objects, but I don't think I am going to let this scan complete as it's not progressing past "Driver18.cab in P:\information resources\WIN98".

    There is a lot of data on this laptop as it is synchronized with server data.

    Any ideas?

  13. #13
    Join Date
    Feb 2010
    Posts
    18
    So I stopped it as it was not progressing... Report:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, February 15, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, February 15, 2010 07:02:07
    Records in database: 3504744
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    P:\

    Scan statistics:
    Objects scanned: 179096
    Threats found: 1
    Infected objects found: 0
    Suspicious objects found: 2
    Scan duration: 05:01:41


    File name / Threat / Threats count
    C:\Documents and Settings\Acoles\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

    Scanning stopped by the user.

  14. #14
    Join Date
    Feb 2010
    Posts
    18
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:38:45, on 15/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Creative\Mixer\CTSVolFE.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6060906
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6060906
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1238769866718
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup.local
    O17 - HKLM\Software\..\Telephony: DomainName = workgroup.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup.local
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 10995 bytes
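
    The two HijackThis logs in this thread are read by eye. As an added example (not a tool used in the thread and not part of HijackThis), the Python script below parses the Rn/On entries and pulls out the shapes an analyst checks first: an O3 toolbar whose CLSID has no file behind it, an O4 Run value that is a bare filename resolved through PATH instead of a full path, an O10 LSP that HijackThis does not recognise, an O16 DPF control with neither a name nor a source URL, and any O20 Winlogon Notify DLL. The rules are heuristics on the log format only; a hit is a line to look up, not a verdict. The sample lines are copied from the 15/02/2010 log above; the function names and reason strings are this example's own.

```python
"""Triage helper for HijackThis logs: pull out the entries an analyst checks
first. Heuristics on the log format only; a hit means "look this up", not
"malicious". Added example, not a tool used in the thread or part of HijackThis."""
import re

# HijackThis prints one entry per line: "<section> - <body>", e.g.
#   O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*)$")

# A launch target we treat as fully qualified: drive letter, %ENV% root, or UNC.
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\|\\\\)")

# O16 DPF entry that carries a CLSID but neither a display name nor a source URL.
ORPHAN_DPF_RE = re.compile(r"\}\s*-\s*$")

# Constructed sample: a subset of lines copied from the 15/02/2010 log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""


def parse_entries(text):
    """Yield (section, body) for every line that looks like a HijackThis entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def extract_o4_target(body):
    """Return the launch target of an O4 Run entry (quotes stripped, arguments
    dropped). Global Startup .lnk lines use a different shape and give None."""
    if body.startswith("Global Startup:"):
        return None
    m = re.search(r"\]\s*(.*)$", body)
    if not m:
        return None
    rest = m.group(1).strip()
    if not rest:
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split()[0]


def triage(text):
    """Return [(section, reason, body), ...] in log order for entries worth a look."""
    findings = []
    for sec, body in parse_entries(text):
        if sec == "O3" and "(no file)" in body:
            findings.append((sec, "toolbar CLSID registered but no DLL on disk", body))
        elif sec == "O4":
            target = extract_o4_target(body)
            if target and not ABS_PATH_RE.match(target):
                findings.append((sec, "Run value is a bare filename resolved via PATH", body))
        elif sec == "O10":
            findings.append((sec, "Winsock LSP HijackThis does not recognise", body))
        elif sec == "O16" and ORPHAN_DPF_RE.search(body):
            findings.append((sec, "DPF control with no name and no source URL", body))
        elif sec == "O20":
            findings.append((sec, "Winlogon Notify DLL (loaded by winlogon.exe)", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {body}")
```

    On the sample above the script reports five lines, which matches what a helper would pick out of this log by hand: the nameless O3 toolbar, the bare stsystra.exe Run value, the O10 LSP, the O16 CLSID with no URL, and the O20 entry. Each hit still needs to be cross-checked against the rest of the log (avgrsstx.dll, for instance, sits alongside the AVG services listed under O23) before anything is fixed or removed.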

  15. #15
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
