Help! Malware in winlogon.exe and explorer.exe


Hi there

Never attempted to solve a problem via this kinda method before cos often browsing them has proved helpful! Not this time. I've followed your step by step guide to get logs of what's going on so here goes.

AVG is flagging explorer.exe and winlogon.exe as infected with Win32/Patched.Fr and Win32/Patched.Fs. I'm also getting Google redirected to Gala, and Mozilla Thunderbird and iTunes seem to have been shot down as well. I've run Spybot S&D, Malwarebytes, Housecall, etc. but nothing seems to be able to get to the heart of it, particularly I guess cos these are critical system files. It almost sounds like I know what I'm talking about there...

Any help, all help, sincerely appreciated and best explained in simple terms every step of the way. I'm at the end of my tether! Thanks in advance.

Malware Log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5012

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

08/11/2010 14:58:49

mbam-log-2010-11-08 (14-58-49).txt

Scan type: Quick scan

Objects scanned: 158227

Time elapsed: 20 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\watermark.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Microsoft\watermark.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Here's the DDS bit:

DDS (Ver_10-11-08.01) - NTFSx86

Run by Nick at 18:10:14.54 on 08/11/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1058 [GMT 0:00]

AV: Smart Engine *On-access scanning enabled* (Updated) {57A7B0DC-CE10-47BD-B77B-3DD48B93DAED}

AV: AVG Anti-Virus 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Smart Engine *enabled* {92C36DC1-2E4D-425F-B3AE-66AACFD23545}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\WINDOWS\system32\TCtrlIOHook.exe

C:\WINDOWS\system32\TDispVol.exe

C:\WINDOWS\system32\ZoomingHook.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Synaptics\SynTP\SynToshiba.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Nick\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

svchost.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\TODDSrv.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\AVG\AVG10\avgam.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\AVG\AVG10\avgemcx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Nick\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

mStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - No File

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [Google Update] "c:\documents and settings\nick\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe

mRun: [sVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL

mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe

mRun: [TPSMain] TPSMain.exe

mRun: [TCtryIOHook] TCtrlIOHook.exe

mRun: [TDispVol] TDispVol.exe

mRun: [Zooming] ZoomingHook.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [NDSTray.exe] NDSTray.exe

mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [uSBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\nick\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\nick\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\nick\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: hsbc.co.uk\www

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.5.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} - hxxps://bis.eu.blackberry.com/html/web/client_tools/TOImport.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

IFEO: image file execution options - svchost.exe

Hosts: 74.125.45.100 4-open-davinci.com

Hosts: 74.125.45.100 securitysoftwarepayments.com

Hosts: 74.125.45.100 privatesecuredpayments.com

Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]

R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-7 517448]

S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\drivers\tpchoice.sys --> c:\windows\system32\drivers\TpChoice.sys [?]

S3 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2010-9-29 582424]

=============== Created Last 30 ================

2010-11-08 13:21:49 -------- d--h--w- c:\windows\PIF

2010-11-08 12:52:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-11-07 20:57:13 -------- d--h--w- C:\$AVG

2010-11-07 20:56:16 -------- d-----w- c:\docume~1\nick\applic~1\AVG10

2010-11-07 20:47:38 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2010-11-07 20:47:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

2010-11-07 20:46:06 -------- d-----w- c:\windows\system32\drivers\AVG

2010-11-07 20:46:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2010-11-07 20:44:51 -------- d-----w- c:\program files\AVG

2010-11-07 20:39:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

2010-11-07 20:34:54 -------- d-----w- c:\program files\TweetDeck

2010-11-07 12:38:08 -------- d-----w- c:\docume~1\nick\applic~1\Ybsyo

2010-11-07 12:38:08 -------- d-----w- c:\docume~1\nick\applic~1\Adihc

2010-11-07 05:59:38 -------- d-----w- c:\program files\temp

2010-11-06 13:20:31 -------- d-----w- c:\docume~1\nick\applic~1\Duweo

2010-11-06 13:20:31 -------- d-----w- c:\docume~1\nick\applic~1\Apup

2010-11-06 10:28:45 -------- d-----w- c:\docume~1\nick\applic~1\Ugwyi

2010-11-06 10:28:45 -------- d-----w- c:\docume~1\nick\applic~1\Loxyle

2010-11-05 15:29:37 -------- d-----w- c:\docume~1\nick\applic~1\Povut

2010-11-05 15:29:37 -------- d-----w- c:\docume~1\nick\applic~1\Lawu

2010-11-02 15:52:25 -------- d-----w- c:\docume~1\nick\applic~1\Cebeqo

2010-11-02 15:52:19 -------- d-----w- c:\program files\windows

2010-11-01 14:34:39 -------- d-----w- c:\docume~1\nick\applic~1\Ymobis

2010-11-01 12:34:02 -------- d-----w- c:\docume~1\nick\applic~1\Malwarebytes

2010-11-01 12:33:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-01 12:33:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-01 12:33:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 12:33:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-01 09:28:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\FrontLine Registry Cleaner

2010-10-30 17:18:48 -------- d-----w- c:\program files\Frontline Registry Cleaner

2010-10-30 16:31:46 -------- d-----w- c:\program files\common files\ParetoLogic

2010-10-30 16:31:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic

2010-10-30 16:31:45 -------- d-----w- c:\program files\common files\XoftSpySE

2010-10-30 16:31:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE

2010-10-30 16:31:38 -------- d-----w- c:\program files\XoftSpySE6

2010-10-30 16:20:20 -------- d-----w- c:\docume~1\nick\locals~1\applic~1\Threat Expert

2010-10-30 15:32:58 -------- d-sh--w- c:\docume~1\nick\applic~1\Smart Engine

2010-10-30 15:32:57 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\SMGFE

2010-10-30 15:32:29 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\842305

2010-10-30 15:11:41 -------- d-----w- c:\docume~1\nick\locals~1\applic~1\Temp

2010-10-30 15:11:39 -------- d-----w- c:\docume~1\nick\locals~1\applic~1\Google

2010-10-30 15:11:27 -------- d-----w- c:\docume~1\nick\locals~1\applic~1\Deployment

2010-10-30 14:48:03 -------- d-----w- c:\docume~1\nick\locals~1\applic~1\AskToolbar

2010-10-30 14:42:45 -------- d-----w- c:\program files\Ask.com

2010-10-30 14:42:23 -------- d-----w- c:\program files\Glary Registry Repair

2010-10-30 14:42:23 -------- d-----w- c:\docume~1\nick\applic~1\GlarySoft

2010-10-30 14:39:54 -------- d-----w- c:\docume~1\nick\applic~1\ElevatedDiagnostics

2010-10-30 11:45:51 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-10-30 11:45:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-10-30 11:44:50 -------- d-----w- c:\program files\CCleaner

2010-10-29 19:33:53 -------- d-----w- c:\program files\tmp

2010-10-29 17:26:20 -------- d-----w- c:\program files\iPod

2010-10-29 17:21:32 -------- d-----w- c:\program files\Bonjour

2010-10-27 16:19:04 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys

2010-10-27 16:19:04 51200 ----a-w- c:\windows\system32\drivers\msdv.sys

2010-10-27 16:19:00 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys

2010-10-27 16:19:00 38912 ----a-w- c:\windows\system32\drivers\avc.sys

2010-10-27 16:18:57 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys

2010-10-27 16:18:57 48128 ----a-w- c:\windows\system32\drivers\61883.sys

2010-10-15 15:18:00 -------- d-----w- c:\docume~1\nick\applic~1\Dropbox

2010-10-13 09:12:23 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-13 09:12:23 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2010-10-13 09:12:23 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-13 09:12:16 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 18:10:37.73 ===============

DeFogger just told me this:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 15:55 on 08/11/2010 (Nick)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Attach.zip


:P

Please don't attach the scan results; use Copy/Paste.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Done. Supposedly nothing found by TDSS but AVG still flagging issues so I'm aware we're not there yet. Here's the TDSS log as requested... Thank you.

TDSS Log

2010/11/09 09:22:14.0890 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22

2010/11/09 09:22:14.0890 ================================================================================

2010/11/09 09:22:14.0890 SystemInfo:

2010/11/09 09:22:14.0890

2010/11/09 09:22:14.0890 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/09 09:22:14.0890 Product type: Workstation

2010/11/09 09:22:14.0890 ComputerName: YOUR-27CAB14060

2010/11/09 09:22:14.0890 UserName: Nick

2010/11/09 09:22:14.0890 Windows directory: C:\WINDOWS

2010/11/09 09:22:14.0890 System windows directory: C:\WINDOWS

2010/11/09 09:22:14.0890 Processor architecture: Intel x86

2010/11/09 09:22:14.0890 Number of processors: 2

2010/11/09 09:22:14.0890 Page size: 0x1000

2010/11/09 09:22:14.0890 Boot type: Normal boot

2010/11/09 09:22:14.0890 ================================================================================

2010/11/09 09:22:15.0562 Initialize success

2010/11/09 09:22:17.0703 ================================================================================

2010/11/09 09:22:17.0703 Scan started

2010/11/09 09:22:17.0703 Mode: Manual;

2010/11/09 09:22:17.0703 ================================================================================


2010/11/09 09:22:34.0640 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/09 09:22:34.0781 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys

2010/11/09 09:22:34.0937 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

2010/11/09 09:22:35.0062 RTLE8023xp (bb0ae2171f08129f4f3ff9df20ffbf89) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys

2010/11/09 09:22:35.0234 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2010/11/09 09:22:35.0328 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/09 09:22:35.0500 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2010/11/09 09:22:35.0562 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys

2010/11/09 09:22:35.0625 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys

2010/11/09 09:22:35.0703 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/09 09:22:35.0875 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/11/09 09:22:36.0093 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/09 09:22:36.0156 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/09 09:22:36.0296 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/09 09:22:36.0453 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/11/09 09:22:36.0640 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/09 09:22:36.0718 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/09 09:22:37.0171 SynTP (b02703203ff94cf4c785e1d8d6ee2596) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2010/11/09 09:22:37.0328 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/09 09:22:37.0453 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/09 09:22:37.0515 tdcmdpst (2f8bfbdb5824c71f672779b4b8cf8b01) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys

2010/11/09 09:22:37.0625 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/09 09:22:37.0812 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/09 09:22:37.0859 tdudf (f56a9327c58ff985616c5e197472932c) C:\WINDOWS\system32\DRIVERS\tdudf.sys

2010/11/09 09:22:38.0031 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/09 09:22:38.0218 tifm21 (e4c85c291ddb3dc5e4a2f227ca465ba6) C:\WINDOWS\system32\drivers\tifm21.sys

2010/11/09 09:22:38.0484 tosrfec (5c4103544612e5011ef46301b93d1aa6) C:\WINDOWS\system32\DRIVERS\tosrfec.sys

2010/11/09 09:22:38.0625 TPwSav (9ffffb4c5b06c7b75e8159f1106006ac) C:\WINDOWS\system32\drivers\TPwSav.sys

2010/11/09 09:22:38.0687 trudf (3f9ba8878aa26d0831116733f9bc53ff) C:\WINDOWS\system32\DRIVERS\trudf.sys

2010/11/09 09:22:38.0765 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/09 09:22:39.0000 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/09 09:22:39.0140 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/11/09 09:22:39.0265 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/11/09 09:22:39.0359 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/09 09:22:39.0562 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/09 09:22:39.0609 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/09 09:22:39.0703 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/09 09:22:39.0765 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/09 09:22:39.0859 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/09 09:22:39.0953 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/09 09:22:40.0171 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

2010/11/09 09:22:40.0234 UVCFTR (3b929a72aaea96dc0150d3a6da268c89) C:\WINDOWS\system32\Drivers\UVCFTR_S.SYS

2010/11/09 09:22:40.0312 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/09 09:22:40.0453 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/09 09:22:40.0640 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/09 09:22:40.0718 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2010/11/09 09:22:40.0906 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/09 09:22:41.0046 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/11/09 09:22:41.0234 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/09 09:22:41.0296 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/11/09 09:22:41.0625 ================================================================================

2010/11/09 09:22:41.0625 Scan finished

2010/11/09 09:22:41.0625 ================================================================================

2010/11/09 09:22:56.0296 Deinitialize success


AV: Smart Engine *On-access scanning enabled* (Updated) {57A7B0DC-CE10-47BD-B77B-3DD48B93DAED}

AV: AVG Anti-Virus 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Smart Engine *enabled* {92C36DC1-2E4D-425F-B3AE-66AACFD23545}

You show 2 anti-virus programs running.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

Please do not delete anything unless instructed to.

1. Click Start > Settings > Control Panel.

2. Next, open Add/Remove Programs and remove either:

Smart Engine

AVG Anti-Virus 2011

Reboot and post a new DDS log


Smart Engine is part of the rogue software! I thought you might have known that as I believe it's part of the infection in the first place - a Google search can tell you that. Hence it doesn't show as a removal program in the list. AVG is the only antivirus I have.

Assuming there's no point posting another DDS log that will effectively be the same as I've not been able to change anything? (except delete a Smart Engine shortcut that was on my desktop!)


"Smart Engine is part of the rogue software!"
That's what happens when I get in a hurry.

Download ComboFix from one of these locations:

Link 1

Link 2 (if using this link, right-click and select Save As)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Oh gawd. Trying to uninstall AVG as that's what ComboFix says needs to happen but it can't find some .dll file to begin the uninstall process. Am trying to find a way to do it and in the meantime, a program called PrettyMay I had seems to have had crucial operation files deleted, WMP has disappeared and iTunes isn't working. Operational speed is slow as well. Damn virus is winning - hope we can kick its ass.


Here's the ComboFix log. It said it's sorted the winlogon and explorer infections which I'm already smiling about. A few issues remain...

iTunes isn't starting because QTCF.dll was not found - I can probably reinstall from Apple.com

Mozilla Thunderbird is crashing on open which only started happening once the virus really took hold - not sure how to rectify this one, maybe downloading/reinstalling I guess.

Tweetdeck has disappeared. Can redownload and install.

WMP has disappeared too. Tried downloading this while I had the virus and it didn't work at all.

Those are all of the problems I'm aware of for now that were all fine before infection. Here's the log. Enormously appreciate your help and advice - a Paypal donation will be forthcoming.

ComboFix 10-11-07.A2 - Nick 09/11/2010 17:37:26.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1409 [GMT 0:00]

Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\842305

c:\documents and settings\All Users\Application Data\842305\256.mof

c:\documents and settings\All Users\Application Data\842305\BackUp\Dropbox.lnk

c:\documents and settings\All Users\Application Data\842305\BackUp\OpenOffice.org 3.2.lnk

c:\documents and settings\All Users\Application Data\842305\ebb4e56869c80e7b69e0b313233c65b5.ocx

c:\documents and settings\All Users\Application Data\842305\sfcfkl6gl2p45e7tm9q01u8sn.dll

c:\documents and settings\All Users\Application Data\842305\SME.ico

c:\documents and settings\All Users\Application Data\xp

c:\documents and settings\Nick\Application Data\Smart Engine

c:\documents and settings\Nick\Application Data\Smart Engine\Instructions.ini

c:\documents and settings\Nick\Recent\PrettyMay Call Recorder for Skype - Professional.url

c:\windows\struct~.ini

c:\windows\system32\dmlconf.dat

D:\install.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.

((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))

.

2010-11-08 13:21 . 2010-11-08 13:21 -------- d--h--w- c:\windows\PIF

2010-11-08 12:52 . 2010-11-08 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-11-07 20:57 . 2010-11-07 20:57 -------- d-----w- C:\$AVG

2010-11-07 20:56 . 2010-11-07 20:56 -------- d-----w- c:\documents and settings\Nick\Application Data\AVG10

2010-11-07 20:47 . 2010-11-07 20:47 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-11-07 20:47 . 2010-11-09 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-11-07 20:39 . 2010-11-07 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-07 20:34 . 2010-11-07 23:37 -------- d-----w- c:\program files\TweetDeck

2010-11-07 12:38 . 2010-11-07 23:03 -------- d-----w- c:\documents and settings\Nick\Application Data\Ybsyo

2010-11-07 12:38 . 2010-11-07 21:14 -------- d-----w- c:\documents and settings\Nick\Application Data\Adihc

2010-11-07 05:59 . 2010-11-07 23:37 -------- d-----w- c:\program files\temp

2010-11-06 13:20 . 2010-11-07 21:30 -------- d-----w- c:\documents and settings\Nick\Application Data\Duweo

2010-11-06 13:20 . 2010-11-07 06:31 -------- d-----w- c:\documents and settings\Nick\Application Data\Apup

2010-11-06 10:28 . 2010-11-07 21:30 -------- d-----w- c:\documents and settings\Nick\Application Data\Loxyle

2010-11-06 10:28 . 2010-11-06 10:59 -------- d-----w- c:\documents and settings\Nick\Application Data\Ugwyi

2010-11-05 15:29 . 2010-11-07 21:30 -------- d-----w- c:\documents and settings\Nick\Application Data\Lawu

2010-11-05 15:29 . 2010-11-05 16:00 -------- d-----w- c:\documents and settings\Nick\Application Data\Povut

2010-11-02 15:52 . 2010-11-04 16:44 -------- d-----w- c:\documents and settings\Nick\Application Data\Cebeqo

2010-11-02 15:52 . 2010-11-07 20:35 -------- d-----w- c:\program files\windows

2010-11-01 14:34 . 2010-11-01 17:35 -------- d-----w- c:\documents and settings\Nick\Application Data\Ymobis

2010-11-01 12:34 . 2010-11-01 12:34 -------- d-----w- c:\documents and settings\Nick\Application Data\Malwarebytes

2010-11-01 12:33 . 2010-04-29 15:39 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-01 12:33 . 2010-11-01 12:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 12:33 . 2010-11-01 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-01 12:33 . 2010-04-29 15:39 20952 ------w- c:\windows\system32\drivers\mbam.sys

2010-11-01 09:28 . 2010-11-01 09:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner

2010-10-30 17:18 . 2010-11-01 09:28 -------- d-----w- c:\program files\Frontline Registry Cleaner

2010-10-30 16:31 . 2010-10-30 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2010-10-30 16:20 . 2010-10-30 16:20 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Threat Expert

2010-10-30 15:52 . 2010-11-04 15:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-10-30 15:32 . 2010-10-30 15:32 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SMGFE

2010-10-30 15:11 . 2010-11-07 06:18 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Temp

2010-10-30 15:11 . 2010-10-30 15:13 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Google

2010-10-30 15:11 . 2010-10-30 15:11 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Deployment

2010-10-30 14:48 . 2010-10-30 14:51 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\AskToolbar

2010-10-30 14:42 . 2010-10-30 14:42 -------- d-----w- c:\program files\Ask.com

2010-10-30 14:42 . 2010-10-30 14:42 -------- d-----w- c:\program files\Glary Registry Repair

2010-10-30 14:42 . 2010-10-30 14:42 -------- d-----w- c:\documents and settings\Nick\Application Data\GlarySoft

2010-10-30 14:39 . 2010-10-30 14:39 -------- d-----w- c:\documents and settings\Nick\Application Data\ElevatedDiagnostics

2010-10-30 11:45 . 2010-11-09 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-10-30 11:45 . 2010-11-09 16:41 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-10-30 11:44 . 2010-10-30 11:44 -------- d-----w- c:\program files\CCleaner

2010-10-29 19:34 . 2010-10-29 19:34 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache

2010-10-29 19:33 . 2010-11-07 23:37 -------- d-----w- c:\program files\tmp

2010-10-29 17:26 . 2010-10-29 17:26 -------- d-----w- c:\program files\iPod

2010-10-29 17:21 . 2010-10-29 17:21 -------- d-----w- c:\program files\Bonjour

2010-10-27 16:19 . 2008-04-13 17:46 51200 -c----w- c:\windows\system32\dllcache\msdv.sys

2010-10-27 16:19 . 2008-04-13 17:46 51200 ------w- c:\windows\system32\drivers\msdv.sys

2010-10-27 16:19 . 2008-04-13 17:46 38912 -c----w- c:\windows\system32\dllcache\avc.sys

2010-10-27 16:19 . 2008-04-13 17:46 38912 ------w- c:\windows\system32\drivers\avc.sys

2010-10-27 16:18 . 2008-04-13 17:46 48128 -c----w- c:\windows\system32\dllcache\61883.sys

2010-10-27 16:18 . 2008-04-13 17:46 48128 ------w- c:\windows\system32\drivers\61883.sys

2010-10-15 15:18 . 2010-11-09 17:43 -------- d-----w- c:\documents and settings\Nick\Application Data\Dropbox

2010-10-13 09:12 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-13 09:12 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2010-10-13 09:12 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-13 09:12 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 11:23 . 2007-11-07 12:37 974848 ------w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2007-11-07 12:37 974848 ------w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2007-11-07 12:37 954368 ------w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2007-11-07 12:37 953856 ------w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2007-11-07 12:37 916480 ------w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2007-11-07 12:37 43520 ------w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2007-11-07 12:37 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-08 10:17 . 2010-09-08 10:17 94208 ------w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 10:17 . 2010-09-08 10:17 69632 ------w- c:\windows\system32\QuickTime.qts

2010-09-01 11:51 . 2007-11-07 12:37 285824 ------w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2007-11-07 12:37 1852800 ------w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2007-11-07 12:37 119808 ------w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2007-11-07 12:37 99840 ------w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2007-11-07 12:37 357248 ------w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-12-31 11:54 5120 ------w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2007-11-07 12:37 617472 ------w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2007-11-07 12:37 58880 ------w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2007-11-07 12:37 590848 ------w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-11-18 17:40 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-18 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-18 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2010-11-04 65536]

"Google Update"="c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-30 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2010-11-04 651264]

"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2006-05-25 65536]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2010-11-04 53248]

"TPSMain"="TPSMain.exe" [2005-08-11 266240]

"TCtryIOHook"="TCtrlIOHook.exe" [2007-06-30 28672]

"TDispVol"="TDispVol.exe" [2005-12-27 73728]

"Zooming"="ZoomingHook.exe" [2005-06-06 24576]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2010-11-04 143360]

"NDSTray.exe"="NDSTray.exe" [bU]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2010-11-04 495616]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-11-04 888832]

"RTHDCPL"="RTHDCPL.EXE" [2007-11-20 16841216]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-02 202256]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Nick\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Nick\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\PrettyMay\\PrettyMay.exe"=

"c:\\Documents and Settings\\Nick\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]

R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]

S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys --> c:\windows\system32\DRIVERS\TpChoice.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-11-01 c:\windows\Tasks\FrontLine Registry Cleaner Scheduled Scan - Nick.job

- c:\program files\Frontline Registry Cleaner\FrontlineRegistryCleaner.exe [2010-05-11 21:20]

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2175893795-3781602434-600136029-1005Core.job

- c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-30 15:11]

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2175893795-3781602434-600136029-1005UA.job

- c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-30 15:11]

2010-11-09 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]

2010-11-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2175893795-3781602434-600136029-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2175893795-3781602434-600136029-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-09 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-11-18 17:40]

2010-11-09 c:\windows\Tasks\User_Feed_Synchronization-{D8F3510B-12C0-4FAF-ADC1-4A87645373A8}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

mStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: hsbc.co.uk\www

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-09 17:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(984)

c:\windows\system32\WININET.dll

c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\windows\system32\TDispVol.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\TODDSrv.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\windows\system32\TCtrlIOHook.exe

c:\windows\system32\TDispVol.exe

c:\windows\system32\ZoomingHook.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

c:\windows\RTHDCPL.EXE

c:\program files\Synaptics\SynTP\SynToshiba.exe

c:\windows\system32\wscntfy.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-11-09 17:48:33 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-09 17:48

Pre-Run: 36,992,991,232 bytes free

Post-Run: 37,173,334,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F90DEAF0D955C3049291F03D87ABFAB5


You have a bunch of newly created folders.

Do you know what they are?

2010-11-07 12:38 . 2010-11-07 23:03 -------- d-----w- c:\documents and settings\Nick\Application Data\Ybsyo

2010-11-07 12:38 . 2010-11-07 21:14 -------- d-----w- c:\documents and settings\Nick\Application Data\Adihc

2010-11-06 13:20 . 2010-11-07 21:30 -------- d-----w- c:\documents and settings\Nick\Application Data\Duweo

2010-11-06 13:20 . 2010-11-07 06:31 -------- d-----w- c:\documents and settings\Nick\Application Data\Apup

2010-11-06 10:28 . 2010-11-07 21:30 -------- d-----w- c:\documents and settings\Nick\Application Data\Loxyle

2010-11-06 10:28 . 2010-11-06 10:59 -------- d-----w- c:\documents and settings\Nick\Application Data\Ugwyi

2010-11-05 15:29 . 2010-11-07 21:30 -------- d-----w- c:\documents and settings\Nick\Application Data\Lawu

2010-11-05 15:29 . 2010-11-05 16:00 -------- d-----w- c:\documents and settings\Nick\Application Data\Povut

2010-11-02 15:52 . 2010-11-04 16:44 -------- d-----w- c:\documents and settings\Nick\Application Data\Cebeqo

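The check behind the question about newly created folders, as an added example (not part of the original thread and not ComboFix's own logic): it parses ComboFix "Files Created" lines, keeps directories sitting directly under a user's roaming Application Data, drops names on an analyst-supplied allowlist, and groups the rest by creation time. `KNOWN_FOLDERS`, `parse_line` and `unexplained_profile_dirs` are hypothetical names; the sample lines are copied from the logs on this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# One ComboFix listing line: created . modified  size-or-dashes  attributes  path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*)$"
)

# A folder directly under a user's roaming "Application Data" (XP layout).
# "Local Settings\Application Data" does not match: it is one level deeper.
PROFILE_CHILD_RE = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\application data\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Assumption: folder names the owner can account for (software they installed).
KNOWN_FOLDERS = {"avg10", "malwarebytes", "dropbox", "glarysoft"}

# Lines copied from the ComboFix listings quoted on this page.
SAMPLE_LOG = r"""
2010-11-07 12:38 . 2010-11-07 23:03 -------- d-----w- c:\documents and settings\Nick\Application Data\Ybsyo
2010-11-07 12:38 . 2010-11-07 21:14 -------- d-----w- c:\documents and settings\Nick\Application Data\Adihc
2010-11-06 13:20 . 2010-11-07 21:30 -------- d-----w- c:\documents and settings\Nick\Application Data\Duweo
2010-11-06 13:20 . 2010-11-07 06:31 -------- d-----w- c:\documents and settings\Nick\Application Data\Apup
2010-11-02 15:52 . 2010-11-04 16:44 -------- d-----w- c:\documents and settings\Nick\Application Data\Cebeqo
2010-11-07 20:56 . 2010-11-07 20:56 -------- d-----w- c:\documents and settings\Nick\Application Data\AVG10
2010-10-30 15:11 . 2010-11-07 06:18 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Temp
2010-11-01 12:33 . 2010-04-29 15:39 20952 ------w- c:\windows\system32\drivers\mbam.sys
2010-10-15 15:18 . 2010-11-09 18:32 -------- d-----w- c:\documents and settings\Nick\Application Data\Dropbox
2010-11-07 20:34 . 2010-11-07 23:37 -------- d-----w- c:\program files\TweetDeck
"""


def parse_line(line):
    """Return a dict for one listing line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        # Reject lines whose timestamps only look right (e.g. month 13).
        for field in ("created", "modified"):
            datetime.strptime(m.group(field), "%Y-%m-%d %H:%M")
    except ValueError:
        return None
    size = m.group("size")
    return {
        "created": m.group("created"),
        "modified": m.group("modified"),
        "is_dir": m.group("attrs").startswith("d"),
        "size": None if size.startswith("-") else int(size),
        "path": m.group("path").strip(),
    }


def unexplained_profile_dirs(log_text, known=KNOWN_FOLDERS):
    """Group unaccounted-for profile folders by creation timestamp.

    Returns {created: [folder names]} ordered by timestamp. Folders created
    in the same minute end up in the same group, which makes batches stand out.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["is_dir"]:
            continue
        m = PROFILE_CHILD_RE.match(entry["path"])
        if m is None or m.group("name").lower() in known:
            continue
        groups[entry["created"]].append(m.group("name"))
    # ISO-style timestamps sort correctly as plain strings.
    return dict(sorted(groups.items()))


if __name__ == "__main__":
    for created, names in unexplained_profile_dirs(SAMPLE_LOG).items():
        print(created, ", ".join(names))
```

The output is a review list for the machine's owner, not a verdict: a name lands on it only because nobody has accounted for it yet.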

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run, type Notepad, click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Folder::
c:\documents and settings\Nick\Application Data\Ybsyo
c:\documents and settings\Nick\Application Data\Adihc
c:\documents and settings\Nick\Application Data\Duweo
c:\documents and settings\Nick\Application Data\Apup
c:\documents and settings\Nick\Application Data\Loxyle
c:\documents and settings\Nick\Application Data\Ugwyi
c:\documents and settings\Nick\Application Data\Lawu
c:\documents and settings\Nick\Application Data\Povut
c:\documents and settings\Nick\Application Data\Cebeqo
c:\documents and settings\Nick\Application Data\Ymobis
c:\documents and settings\Nick\Local Settings\Application Data\AskToolbar
c:\program files\Ask.com

Save this file to your desktop. Save this as "CFScript"

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


How we looking now?

ComboFix 10-11-07.A2 - Nick 09/11/2010 18:24:43.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1395 [GMT 0:00]

Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Nick\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Nick\Application Data\Apup

c:\documents and settings\Nick\Application Data\Apup\iwyd.yka

c:\documents and settings\Nick\Local Settings\Application Data\AskToolbar

c:\documents and settings\Nick\Local Settings\Application Data\AskToolbar\cache.dat

c:\documents and settings\Nick\Local Settings\Application Data\AskToolbar\config.xml

c:\documents and settings\Nick\Local Settings\Application Data\AskToolbar\Downloaded Program Files\xaddon.dll

c:\documents and settings\Nick\Local Settings\Application Data\AskToolbar\Downloaded Program Files\xaddon.inf

c:\documents and settings\Nick\Local Settings\Application Data\AskToolbar\xaddon.cab

c:\program files\Ask.com

c:\program files\Ask.com\cobrand.ico

c:\program files\Ask.com\config.xml

c:\program files\Ask.com\favicon.ico

c:\program files\Ask.com\GenericAskToolbar.dll

c:\program files\Ask.com\mupcfg.xml

c:\program files\Ask.com\SaUpdate.exe

c:\program files\Ask.com\UpdateTask.exe

.

((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))

.

2010-11-08 13:21 . 2010-11-08 13:21 -------- d--h--w- c:\windows\PIF

2010-11-08 12:52 . 2010-11-08 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-11-07 20:57 . 2010-11-07 20:57 -------- d-----w- C:\$AVG

2010-11-07 20:56 . 2010-11-07 20:56 -------- d-----w- c:\documents and settings\Nick\Application Data\AVG10

2010-11-07 20:47 . 2010-11-07 20:47 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-11-07 20:47 . 2010-11-09 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-11-07 20:39 . 2010-11-07 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-07 20:34 . 2010-11-07 23:37 -------- d-----w- c:\program files\TweetDeck

2010-11-07 05:59 . 2010-11-07 23:37 -------- d-----w- c:\program files\temp

2010-11-02 15:52 . 2010-11-07 20:35 -------- d-----w- c:\program files\windows

2010-11-01 12:34 . 2010-11-01 12:34 -------- d-----w- c:\documents and settings\Nick\Application Data\Malwarebytes

2010-11-01 12:33 . 2010-04-29 15:39 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-01 12:33 . 2010-11-01 12:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 12:33 . 2010-11-01 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-01 12:33 . 2010-04-29 15:39 20952 ------w- c:\windows\system32\drivers\mbam.sys

2010-11-01 09:28 . 2010-11-01 09:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner

2010-10-30 17:18 . 2010-11-01 09:28 -------- d-----w- c:\program files\Frontline Registry Cleaner

2010-10-30 16:31 . 2010-10-30 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2010-10-30 16:20 . 2010-10-30 16:20 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Threat Expert

2010-10-30 15:52 . 2010-11-04 15:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-10-30 15:32 . 2010-10-30 15:32 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SMGFE

2010-10-30 15:11 . 2010-11-07 06:18 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Temp

2010-10-30 15:11 . 2010-10-30 15:13 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Google

2010-10-30 15:11 . 2010-10-30 15:11 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Deployment

2010-10-30 14:42 . 2010-10-30 14:42 -------- d-----w- c:\program files\Glary Registry Repair

2010-10-30 14:42 . 2010-10-30 14:42 -------- d-----w- c:\documents and settings\Nick\Application Data\GlarySoft

2010-10-30 14:39 . 2010-10-30 14:39 -------- d-----w- c:\documents and settings\Nick\Application Data\ElevatedDiagnostics

2010-10-30 11:45 . 2010-11-09 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-10-30 11:45 . 2010-11-09 16:41 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-10-30 11:44 . 2010-10-30 11:44 -------- d-----w- c:\program files\CCleaner

2010-10-29 19:34 . 2010-10-29 19:34 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache

2010-10-29 19:33 . 2010-11-07 23:37 -------- d-----w- c:\program files\tmp

2010-10-29 17:26 . 2010-10-29 17:26 -------- d-----w- c:\program files\iPod

2010-10-29 17:21 . 2010-10-29 17:21 -------- d-----w- c:\program files\Bonjour

2010-10-27 16:19 . 2008-04-13 17:46 51200 -c----w- c:\windows\system32\dllcache\msdv.sys

2010-10-27 16:19 . 2008-04-13 17:46 51200 ------w- c:\windows\system32\drivers\msdv.sys

2010-10-27 16:19 . 2008-04-13 17:46 38912 -c----w- c:\windows\system32\dllcache\avc.sys

2010-10-27 16:19 . 2008-04-13 17:46 38912 ------w- c:\windows\system32\drivers\avc.sys

2010-10-27 16:18 . 2008-04-13 17:46 48128 -c----w- c:\windows\system32\dllcache\61883.sys

2010-10-27 16:18 . 2008-04-13 17:46 48128 ------w- c:\windows\system32\drivers\61883.sys

2010-10-15 15:18 . 2010-11-09 18:32 -------- d-----w- c:\documents and settings\Nick\Application Data\Dropbox

2010-10-13 09:12 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-13 09:12 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2010-10-13 09:12 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-13 09:12 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 11:23 . 2007-11-07 12:37 974848 ------w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2007-11-07 12:37 974848 ------w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2007-11-07 12:37 954368 ------w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2007-11-07 12:37 953856 ------w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2007-11-07 12:37 916480 ------w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2007-11-07 12:37 43520 ------w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2007-11-07 12:37 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-08 10:17 . 2010-09-08 10:17 94208 ------w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 10:17 . 2010-09-08 10:17 69632 ------w- c:\windows\system32\QuickTime.qts

2010-09-01 11:51 . 2007-11-07 12:37 285824 ------w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2007-11-07 12:37 1852800 ------w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2007-11-07 12:37 119808 ------w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2007-11-07 12:37 99840 ------w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2007-11-07 12:37 357248 ------w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-12-31 11:54 5120 ------w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2007-11-07 12:37 617472 ------w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2007-11-07 12:37 58880 ------w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2007-11-07 12:37 590848 ------w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2010-11-04 65536]

"Google Update"="c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-30 136176]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2010-11-04 651264]

"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2006-05-25 65536]

"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2010-11-04 53248]

"TPSMain"="TPSMain.exe" [2005-08-11 266240]

"TCtryIOHook"="TCtrlIOHook.exe" [2007-06-30 28672]

"TDispVol"="TDispVol.exe" [2005-12-27 73728]

"Zooming"="ZoomingHook.exe" [2005-06-06 24576]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2010-11-04 143360]

"NDSTray.exe"="NDSTray.exe" [bU]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2010-11-04 495616]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-11-04 888832]

"RTHDCPL"="RTHDCPL.EXE" [2007-11-20 16841216]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-02 202256]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Nick\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Nick\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\PrettyMay\\PrettyMay.exe"=

"c:\\Documents and Settings\\Nick\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]

R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]

S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys --> c:\windows\system32\DRIVERS\TpChoice.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-11-01 c:\windows\Tasks\FrontLine Registry Cleaner Scheduled Scan - Nick.job

- c:\program files\Frontline Registry Cleaner\FrontlineRegistryCleaner.exe [2010-05-11 21:20]

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2175893795-3781602434-600136029-1005Core.job

- c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-30 15:11]

2010-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2175893795-3781602434-600136029-1005UA.job

- c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-30 15:11]

2010-11-09 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]

2010-11-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2175893795-3781602434-600136029-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2175893795-3781602434-600136029-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-09 c:\windows\Tasks\User_Feed_Synchronization-{D8F3510B-12C0-4FAF-ADC1-4A87645373A8}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

mStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: hsbc.co.uk\www

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

.

- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-09 18:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3080)

c:\windows\system32\WININET.dll

c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\windows\system32\TDispVol.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\TODDSrv.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\TCtrlIOHook.exe

c:\windows\system32\TDispVol.exe

c:\windows\system32\ZoomingHook.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

c:\windows\RTHDCPL.EXE

c:\program files\Synaptics\SynTP\SynToshiba.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

.

**************************************************************************

.

Completion time: 2010-11-09 18:35:58 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-09 18:35

ComboFix2.txt 2010-11-09 17:48

Pre-Run: 36,915,408,896 bytes free

Post-Run: 36,936,241,152 bytes free

- - End Of File - - 5CA745EF60D59ACD24784393FE629B17


So far so good...

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5012

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

09/11/2010 19:19:23

mbam-log-2010-11-09 (19-19-23).txt

Scan type: Quick scan

Objects scanned: 147748

Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Good job :thumbup:

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :lol:

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:


I'm gonna do some universal password changing. Not convinced some bastard hasn't nabbed something or other.

I'm normally pretty good. I got the virus from opening an online .pdf attachment (or so I thought) that was a golf scorecard. And there was me thinking it was just porn that would cause me problems!

Donation coming now. Thanks so much for your help.


Hmm... hoping you might notice this reply cos I'm back again. So... I still get redirected to Gala Search from the small Google search toolbar within IE. Also, despite reinstalling iTunes several times, after restart I continue to get iTunesHelper.exe - Unable to Locate Component and iTunes won't open.

Also a prompt for 'Toshiba Power Saver' comes up, 'Fatal error has occured, program will be terminated. code: 0x0'.

Any thoughts?


Nothing showing here...

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5012

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/11/2010 11:44:11

mbam-log-2010-11-11 (11-44-11).txt

Scan type: Quick scan

Objects scanned: 159697

Time elapsed: 19 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allows the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish.

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.
