Gerald Leech, posted October 3, 2009 (ID:137195)

From my log below I have an MBR rootkit. Does anyone know how to remove it?

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/02 00:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\eventlog.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Gerry\Application Data\Mozilla\Firefox\Profiles\gbagrzk7.default\prefs.js
Status: Could not get file information (Error 0xc0000008)
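As an added example (not part of the original thread, and not RootRepeal's own code), a small Python parser that pairs RootRepeal's Path/Status lines from a log like the one above and triages them the way a helper does by eye: whether the sector mismatches are confined to the unpartitioned gap behind the MBR, and which locked files are not the ones the kernel always holds open. The excerpt it reads is a constructed cut-down of the posted log, and the first-partition boundary at LBA 63 is an assumption matching a default Windows XP disk layout.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in RootRepeal's "Hidden/Locked Files" format, modelled on
# the log posted above (only three of its sector entries are reproduced).
SAMPLE_LOG = """\
Hidden/Locked Files
-------------------
Path: Volume C:\\
Status: MBR Rootkit Detected!

Path: Volume C:\\, Sector 1
Status: Sector mismatch

Path: Volume C:\\, Sector 3
Status: Sector mismatch

Path: Volume C:\\, Sector 62
Status: Sector mismatch

Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\eventlog.dll
Status: Locked to the Windows API!

Path: C:\\Documents and Settings\\Gerry\\Application Data\\Mozilla\\Firefox\\Profiles\\gbagrzk7.default\\prefs.js
Status: Could not get file information (Error 0xc0000008)
"""

# Assumption: default Windows XP layout, first partition at LBA 63. Sectors 1..62
# are then the unpartitioned gap behind the MBR, which nothing legitimate writes
# to after setup, so mismatches confined to it point at a bootkit's hidden body.
FIRST_PARTITION_LBA = 63

# Files the kernel holds open on any XP system; a lock on these is noise.
EXPECTED_LOCKED = {"c:\\hiberfil.sys", "c:\\pagefile.sys"}

SECTOR_RE = re.compile(r"^Volume [A-Z]:\\, Sector (\d+)$")
ERROR_RE = re.compile(r"\(Error (0x[0-9a-fA-F]+)\)")


@dataclass
class RootRepealFindings:
    mbr_rootkit: bool = False
    mismatched_sectors: list = field(default_factory=list)
    locked_files: list = field(default_factory=list)
    errors: list = field(default_factory=list)  # (path, error code or status)


def parse_rootrepeal(text: str) -> RootRepealFindings:
    """Pair every 'Path:' line with the 'Status:' line that follows it."""
    findings = RootRepealFindings()
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Path: "):
            path = line[len("Path: "):]
            continue
        if not line.startswith("Status: ") or path is None:
            continue
        status = line[len("Status: "):]
        sector = SECTOR_RE.match(path)
        if status == "MBR Rootkit Detected!":
            findings.mbr_rootkit = True
        elif status == "Sector mismatch" and sector:
            findings.mismatched_sectors.append(int(sector.group(1)))
        elif status.startswith("Locked to the Windows API"):
            findings.locked_files.append(path)
        else:
            err = ERROR_RE.search(status)
            findings.errors.append((path, err.group(1) if err else status))
        path = None
    return findings


def triage(findings: RootRepealFindings) -> dict:
    """Reduce raw findings to the points a helper acts on when reading the log."""
    gap = [s for s in findings.mismatched_sectors if 0 < s < FIRST_PARTITION_LBA]
    beyond = [s for s in findings.mismatched_sectors if s >= FIRST_PARTITION_LBA]
    # A system DLL locked against the Windows API deserves a second look;
    # in the posted log that is eventlog.dll, which the thread goes on to replace.
    suspicious = [p for p in findings.locked_files if p.lower() not in EXPECTED_LOCKED]
    return {
        "mbr_rootkit": findings.mbr_rootkit,
        "gap_sector_mismatches": len(gap),
        "partition_sector_mismatches": len(beyond),
        "suspicious_locked_files": suspicious,
        "unreadable": [p for p, _ in findings.errors],
    }


if __name__ == "__main__":
    print(triage(parse_rootrepeal(SAMPLE_LOG)))
```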
screen317 (Staff), posted October 4, 2009 (ID:137670)

Hi,

Please download mbr.exe from here, and save it to your Desktop. Do not run it yet.

Next, navigate to Start --> Run, and enter the following command:

"%userprofile%\desktop\mbr.exe" -f

Press Enter. The tool will run; post the contents of its log when it finishes.

Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please download The Avenger2 by Swandog46.
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll

Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running MBAM.

-screen317
Gerald Leech (Author), posted October 5, 2009 (ID:138159)

Thanks for the reply -screen317

mbr log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

avenger log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
Gerald Leech (Author), posted October 5, 2009 (ID:138165)

Hoorahh, it runs! Here's the log.

Malwarebytes' Anti-Malware 1.41
Database version: 2908
Windows 5.1.2600 Service Pack 3

5/10/2009 5:49:45 PM
mbam-log-2009-10-05 (17-49-37).txt

Scan type: Quick Scan
Objects scanned: 119172
Time elapsed: 10 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 69

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\malwareremovalbot\(default) (Rogue.MalwareRemovalBot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38 (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> No action taken.
C:\Program Files\Adware Away (Rogue.AdwareAway) -> No action taken.
C:\Program Files\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> No action taken.

Files Infected:
C:\Program Files\Uninstall Fun Web Products.dll (Adware.MyWebSearch) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Log\2009 Sep 19 - 02_40_50 PM_609.log (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Log\2009 Sep 19 - 04_29_01 PM_359.log (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Log\2009 Sep 19 - 05_38_51 PM_781.log (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Log\2009 Sep 19 - 06_25_39 PM_281.log (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Log\2009 Sep 19 - 06_32_48 PM_890.log (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Log\2009 Sep 19 - 07_25_49 PM_703.log (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Log\2009 Sep 20 - 03_00_00 AM_312.log (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Log\2009 Sep 20 - 03_00_00 AM_953.log (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\0.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\0.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\1.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\1.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\10.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\10.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\11.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\11.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\12.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\12.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\13.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\13.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\14.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\14.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\15.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\15.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\16.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\16.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\17.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\17.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\18.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\18.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\19.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\19.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\2.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\2.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\20.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\20.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\21.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\21.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\22.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\22.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\23.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\23.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\24.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\24.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\25.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\25.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\3.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\3.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\4.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\4.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\5.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\5.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\6.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\6.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\7.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\7.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\8.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\8.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\9.qit (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\Application Data\MalwareRemovalBot\Quarantine\19-09-2009-17-41-38\9.qnf (Rogue.MalwareRemovalBot) -> No action taken.
C:\Program Files\Adware Away\overall.log (Rogue.AdwareAway) -> No action taken.
C:\Program Files\Adware Away\process.tmp (Rogue.AdwareAway) -> No action taken.
C:\Program Files\Adware Away\service.tmp (Rogue.AdwareAway) -> No action taken.
C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe (Rogue.MalwareRemovalBot) -> No action taken.
C:\Documents and Settings\Gerry\results.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> No action taken.
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> No action taken.
Gerald Leech (Author), posted October 5, 2009 (ID:138168)

Here's the HijackThis log too.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:44 PM, on 5/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NetComm\Common\RegistryWriter.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\Program Files\Nokia\PC Internet Access\NPCIA.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\NetComm\Common\RaUI.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclToBTSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\1Malwarebytes' Anti-Malware6\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\1Trend Micro\HijackThis1\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso0.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\1Malwarebytes' Anti-Malware6\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Gerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [NokiaPCInternetAccess] "C:\Program Files\Nokia\PC Internet Access\NPCIA.exe" /b
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [Google Update] "C:\Documents and Settings\Gerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [NokiaPCInternetAccess] "C:\Program Files\Nokia\PC Internet Access\NPCIA.exe" /b (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot (User '?')
O4 - Global Startup: NetComm Wireless Utility.lnk = C:\Program Files\NetComm\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1224119822453
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AU - Unknown owner - C:\DOCUME~1\Gerry\LOCALS~1\Temp\AU.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\bpslzqvn\bpslzqvn.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c9e5d46c404ab0) (gupdate1c9e5d46c404ab0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KJDXDKLPILSK - Unknown owner - C:\DOCUME~1\Gerry\LOCALS~1\Temp\KJDXDKLPILSK.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MIMI - Unknown owner - C:\DOCUME~1\Gerry\LOCALS~1\Temp\MIMI.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\NetComm\Common\RegistryWriter.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 13476 bytes
screen317 (Staff), posted October 6, 2009 (ID:138672)

Hi,

Update MBAM, run a Quick Scan, and post its log. Have it remove everything it finds before you post the log.

Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317
Gerald Leech (Author), posted October 6, 2009 (ID:138701)

Malwarebytes' Anti-Malware 1.41
Database version: 2914
Windows 5.1.2600 Service Pack 3

6/10/2009 10:39:36 PM
mbam-log-2009-10-06 (22-39-36).txt

Scan type: Quick Scan
Objects scanned: 119342
Time elapsed: 11 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Gerald Leech (Author), posted October 6, 2009, ID:138703

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:42 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NetComm\Common\RegistryWriter.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\00THotkey.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\PC Internet Access\NPCIA.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclToBTSrv.exe
C:\Program Files\NetComm\Common\RaUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ARLT\ARLT8.0\Lifestyle Options.exe
C:\Program Files\1Trend Micro\HijackThis1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso0.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\1Malwarebytes' Anti-Malware6\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Gerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [NokiaPCInternetAccess] "C:\Program Files\Nokia\PC Internet Access\NPCIA.exe" /b
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [Google Update] "C:\Documents and Settings\Gerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [NokiaPCInternetAccess] "C:\Program Files\Nokia\PC Internet Access\NPCIA.exe" /b (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe (User '?')
O4 - Global Startup: NetComm Wireless Utility.lnk = C:\Program Files\NetComm\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1224119822453
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AU - Unknown owner - C:\DOCUME~1\Gerry\LOCALS~1\Temp\AU.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\bpslzqvn\bpslzqvn.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c9e5d46c404ab0) (gupdate1c9e5d46c404ab0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KJDXDKLPILSK - Unknown owner - C:\DOCUME~1\Gerry\LOCALS~1\Temp\KJDXDKLPILSK.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MIMI - Unknown owner - C:\DOCUME~1\Gerry\LOCALS~1\Temp\MIMI.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\NetComm\Common\RegistryWriter.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 13107 bytes
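The O23 entries in a HijackThis log are Windows services, and the ones worth a second look are easy to state as rules: "Unknown owner" means the image file carries no company name in its version resource, an image running out of the user's Temp directory has no business being a service, and a service whose name is a random letter string or simply its own file name (AU, MIMI, KJDXDKLPILSK) is a pattern benign installers rarely produce. The script below is an added example, not HijackThis code; the sample lines are copied from the log above and the scoring weights are this editor's heuristics. A hit is a lead for investigation, not a verdict: CSIScanner scores for its unknown owner plus a random-looking folder, yet the ComboFix log later in the thread shows a PrevxCSI folder created minutes before bpslzqvn on the same day, and Prevx is known to install into a randomly named directory, so it most likely belongs to the scanner the user ran rather than to the infection.

```python
"""Triage HijackThis O23 (service) entries for rogue-service indicators.

Added example for this thread, not HijackThis code. SAMPLE_O23 is copied
from the log above; the scoring rules and weights are the author's heuristics.
"""
import re

SAMPLE_O23 = r"""
O23 - Service: AU - Unknown owner - C:\DOCUME~1\Gerry\LOCALS~1\Temp\AU.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\bpslzqvn\bpslzqvn.exe
O23 - Service: Google Update Service (gupdate1c9e5d46c404ab0) (gupdate1c9e5d46c404ab0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KJDXDKLPILSK - Unknown owner - C:\DOCUME~1\Gerry\LOCALS~1\Temp\KJDXDKLPILSK.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: MIMI - Unknown owner - C:\DOCUME~1\Gerry\LOCALS~1\Temp\MIMI.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
""".strip()

O23_PREFIX = "O23 - Service: "
_SHORT_NAME = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()]+)\)$")
VOWELS = set("aeiouy")


def parse_o23(line):
    """Split 'O23 - Service: Display (Short) - Owner - Path' into its fields, or None."""
    if not line.startswith(O23_PREFIX):
        return None
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)   # path and owner never contain ' - '
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = _SHORT_NAME.match(display)
    return {"display": display, "name": m.group("short") if m else display,
            "owner": owner, "path": path}


def looks_random(token):
    """Letters-only token of 8+ chars with almost no vowels, e.g. KJDXDKLPILSK or bpslzqvn."""
    if len(token) < 8 or not token.isalpha():
        return False
    return sum(ch.lower() in VOWELS for ch in token) / len(token) < 0.15


def score_service(svc):
    """Return (score, reasons) from the heuristics; weights are the author's choice."""
    reasons = []
    path = svc["path"]
    lower = path.lower()
    if svc["owner"] == "Unknown owner":
        reasons.append(("no company name in file version info", 2))
    if "\\temp\\" in lower or "\\locals~1\\" in lower or "\\local settings\\" in lower:
        reasons.append(("image runs from a user temp/profile directory", 3))
    parent = path.rsplit("\\", 2)[-2] if path.count("\\") >= 2 else ""
    if looks_random(svc["name"]) or looks_random(parent):
        reasons.append(("random-looking service or folder name", 1))
    exe_base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if svc["name"].lower() == exe_base.lower() and svc["name"] == svc["display"]:
        reasons.append(("service named after its own executable", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(text, threshold=3):
    """[(score, name, path, reasons)] for entries at or above threshold, highest score first."""
    hits = []
    for line in text.splitlines():
        svc = parse_o23(line.strip())
        if svc is None:
            continue
        score, reasons = score_service(svc)
        if score >= threshold:
            hits.append((score, svc["name"], svc["path"], reasons))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return hits


if __name__ == "__main__":
    for score, name, path, reasons in triage(SAMPLE_O23):
        print(f"[{score}] {name:<14} {path}\n      " + "; ".join(reasons))
```

Run against the sample, the three Temp-directory services come out on top and every vendor-signed entry stays below the threshold; LVPrcSrv picks up a single point for its vowel-free name and is correctly left alone, which is why the rules are weighted rather than any one of them being decisive. The same three services reappear in the ComboFix report further down as R3 entries marked [x], the marker ComboFix uses when it cannot find the image file.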
Gerald Leech (Author), posted October 6, 2009, ID:138709

ComboFix 09-10-05.01 - Gerry 06/10/2009 22:57.1.2 - NTFSx86
Running from: c:\documents and settings\Gerry\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Gerry\LOCALS~1\Temp\1.wmv
c:\program files\Smart-Shopper
c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
c:\program files\Smart-Shopper\cs\antiphishing\antiphishing.html
c:\program files\Smart-Shopper\cs\antiphishing\phishAlert.gif
c:\program files\Smart-Shopper\cs\antiphishing\x.gif
c:\program files\Smart-Shopper\cs\antiphishing\xActive.gif
c:\program files\Smart-Shopper\Uninst.exe
c:\windows\appverespp.drv
c:\windows\Installer\45c811d7.msp
c:\windows\system32\Ijl11.dll
D:\install.exe
G:\autorun.inf
G:\install.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.
2009-10-06 06:16 . 2009-10-06 06:16 -------- d-----w- c:\program files\Meta Tags Retriever
2009-10-06 05:56 . 2009-10-06 06:14 -------- d-----w- c:\program files\Easy Submit Website
2009-10-05 06:55 . 2009-10-05 06:55 -------- d-----w- c:\program files\1Trend Micro
2009-10-05 06:37 . 2009-10-05 06:49 -------- d-----w- c:\program files\1Malwarebytes' Anti-Malware6
2009-10-03 11:44 . 2009-10-03 11:44 -------- d-----w- c:\program files\1Malwarebytes' Anti-Malware5
2009-10-03 11:30 . 2009-10-03 11:27 123904 ----a-w- c:\documents and settings\Gerry\MbrFix.exe
2009-10-03 08:35 . 2009-10-03 08:35 -------- d-----w- c:\program files\bpslzqvn
2009-10-03 08:29 . 2009-10-03 08:29 -------- d-----w- c:\program files\PrevxCSI
2009-10-03 07:51 . 2009-10-03 07:51 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-10-03 07:51 . 2009-10-03 07:51 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-10-03 07:51 . 2009-10-03 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-02 11:57 . 2009-10-02 11:57 -------- d-----w- c:\program files\1Malwarebytes' Anti-Malware4
2009-10-02 07:00 . 2009-10-02 07:00 -------- d-----w- c:\program files\Sophos
2009-10-01 13:15 . 2009-10-01 13:16 -------- d-----w- c:\program files\1Malwarebytes' Anti-Malware3
2009-09-29 20:44 . 2009-09-29 20:44 -------- d-----w- c:\program files\Market Samurai
2009-09-27 17:03 . 2009-09-27 17:05 -------- d-----w- c:\program files\1Malwarebytes' Anti-Malware2
2009-09-25 07:16 . 2009-09-25 07:16 -------- d-----w- c:\documents and settings\Gerry\Local Settings\Application Data\Yahoo!
2009-09-23 13:44 . 2009-09-23 13:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-09-23 13:41 . 2009-09-23 13:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{5A76C6B3-3FA8-46D0-AA81-62C3805E38BC}
2009-09-20 15:31 . 2009-09-20 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\GRETECH
2009-09-20 08:10 . 2009-09-20 08:10 61440 ----a-w- c:\windows\system32\ScanAtStartup.dll
2009-09-20 08:03 . 2009-09-20 08:03 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-20 07:56 . 2009-03-13 20:48 5120 ----a-w- c:\windows\system32\drivers\Start1Driver.SYS
2009-09-20 07:34 . 2009-09-20 07:34 -------- d-----w- C:\!KillBox
2009-09-20 07:02 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 07:02 . 2009-09-27 16:56 -------- d-----w- c:\program files\1Malwarebytes' Anti-Malware
2009-09-20 07:02 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-20 06:19 . 2009-09-20 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-09-20 05:19 . 2009-09-20 05:19 -------- d-----w- c:\documents and settings\Gerry\Application Data\Avira
2009-09-19 08:36 . 2009-05-08 04:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2009-09-19 08:36 . 2009-03-30 00:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-19 08:36 . 2009-02-24 03:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys
2009-09-19 08:36 . 2009-02-13 02:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-19 08:36 . 2009-02-13 02:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-19 08:36 . 2009-09-19 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-19 08:36 . 2009-09-19 08:36 -------- d-----w- c:\program files\Avira
2009-09-19 08:23 . 2009-09-19 08:23 -------- d-----w- c:\windows\system32\Search
2009-09-19 07:15 . 2009-10-03 11:48 -------- d-----w- c:\program files\Trend Micro
2009-09-19 03:49 . 2009-09-27 17:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 03:44 . 2009-09-19 03:44 -------- d-----w- c:\documents and settings\Gerry\Local Settings\Application Data\Apple_Inc
2009-09-19 03:41 . 2009-09-19 03:41 -------- d-----w- c:\documents and settings\Gerry\Application Data\Malwarebytes
2009-09-19 03:41 . 2009-09-19 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 02:49 . 2000-01-23 20:01 453632 ----a-w- c:\windows\system32\stdvcl40.dll
2009-09-19 02:49 . 2009-09-19 02:50 -------- d-----w- c:\program files\Web CEO
2009-09-17 07:30 . 2009-09-17 07:30 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 08:09 . 2009-09-11 08:09 -------- d-----w- c:\documents and settings\Gerry\Local Settings\Application Data\PCHealth
2009-09-08 08:11 . 2009-09-08 08:11 -------- d-----w- c:\documents and settings\Gerry\Local Settings\Application Data\ArchonMedia
2009-09-08 08:10 . 2009-09-08 08:10 -------- d-----w- c:\program files\CommentKahuna
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 12:06 . 2009-06-29 07:56 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-05 08:04 . 2009-08-12 11:55 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-05 07:03 . 2009-09-02 07:21 1687664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-03 08:11 . 2008-11-29 07:43 -------- d-----w- c:\program files\Badongo
2009-09-28 06:27 . 2008-11-19 00:56 -------- d-----w- c:\documents and settings\Gerry\Application Data\Canon
2009-09-27 04:37 . 2009-08-30 04:55 -------- d-----w- c:\documents and settings\Gerry\Application Data\ZoomBrowser EX
2009-09-27 04:14 . 2009-08-30 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-09-25 20:39 . 2009-06-05 11:54 -------- d-----w- c:\program files\Google
2009-09-25 15:11 . 2008-11-14 02:34 -------- d-----w- c:\program files\HyperVRE
2009-09-23 13:45 . 2008-10-16 07:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{1DC85608-1717-479C-A3DD-EB460E4D4F9C}
2009-09-23 13:45 . 2008-10-16 05:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{856E04B3-8FD3-40EB-AE55-65BD0321FC59}
2009-09-23 13:44 . 2008-10-16 05:10 -------- d-----w- c:\program files\Uniblue
2009-09-23 13:39 . 2008-10-16 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-09-20 14:33 . 2009-02-14 13:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-20 07:26 . 2008-11-07 16:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-17 07:27 . 2008-10-16 00:09 -------- d-----w- c:\documents and settings\Gerry\Application Data\Skype
2009-09-17 07:27 . 2008-10-16 00:10 -------- d-----w- c:\documents and settings\Gerry\Application Data\skypePM
2009-09-16 14:01 . 2008-10-20 13:55 2035 ----a-w- c:\documents and settings\Gerry\Application Data\SAS7_000.DAT
2009-09-16 14:00 . 2008-10-16 05:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-16 13:06 . 2009-04-12 13:06 -------- d-----w- c:\program files\PokerStars
2009-09-16 07:35 . 2008-10-16 08:33 -------- d-----w- c:\documents and settings\Gerry\Application Data\uTorrent
2009-09-09 17:09 . 2008-10-16 01:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 08:35 . 2008-10-28 09:23 -------- d-----w- c:\program files\IncredibleCharts
2009-09-02 17:39 . 2009-09-02 17:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\Smart-Shopper
2009-09-01 01:56 . 2009-08-18 07:38 -------- d-----w- c:\documents and settings\Gerry\Application Data\vlc
2009-08-31 12:17 . 2009-08-17 13:15 -------- d-----w- c:\program files\WebsiteContentWizard
2009-08-30 05:06 . 2009-08-30 05:06 -------- d-----w- c:\documents and settings\Gerry\Application Data\HDRsoft
2009-08-30 04:45 . 2008-11-18 21:43 -------- d-----w- c:\program files\Canon
2009-08-30 04:41 . 2009-02-15 12:04 -------- d-----w- c:\program files\Common Files\Canon
2009-08-30 04:22 . 2009-08-30 04:22 -------- d-----w- c:\program files\PhotomatixPro3
2009-08-29 02:45 . 2009-08-29 01:22 -------- d-----w- c:\program files\Visual Thesaurus 3
2009-08-29 01:22 . 2009-08-29 01:22 -------- d--h--w- c:\program files\Zero G Registry
2009-08-28 08:41 . 2009-08-27 11:08 -------- d-----w- c:\program files\MassArticleCreator
2009-08-27 13:38 . 2009-08-27 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-27 13:26 . 2008-10-21 07:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-27 13:14 . 2009-08-27 13:14 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-27 11:08 . 2009-08-27 11:08 -------- d-----w- c:\program files\Mass Article Submitter
2009-08-26 07:43 . 2009-08-26 07:34 -------- d-----w- c:\program files\Nitro PDF
2009-08-25 08:51 . 2009-08-25 08:49 -------- d-----w- c:\documents and settings\Gerry\Application Data\KompoZer
2009-08-24 11:40 . 2009-08-24 07:46 -------- d-----w- c:\documents and settings\Gerry\Application Data\Nvu
2009-08-24 09:20 . 2009-05-29 07:25 -------- d-----w- c:\program files\DU Meter
2009-08-24 07:45 . 2009-08-24 07:45 -------- d-----w- c:\program files\Nvu
2009-08-22 00:55 . 2008-10-15 23:04 -------- d-----w- c:\program files\ARLT
2009-08-18 08:42 . 2009-08-17 20:37 -------- d-----w- c:\documents and settings\Gerry\Application Data\StrategyOnline
2009-08-18 07:24 . 2009-08-18 07:24 -------- d-----w- c:\documents and settings\Gerry\Application Data\Talkback
2009-08-15 15:37 . 2009-08-15 15:37 -------- d-----w- c:\program files\Seesmic Desktop
2009-08-12 11:55 . 2009-08-12 11:55 -------- d-----w- c:\documents and settings\Gerry\Application Data\Thunderbird
2009-08-10 15:00 . 2009-05-26 13:15 -------- d-----w- c:\documents and settings\Gerry\Application Data\AVS4YOU
2009-08-10 07:35 . 2009-08-10 07:35 -------- d-----w- c:\program files\GNU
2009-08-10 07:27 . 2009-08-10 07:27 -------- d-----w- c:\program files\WMV9_VCM
2009-08-10 07:23 . 2009-05-26 13:13 -------- d-----w- c:\program files\AVS4YOU
2009-08-05 09:01 . 2006-04-04 22:31 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-28 06:33 . 2009-05-17 20:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-17 19:01 . 2006-04-04 22:30 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 00:08 . 2006-04-04 22:31 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 04:30 . 2009-07-09 04:30 4637952 ----a-w- c:\program files\Common Files\lpuninstall.exe
2007-12-17 11:31 . 2008-10-15 22:25 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-02-22 15:38 . 2008-10-15 22:25 125840 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}"= "c:\program files\IsoBuster\tbIso0.dll" [2009-08-26 2215960]

[HKEY_CLASSES_ROOT\clsid\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]
2009-08-26 07:52 2215960 ----a-w- c:\program files\IsoBuster\tbIso0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-04-02 09:50 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}"= "c:\program files\IsoBuster\tbIso0.dll" [2009-08-26 2215960]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{266FCDCA-7BB3-4DA7-B3BF-F845DEA2EBD6}"= "c:\program files\IsoBuster\tbIso0.dll" [2009-08-26 2215960]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Gerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-07 133104]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-08-07 2647064]
"NokiaPCInternetAccess"="c:\program files\Nokia\PC Internet Access\NPCIA.exe" [2008-09-29 536576]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2009-06-30 2893064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2005-06-29 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-08 761947]
"Intel ZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-20 177472]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-14 7340032]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2005-03-01 245760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-20 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\1Malwarebytes' Anti-Malware6\mbam.exe" [2009-09-10 1312080]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-14 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-12-07 315392]
"CFSServ.exe"="CFSServ.exe" [BU]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2009-7-9 4637952]
Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2009-7-9 4637952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NetComm Wireless Utility.lnk - c:\program files\NetComm\Common\RaUI.exe [2009-6-12 1601536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-24 00:49 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IncredibleCharts\\IncredibleCharts.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Quantum Quinn\\Day Bank Station\\daybankstation.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\eMule\\eMule.exe"=

R0 DiagnosticScan;DiagnosticScan; [x]
R2 CSIScanner;CSIScanner;c:\program files\bpslzqvn\bpslzqvn.exe [2009-10-03 927288]
R2 gupdate1c9e5d46c404ab0;Google Update Service (gupdate1c9e5d46c404ab0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-07 133104]
R3 AU;AU;c:\docume~1\Gerry\LOCALS~1\Temp\AU.exe [x]
R3 KJDXDKLPILSK;KJDXDKLPILSK;c:\docume~1\Gerry\LOCALS~1\Temp\KJDXDKLPILSK.exe [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F.tmp [x]
R3 MIMI;MIMI;c:\docume~1\Gerry\LOCALS~1\Temp\MIMI.exe [x]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
R3 ttv400x;TOSHIBA PCI DVB-T/Analog Hybrid Tuner;c:\windows\system32\drivers\ttv400x.sys [2005-09-21 173696]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2009-10-03 22024]
S0 pxsec;pxsec;c:\windows\System32\drivers\pxsec.sys [2009-10-03 27656]
S1 avfwot;avfwot;c:\windows\system32\DRIVERS\avfwot.sys [2009-05-08 97608]
S1 Start1Driver;Start1Driver; [x]
S2 AntiVirFirewallService;Avira Firewall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [2009-05-11 388865]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-05-11 194817]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-05-12 434945]
S2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [2009-08-07 1387544]
S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-02-24 13568]
S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-02-24 33024]
S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\NetComm\Common\RegistryWriter.exe [2008-05-13 69632]
S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [2006-02-24 3456]
S2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\DRIVERS\thdudf.sys [2006-04-19 66944]
S2 TOS_SPS;TOSHIBA SPS Driver;c:\program files\TOSHIBA\TMP2VDec\TOS_SPS.sys [2005-12-21 169216]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys [2009-02-24 69632]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2008-06-10 580096]
S3 ttv500x;TOSHIBA PCI TV Tuner(x86);c:\windows\system32\drivers\ttv500x.sys [2006-07-18 287360]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-05 12:39]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-05 12:39]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-545241005-3319204467-2019157939-1005Core.job
- c:\documents and settings\Gerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-07 12:27]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-545241005-3319204467-2019157939-1005UA.job
- c:\documents and settings\Gerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-07 12:27]

2009-10-05 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]

2009-10-06 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]

2009-10-06 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 09:50]
.
.
------- Supplementary Scan -------
.
uStart Page = 
hxxp://au.yahoo.com/mStart Page = uInternet Settings,ProxyOverride = *.localIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpassIE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillformsLSP: c:\program files\Avira\AntiVir Desktop\avsda.dllFF - ProfilePath - c:\documents and settings\Gerry\Application Data\Mozilla\Firefox\Profiles\gbagrzk7.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://au.yahoo.com/FF - prefs.js: network.proxy.type - 4FF - component: c:\documents and settings\Gerry\Application Data\Mozilla\Firefox\Profiles\gbagrzk7.default\extensions\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}\components\FFExternalAlert.dllFF - component: c:\documents and settings\Gerry\Application Data\Mozilla\Firefox\Profiles\gbagrzk7.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dllFF - plugin: c:\documents and settings\Gerry\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dllFF - plugin: c:\documents and settings\Gerry\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dllFF - plugin: c:\program files\Common-Use Signing Interface\bin\npCsiPlugin.dllFF - plugin: c:\program files\Dassault Systemes\3DVIA Shape\intel_a\code\bin\NPShapePlugin.dllFF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dllFF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dllFF - HiddenExtension: Microsoft .NET Framework 
Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\.- - - - ORPHANS REMOVED - - - -SafeBoot-Wdf01000.sysAddRemove-Smart-Shopper - c:\program files\Smart-Shopper\Uninst.exeAddRemove-Uniblue DriverScanner 2009 - c:\documents and settings\All Users\Application Data\{148D8B8A-8F96-4822-81EC-D510B626B7D5}\DriverScanner_Setup.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-10-06 23:07Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]"ImagePath"="\??\c:\windows\system32\F.tmp".--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]"Enabled"=dword:00000001[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]@Denied: (A 2) 
(Everyone)@="IFlashBroker3"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1660)c:\windows\system32\psqlpwd.dllc:\program files\Protector Suite QL\infra.dllc:\program files\Protector Suite QL\homefus2.dllc:\windows\system32\biologon.dllc:\program files\Protector Suite QL\homepass.dllc:\program files\Protector Suite QL\bio.dllc:\program files\Protector Suite QL\remote.dll- - - - - - - > 'lsass.exe'(1716)c:\windows\system32\psqlpwd.dllc:\program files\Protector Suite QL\infra.dllc:\program files\Protector Suite QL\homefus2.dll- - - - - - - > 'explorer.exe'(2228)c:\windows\system32\WININET.dllc:\windows\system32\Audiodev.dllc:\windows\system32\WMVCore.DLLc:\windows\system32\WMASF.DLLc:\windows\system32\ieframe.dllc:\windows\system32\webcheck.dllc:\windows\system32\TPwrCfg.DLLc:\windows\system32\TPwrReg.dllc:\windows\system32\TPSTrace.DLL.------------------------ Other Running Processes ------------------------.c:\program files\Intel\Wireless\Bin\EvtEng.exec:\program files\Intel\Wireless\Bin\S24EvMon.exec:\windows\system32\agrsmsvc.exec:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Toshiba\ConfigFree\CFSvcs.exec:\windows\system32\DVDRAMSV.exec:\windows\ehome\ehrecvr.exec:\windows\ehome\ehSched.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exec:\windows\ehome\ehrec.exec:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exec:\windows\system32\nvsvc32.exec:\program files\Intel\Wireless\Bin\RegSrvc.exec:\program 
files\SigmaTel\C-Major Audio\WDM\STACSV.EXEc:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exec:\windows\system32\searchindexer.exec:\program files\Canon\CAL\CALMAIN.exec:\windows\system32\searchprotocolhost.exec:\program files\Toshiba\ConfigFree\NDSTray.exec:\windows\system32\TPSBattM.exec:\program files\Synaptics\SynTP\Toshiba.exec:\program files\Toshiba\ConfigFree\CFSServ.exec:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exec:\program files\Toshiba\ConfigFree\CFXFER.exec:\program files\PC Connectivity Solution\ServiceLayer.exec:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exec:\program files\PC Connectivity Solution\Transports\NclRSSrv.exec:\program files\PC Connectivity Solution\Transports\NclToBTSrv.exec:\windows\system32\wscntfy.exec:\windows\system32\searchfilterhost.exe.**************************************************************************.Completion time: 2009-10-06 23:14 - machine was rebootedComboFix-quarantined-files.txt 2009-10-06 12:13Pre-Run: 26,746,802,176 bytes freePost-Run: 27,624,964,096 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /forceresetreg /NoExecute=OptIn410 --- E O F --- 2009-10-05 16:00 Link to post Share on other sites More sharing options...
screen317 (Staff) Posted October 6, 2009 ID:138905

Hi,

I notice you have P2P programs installed. I hope you understand that these programs are the source of all of the infections you accumulated, not to mention the illegality of downloaded cracks/keygens. Please uninstall all P2P programs before continuing.

Next, please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\DRIVERS\avfwot.sys

Post the results in your reply.

Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

File::
c:\windows\system32\F.tmp
c:\docume~1\Gerry\LOCALS~1\Temp\MIMI.exe
c:\docume~1\Gerry\LOCALS~1\Temp\KJDXDKLPILSK.exe
c:\docume~1\Gerry\LOCALS~1\Temp\AU.exe

Driver::
MEMSWEEP2
AU
MIMI
KJDXDKLPILSK
DiagnosticScan
Start1Driver

Folder::
c:\program files\bpslzqvn

Save this as CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317
Gerald Leech (Author) Posted October 7, 2009 ID:139108

Virus total results
Gerald Leech (Author) Posted October 7, 2009 ID:139114

combofix log
c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpassIE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillformsLSP: c:\program files\Avira\AntiVir Desktop\avsda.dllFF - ProfilePath - c:\documents and settings\Gerry\Application Data\Mozilla\Firefox\Profiles\gbagrzk7.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: browser.startup.homepage - hxxp://au.yahoo.com/FF - prefs.js: network.proxy.type - 4FF - component: c:\documents and settings\Gerry\Application Data\Mozilla\Firefox\Profiles\gbagrzk7.default\extensions\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}\components\FFExternalAlert.dllFF - component: c:\documents and settings\Gerry\Application Data\Mozilla\Firefox\Profiles\gbagrzk7.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dllFF - plugin: c:\documents and settings\Gerry\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dllFF - plugin: c:\documents and settings\Gerry\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dllFF - plugin: c:\program files\Common-Use Signing Interface\bin\npCsiPlugin.dllFF - plugin: c:\program files\Dassault Systemes\3DVIA Shape\intel_a\code\bin\NPShapePlugin.dllFF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dllFF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation 
Foundation\DotNetAssistantExtension\.- - - - ORPHANS REMOVED - - - -AddRemove-PCSI - c:\program files\bpslzqvn\bpslzqvn.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-10-07 18:54Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService".--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]"Enabled"=dword:00000001[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]@Denied: (A 2) (Everyone)@="IFlashBroker3"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1656)c:\windows\system32\psqlpwd.dllc:\program files\Protector 
Suite QL\infra.dllc:\program files\Protector Suite QL\homefus2.dllc:\windows\system32\biologon.dllc:\program files\Protector Suite QL\homepass.dllc:\program files\Protector Suite QL\bio.dllc:\program files\Protector Suite QL\remote.dll- - - - - - - > 'lsass.exe'(1712)c:\windows\system32\psqlpwd.dllc:\program files\Protector Suite QL\infra.dllc:\program files\Protector Suite QL\homefus2.dll- - - - - - - > 'explorer.exe'(3020)c:\windows\system32\WININET.dllc:\windows\system32\Audiodev.dllc:\windows\system32\WMVCore.DLLc:\windows\system32\WMASF.DLLc:\windows\system32\ieframe.dllc:\windows\system32\webcheck.dllc:\windows\system32\TPwrCfg.DLLc:\windows\system32\TPwrReg.dllc:\windows\system32\TPSTrace.DLL.------------------------ Other Running Processes ------------------------.c:\program files\Intel\Wireless\Bin\EvtEng.exec:\program files\Intel\Wireless\Bin\S24EvMon.exec:\windows\system32\agrsmsvc.exec:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Toshiba\ConfigFree\CFSvcs.exec:\windows\system32\DVDRAMSV.exec:\windows\ehome\ehrecvr.exec:\windows\ehome\ehSched.exec:\windows\ehome\ehrec.exec:\program files\Java\jre6\bin\jqs.exec:\program files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exec:\windows\system32\nvsvc32.exec:\program files\Intel\Wireless\Bin\RegSrvc.exec:\program files\SigmaTel\C-Major Audio\WDM\STACSV.EXEc:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exec:\windows\system32\searchindexer.exec:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exec:\program files\Canon\CAL\CALMAIN.exec:\windows\system32\searchprotocolhost.exec:\program files\Toshiba\ConfigFree\NDSTray.exec:\program files\Synaptics\SynTP\Toshiba.exec:\program files\Toshiba\ConfigFree\CFSServ.exec:\windows\system32\TPSBattM.exec:\program files\PC Connectivity Solution\ServiceLayer.exec:\program files\PC Connectivity 
Solution\Transports\NclUSBSrv.exec:\program files\PC Connectivity Solution\Transports\NclRSSrv.exec:\program files\PC Connectivity Solution\Transports\NclToBTSrv.exec:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exec:\program files\Toshiba\ConfigFree\CFXFER.exec:\windows\system32\wscntfy.exec:\windows\system32\searchfilterhost.exe.**************************************************************************.Completion time: 2009-10-07 19:00 - machine was rebootedComboFix-quarantined-files.txt 2009-10-07 08:00ComboFix2.txt 2009-10-06 12:14Pre-Run: 27,503,218,688 bytes freePost-Run: 27,493,433,344 bytes free403 --- E O F --- 2009-10-06 16:00 Link to post Share on other sites More sharing options...
Gerald Leech (Author) Posted October 7, 2009 ID:139115

hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:13 PM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NetComm\Common\RegistryWriter.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nokia\PC Internet Access\NPCIA.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\NetComm\Common\RaUI.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclToBTSrv.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\1Trend Micro\HijackThis1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso0.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\1Malwarebytes' Anti-Malware6\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Gerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [NokiaPCInternetAccess] "C:\Program Files\Nokia\PC Internet Access\NPCIA.exe" /b
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [Google Update] "C:\Documents and Settings\Gerry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [NokiaPCInternetAccess] "C:\Program Files\Nokia\PC Internet Access\NPCIA.exe" /b (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray (User '?')
O4 - HKUS\S-1-5-21-545241005-3319204467-2019157939-1005\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe (User '?')
O4 - S-1-5-21-545241005-3319204467-2019157939-1005 Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User '?')
O4 - S-1-5-18 Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User '?')
O4 - .DEFAULT Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Global Startup: NetComm Wireless Utility.lnk = C:\Program Files\NetComm\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1224119822453
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\bpslzqvn\bpslzqvn.exe (file missing)
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c9e5d46c404ab0) (gupdate1c9e5d46c404ab0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\NetComm\Common\RegistryWriter.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 13312 bytes
screen317 (Staff) Posted October 7, 2009 ID:139503

Hi,

If you were using the PrevX CSI Scanner before, please reinstall it.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
Click Start Scanning.
You should get a notification bar (on top) to install the ActiveX control. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
Gerald Leech (Author) Posted October 8, 2009 ID:139786

f-secure log

Scanning Report
Friday, October 9, 2009 23:57:24 - 01:10:27
Computer name: QOSMIO
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ G:\

7 malware found
TrackingCookie.2o7 (spyware)
 * System (Disinfected)
TrackingCookie.Atdmt (spyware)
 * System (Disinfected)
TrackingCookie.Doubleclick (spyware)
 * System (Disinfected)
TrackingCookie.Revsci (spyware)
 * System (Disinfected)
TrackingCookie.Mediaplex (spyware)
 * System (Disinfected)
TrackingCookie.Statcounter (spyware)
 * System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
 * System (Disinfected)

Statistics
Scanned:
 * Files: 82762
 * System: 4745
 * Not scanned: 25
Actions:
 * Disinfected: 7
 * Renamed: 0
 * Deleted: 0
 * Not cleaned: 0
 * Submitted: 0
Files not scanned:
 * C:\HIBERFIL.SYS
 * C:\PAGEFILE.SYS
 * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
 * C:\WINDOWS\SYSTEM32\CONFIG\SAM
 * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
 * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
 * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
 * C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\FBADF956B1F29CD6CC8927434DDBC900\UPDATE\UPDATE.EXE
 * C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\C263092DCCC247F68A43CFEE93ECC72D\UPDATE\UPDATE.EXE
 * C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPSVC.EXE
 * C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
 * C:\RECYCLER\S-1-5-21-545241005-3319204467-2019157939-1005\DC20\DRIVERSCANNER.EXE
 * C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS1\HIJACKTHIS.EXE
 * C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
 * C:\PROGRAM FILES\TREND MICRO\1HIJACKTHIS\HIJACKTHIS.EXE
 * C:\PROGRAM FILES\PREVXCSI\PREVXCSI.EXE
 * C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAM.EXE
 * C:\PROGRAM FILES\1MALWAREBYTES' ANTI-MALWARE5\MBAM.EXE
 * C:\PROGRAM FILES\1MALWAREBYTES' ANTI-MALWARE4\MBAM.EXE
 * C:\PROGRAM FILES\1MALWAREBYTES' ANTI-MALWARE3\MBAM.COM
 * C:\PROGRAM FILES\1MALWAREBYTES' ANTI-MALWARE2\MBAM1.EXE
 * C:\PROGRAM FILES\1MALWAREBYTES' ANTI-MALWARE\MBAM.EXE
 * C:\DOCUMENTS AND SETTINGS\GERRY\LOCAL SETTINGS\TEMP\ETILQS_5G7DF57PTIGCVEYZUOGS
 * C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_1141916478_4980736_33446
 * C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_1141916478_7077888_32465

Options
Scanning engines:
Scanning options:
 * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
 * Use advanced heuristics
Gerald Leech (Author) Posted October 8, 2009 ID:139788

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Avira Premium Security Suite
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
CA Yahoo! Anti-Spy (remove only)
Sophos Anti-Rootkit 1.5.0
HijackThis 2.0.2
Java 6 Update 16
Adobe Flash Player 10
Adobe Reader 9.1.3
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
system32 fsonlinescanner.exe -?-
``````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)
`````````End of Log```````````
Gerald Leech (Author) Posted October 8, 2009 ID:139789

Thank you for all your help sorting this out. Everything that I had noticed was wrong is now fixed, but I have since discovered that when I right-click on the 'My Computer' icon and click Properties I am sent to the My Network Places window and not the My Computer hardware configuration window. Any ideas? I cannot say for sure if this is a new thing or if it is left over from my previous problems.

Gerry
screen317 (Staff) Posted October 10, 2009 ID:140798

Are you sure you're not right-clicking My Network Places instead of My Computer (or maybe someone accidentally renamed it at one point)? Could you post a screenshot of what the icon looks like?

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u
This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Restart your computer and let me know what issues remain.

-screen317
Gerald Leech (Author) Posted October 11, 2009 ID:141250

You were right, I was on the wrong icon. Everything seems fine now, thank you.
screen317 (Staff) Posted October 11, 2009 ID:141525

Hi,

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317
Gerald Leech (Author) Posted October 12, 2009 ID:142047

Thanks for all your help
screen317 (Staff) Posted October 12, 2009 ID:142080

You're welcome. Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.