Pennyforthem Posted November 13, 2010 ID:344306

Hi, I've had this virus for 4 days now and nothing seems to remove it. I've used MBAM, AVG, Avira and have now downloaded HijackThis to see if you can help. I am not PC literate with the inner workings. This is the HijackThis report.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:46:04, on 13/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [s3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: wghwfr.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--
End of file - 8807 bytes
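An HJT log like the one above is read entry by entry, so as an added illustration (not from this thread and not part of HijackThis itself) here is a small Python triage helper that parses the Rn/On line format and flags the entries a helper looks at first: references whose file is gone, AppInit_DLLs entries (DLLs loaded into every process that loads user32.dll), Run entries with no absolute path, and services with no publisher. The sample lines are copied from the log above; the flagging rules and function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of the HijackThis log posted above, chosen so
# that every triage rule below fires at least once and some lines stay clean.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O20 - AppInit_DLLs: wghwfr.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
"""

# Every HJT finding is "<section> - <body>", e.g. "O20 - AppInit_DLLs: wghwfr.dll".
# Header lines and the "Running processes" path list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")

# O4 Run entries look like "<hive>\..\Run: [<value name>] <command line>".
RUN_RE = re.compile(r"^HK(?:LM|CU|US\\[^\\]+)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")

# HJT prints these when the registry still references a file that is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    kind: str                  # section code: "R0", "O2", "O20", "O23", ...
    body: str                  # text after "<kind> - "
    reasons: List[str] = field(default_factory=list)   # why it was flagged


def parse_hjt(text: str) -> List[Entry]:
    """Return the Rn/On findings from an HJT log, in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def triage(entry: Entry) -> List[str]:
    """Reasons a helper would look at this entry first (empty list = nothing notable)."""
    reasons = []
    body = entry.body
    if any(marker in body for marker in ORPHAN_MARKERS):
        reasons.append("orphaned reference: registry points at a file that no longer exists")
    if entry.kind == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs are loaded by user32.dll into every process that loads it,
        # so anything listed here must be identified before it is trusted.
        reasons.append("AppInit_DLLs load point: DLL injected into every user32 process")
    if entry.kind == "O4":
        m = RUN_RE.match(body)
        if m:
            cmd = m.group("cmd").strip('"')
            if not re.match(r"^[A-Za-z]:\\", cmd) and not cmd.startswith("%"):
                # A bare file name is resolved by directory search at logon,
                # so the entry alone does not say which binary actually runs.
                reasons.append("Run entry without an absolute path")
    if entry.kind == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no publisher information")
    return reasons


def flag_entries(text: str) -> List[Entry]:
    """Parse a log and return only the entries with at least one triage reason."""
    flagged = []
    for entry in parse_hjt(text):
        entry.reasons = triage(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_entries(SAMPLE_LOG):
        print(f"{e.kind:>4}  {e.body}")
        for r in e.reasons:
            print(f"      -> {r}")
```

A flag is a prompt to identify the file (publisher, location, age), not a verdict; the unflagged entries in the same log are the baseline it is compared against.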
kahdah Posted November 13, 2010 ID:344359

Hello Pennyforthem
Welcome to Malwarebytes.
=====================
Download OTL to your desktop.
Double click on OTL to run it.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Please download Rootkit Unhooker and save it to your desktop.
Note: since it is in rar format, if you do not have anything that will open it then you can download 7 zip and use it to extract the data; it can be found here:
Right click on the .rar file and choose extract files.
Double-click RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan
Check Drivers, Stealth Code, Files, and Code Hooks
Uncheck the rest, then click OK
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
Wait till the scanner has finished then go File > Save Report
Save the report somewhere you can find it, typically your desktop. Click Close
Copy the entire contents of the report and paste it in your next reply.
Note - You may get this warning; it is ok, just ignore it.
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
Pennyforthem Posted November 13, 2010 Author ID:344458

Thanks kahdah. This is the OTL.
Pennyforthem Posted November 13, 2010 Author ID:344471
I can't find RKUnhookerLE.exe kahdah.
kahdah Posted November 13, 2010 ID:344624
You have to download it from the link in my first post to you. If you cannot download it then please let me know.
Pennyforthem Posted November 13, 2010 Author ID:344669
Found it in my docs, no idea how it got there.

RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>Drivers
!!!!!!!!!!!Hidden driver: ?_empty_?
Loaded from:
Address: 0x89BC0292
Size: 3438 bytes
==============================================
>Stealth
==============================================
>Files
Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0YCM83TM\k;key=key1+key2+key3+key4;grp=[group];adiframe=y;rdclick=;sub1=1000-1001;sub2=xaukrb200;sub3=dv;sub4=xaukrb200-p1302540-v5991762-sl548739;autoMute=true[1]2 Status: Hidden
Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0YCM83TM\YPE+AND+NOT%20MATCH%7BView%20all%20Brands%7D_PRODUCTTYPE&combine=FieldCheck&maxresults=10&minscore=30&sort=reverserelevance&DatabaseMatch=Prod_Unit[1].txtf Status: Hidden
Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\B3G69116\b365;ord=1WGNXHM78N3CN6B1824G;s=i0;s=i1;s=i2;s=i4;s=i5;s=i6;s=i7;s=i8;s=i9;s=81;s=36;s=281;s=95;s=u5;s=u15;s=m1;s=u9;s=m4;s=u8;z=820;z=847;z=810;tile=1[1]0 Status: Hidden
Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\B3G69116\oSehAqoAwHoA7gB6AMi6AOZCegDA_UDAIAABA%26num%3D1%26sig%3DAGiWqtz5faHuGZgl9ZMIn1ZcK5B5ZToUFQ%26client%3Dca-pub-8225102170299886%26adurl%3D;ord=1289668119[1]0 Status: Hidden
Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LI9SJNW8\554d81a7e72f59774fe62f;ord=0P6WNHR56ZX7SG3ZZQB4;s=i0;s=i1;s=i2;s=i4;s=i5;s=i6;s=i7;s=i8;s=i9;s=36;s=m1;s=u15;s=u5;s=u9;s=m4;s=u8;z=825;z=810;tile=2[1].htm0 Status: Hidden
==============================================
>Hooks
ntkrnlpa.exe+0x0006AA9A, Type: Inline - RelativeJump at address 0x80541A9A hook handler located in [ntkrnlpa.exe]
[1048]wuauclt.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump at address 0x7C90E47C hook handler located in [unknown_code_page]
[1048]wuauclt.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]
[1048]wuauclt.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x7C90DFAE hook handler located in [unknown_code_page]
[1140]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump at address 0x7C90E47C hook handler located in [unknown_code_page]
[1140]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]
[1140]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x7C90DFAE hook handler located in [unknown_code_page]
[1140]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump at address 0x7E42974E hook handler located in [unknown_code_page]
[1260]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
[1260]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
[1260]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]
[2056]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[2056]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump at address 0x7C90E47C hook handler located in [unknown_code_page]
[2056]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]
[2056]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x7C90DFAE hook handler located in [unknown_code_page]
[3736]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040111C hook handler located in [shimeng.dll]
[3736]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401060 hook handler located in [aclayers.dll]
[3736]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x004010B8 hook handler located in [aclayers.dll]
[3736]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x00401078 hook handler located in [aclayers.dll]
[3736]iexplore.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump at address 0x7C90E47C hook handler located in [unknown_code_page]
[3736]iexplore.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]
[3736]iexplore.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x7C90DFAE hook handler located in [unknown_code_page]
[3736]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x7E456D7D hook handler located in [ieframe.dll]
[3736]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x7E432072 hook handler located in [ieframe.dll]
[3736]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x7E43B144 hook handler located in [ieframe.dll]
[3736]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x7E4247AB hook handler located in [ieframe.dll]
[3736]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]
[3736]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x7E450838 hook handler located in [ieframe.dll]
[3736]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x7E43A082 hook handler located in [ieframe.dll]
[3736]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x7E4664D5 hook handler located in [ieframe.dll]
kahdah Posted November 13, 2010 ID:344687
One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following:
===================
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
========
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Pennyforthem Posted November 13, 2010 Author ID:344699
I take on board all you say kahdah, just a few questions. I have a PC which was previously infected (about two years ago). It hasn't been used on the net since, and it's had a system restore, would this be ok to use for changing passwords and such?
Also, I store my photos in Picasa and wonder if it would be ok to put them to disk for use on another PC.
Thank you for your help, I will follow your instructions for clean up.
kahdah Posted November 13, 2010 ID:344712
Yes, using that PC, as long as a full system recovery has been done, then it is clean and yes, you can use it for that purpose.
Yes, that will be fine to put the pictures on disk.
It is not a file infector so the only thing to worry about would be password breaches.
Pennyforthem Posted November 13, 2010 Author ID:344731
Thanks kahdah. Have done TDSSKiller and it rebooted but I can't find the report. Only doc it brings up is a license. Shall I carry on with ComboFix?
kahdah Posted November 13, 2010 ID:344736
Should be here > C:\Tdss*.txt where the * is for the time and date you ran it. If it is not there, run it again and let it produce a log.
Pennyforthem Posted November 13, 2010 Author ID:344739 Share Posted November 13, 2010 Husband doesn't call me Dolly daydreams for nothing 2010/11/13 22:36:06.0656 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:222010/11/13 22:36:06.0656 ================================================================================2010/11/13 22:36:06.0656 SystemInfo:2010/11/13 22:36:06.0656 2010/11/13 22:36:06.0656 OS Version: 5.1.2600 ServicePack: 3.02010/11/13 22:36:06.0656 Product type: Workstation2010/11/13 22:36:06.0656 ComputerName: USER-CC002C04612010/11/13 22:36:06.0656 UserName: User2010/11/13 22:36:06.0656 Windows directory: C:\WINDOWS2010/11/13 22:36:06.0656 System windows directory: C:\WINDOWS2010/11/13 22:36:06.0656 Processor architecture: Intel x862010/11/13 22:36:06.0656 Number of processors: 12010/11/13 22:36:06.0656 Page size: 0x10002010/11/13 22:36:06.0656 Boot type: Normal boot2010/11/13 22:36:06.0656 ================================================================================2010/11/13 22:36:07.0078 Initialize success2010/11/13 22:36:12.0500 ================================================================================2010/11/13 22:36:12.0500 Scan started2010/11/13 22:36:12.0500 Mode: Manual; 2010/11/13 22:36:12.0500 ================================================================================2010/11/13 22:36:14.0062 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys2010/11/13 22:36:14.0140 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys2010/11/13 22:36:14.0281 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys2010/11/13 22:36:14.0390 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys2010/11/13 22:36:14.0484 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys2010/11/13 22:36:15.0000 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys2010/11/13 22:36:15.0093 atapi 
(9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys2010/11/13 22:36:15.0203 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys2010/11/13 22:36:15.0296 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys2010/11/13 22:36:15.0562 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys2010/11/13 22:36:15.0656 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys2010/11/13 22:36:15.0750 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys2010/11/13 22:36:15.0796 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys2010/11/13 22:36:15.0906 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys2010/11/13 22:36:16.0015 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys2010/11/13 22:36:16.0109 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys2010/11/13 22:36:16.0203 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys2010/11/13 22:36:16.0328 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys2010/11/13 22:36:16.0437 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys2010/11/13 22:36:16.0484 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys2010/11/13 22:36:16.0859 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys2010/11/13 22:36:16.0968 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys2010/11/13 22:36:17.0031 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys2010/11/13 22:36:17.0093 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys2010/11/13 22:36:17.0187 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys2010/11/13 22:36:17.0375 
drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys2010/11/13 22:36:17.0531 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys2010/11/13 22:36:17.0609 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys2010/11/13 22:36:17.0687 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys2010/11/13 22:36:17.0781 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys2010/11/13 22:36:17.0843 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys2010/11/13 22:36:17.0937 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys2010/11/13 22:36:18.0031 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys2010/11/13 22:36:18.0078 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys2010/11/13 22:36:18.0171 GEARAspiWDM (df6e37b27a9a1a498c6d9f29995b7a03) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys2010/11/13 22:36:18.0234 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys2010/11/13 22:36:18.0328 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys2010/11/13 22:36:18.0437 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys2010/11/13 22:36:18.0609 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys2010/11/13 22:36:18.0781 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys2010/11/13 22:36:18.0875 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys2010/11/13 22:36:19.0203 IntcAzAudAddService (7ffe2751ae9b3082cd55bfcc2e9becdb) C:\WINDOWS\system32\drivers\RtkHDAud.sys2010/11/13 22:36:19.0468 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys2010/11/13 22:36:19.0562 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) 
C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys2010/11/13 22:36:19.0640 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys2010/11/13 22:36:19.0734 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys2010/11/13 22:36:19.0828 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys2010/11/13 22:36:19.0906 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys2010/11/13 22:36:20.0000 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys2010/11/13 22:36:20.0046 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys2010/11/13 22:36:20.0125 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys2010/11/13 22:36:20.0234 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys2010/11/13 22:36:20.0328 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys2010/11/13 22:36:20.0500 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys2010/11/13 22:36:20.0609 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys2010/11/13 22:36:20.0671 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys2010/11/13 22:36:20.0765 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys2010/11/13 22:36:20.0828 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys2010/11/13 22:36:20.0937 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys2010/11/13 22:36:21.0031 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys2010/11/13 22:36:21.0171 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys2010/11/13 22:36:21.0234 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys2010/11/13 22:36:21.0296 MSPCLOCK 
2010/11/13 22:36:28.0656 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/13 22:36:28.0656 ================================================================================
2010/11/13 22:36:28.0656 Scan finished
2010/11/13 22:36:28.0656 ================================================================================
2010/11/13 22:36:28.0703 Detected object count: 1
2010/11/13 22:37:10.0171 \HardDisk0 - will be cured after reboot
2010/11/13 22:37:10.0171 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/13 22:37:40.0984 Deinitialize success
Pennyforthem Posted November 14, 2010 Author ID:344770

ComboFix 10-11-12.06 - User 14/11/2010 0:05.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1153 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\Application Data\install
c:\windows\system32\yqovgbjv.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\qrzuasmj.job
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
.
------- Sigcheck -------
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2004-08-12 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 00:18 12536 ----a-w- c:\windows\system32\avgrsstx.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/10/2008 13:42 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/10/2008 13:42 243024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/11/2010 16:35 135336]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [17/07/2010 00:17 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 00:18 308136]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
.
Contents of the 'Scheduled Tasks' folder
2010-11-14 c:\windows\Tasks\User_Feed_Synchronization-{2B1572A8-695E-4DC3-B037-F9A7A08CC279}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-AdobeBridge - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 00:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-11-14 00:46:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-14 00:46
Pre-Run: 224,496,218,112 bytes free
Post-Run: 224,741,855,232 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 25D756CA1FFF4B774F7C8BCD3D995744
kahdah Posted November 14, 2010 ID:344788

1. Please open Notepad: click Start, then Run, type notepad in the Run box, then hit OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

FCopy::
c:\windows\system32\dllcache\spoolsv.exe|c:\windows\System32\spoolsv.exe
Driver::
rkhdrv40
DDS::
uInternet Settings,ProxyOverride = *.local

3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following report/log into your next reply: Combofix.txt

=============
Update/Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.
Double-click the Malwarebytes Anti-Malware icon to run the application.
Click on the Update tab, then click on Check for updates.
If an update is found, it will download and install the latest version.
Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====
* Go here to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Check the next options: Remove found threats and Scan unwanted applications.
Click Scan.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
Copy and paste that log as a reply to this topic.
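The FCopy:: line above comes straight from the Sigcheck block in the first ComboFix log: the live c:\windows\System32\spoolsv.exe was missing, and the dllcache copy carried the newest installed version. This Python example is added here and is not part of the thread or of ComboFix; it parses Sigcheck-style lines, picks the newest copy held in one of Windows' own staging directories, renders the matching FCopy:: directive and checks a restored file's MD5 against the Sigcheck value. The sample rows are copied from the log above; the function and class names are my own.

```python
"""Pick a trustworthy restore source from ComboFix-style Sigcheck lines.

Added example (not part of the thread or of ComboFix). Names are my own;
the sample rows are copied from the ComboFix log posted in the thread.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample Sigcheck block, copied from the ComboFix log posted above.
SIGCHECK_SAMPLE = r"""
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2004-08-12 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
c:\windows\System32\spoolsv.exe ... is missing !!
"""

# One Sigcheck row: "[flag] date . MD5 . size . . [version] . . path"
SIG_RE = re.compile(
    r"^\[(?P<flag>\d+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# The row ComboFix prints when the live copy of the file is gone.
MISSING_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\.\.\s+is missing\s*!!\s*$")

# Directories Windows XP itself uses to hold pristine copies of system files.
TRUSTED_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")


@dataclass(frozen=True)
class SigEntry:
    date: str
    md5: str
    size: int
    version: Tuple[int, ...]
    path: str


def version_tuple(text: str) -> Tuple[int, ...]:
    """'5.1.2600.6024' -> (5, 1, 2600, 6024) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_sigcheck(text: str) -> Tuple[List[SigEntry], List[str]]:
    """Return (known copies, paths reported missing) from a Sigcheck block."""
    entries: List[SigEntry] = []
    missing: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        m = SIG_RE.match(line)
        if m:
            entries.append(SigEntry(m["date"], m["md5"].upper(), int(m["size"]),
                                    version_tuple(m["version"]), m["path"]))
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m["path"])
    return entries, missing


def choose_restore_source(entries: List[SigEntry]) -> Optional[SigEntry]:
    """Newest version that lives in a trusted staging directory, else None.

    Two different MD5s at the same version are normal: the $hf_mig$ (SP3QFE)
    copy is the hotfix-branch build, while dllcache holds the general-release
    build that was actually installed, so dllcache is preferred when both exist.
    """
    if not entries:
        return None
    newest = max(e.version for e in entries)
    candidates = [e for e in entries if e.version == newest]
    for marker in TRUSTED_DIRS:
        for entry in candidates:
            if marker in entry.path.lower():
                return entry
    return None  # newest build exists only in hotfix staging; do not guess


def fcopy_directive(source: str, destination: str) -> str:
    """Render the CFScript FCopy:: block in the form posted in the thread."""
    return f"FCopy::\n{source}|{destination}"


def md5_matches(data: bytes, expected_md5: str) -> bool:
    """After the copy, confirm the restored bytes hash to the Sigcheck MD5."""
    return hashlib.md5(data).hexdigest().lower() == expected_md5.lower()


if __name__ == "__main__":
    known, gone = parse_sigcheck(SIGCHECK_SAMPLE)
    src = choose_restore_source(known)
    for path in gone:
        if src is None:
            print(f"{path}: no trusted copy found, restore manually")
        else:
            print(fcopy_directive(src.path, path))
            print(f"expected MD5 after restore: {src.md5}")
```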
Pennyforthem Posted November 14, 2010 Author ID:344796

ComboFix is asking me to uninstall AVG, kahdah. Where do I uninstall it from? Add and Remove?
kahdah Posted November 14, 2010 ID:344801

Yes, go to Start > Control Panel > Add\Remove Programs.
Pennyforthem Posted November 14, 2010 Author ID:344805

Did that, kahdah, and it stopped at:

Local machine: installation failed
Installation: Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key.... Access is denied.
kahdah Posted November 14, 2010 ID:344812

Please download the removal tool from here.
Pennyforthem Posted November 14, 2010 Author ID:344829

ComboFix 10-11-12.06 - User 14/11/2010 2:32.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1282 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\system32\dllcache\spoolsv.exe --> c:\windows\System32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RKHDRV40
-------\Service_rkhdrv40
.
((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.
2010-11-14 02:32 . 2010-08-17 13:17 58880 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
2010-11-14 02:32 . 2010-08-17 13:17 58880 ----a-w- c:\windows\system32\spoolsv.exe
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/11/2010 16:35 135336]
.
Contents of the 'Scheduled Tasks' folder
2010-11-14 c:\windows\Tasks\User_Feed_Synchronization-{2B1572A8-695E-4DC3-B037-F9A7A08CC279}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
Notify-avgrsstarter - avgrsstx.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 02:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-11-14 02:47:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-14 02:47
ComboFix2.txt 2010-11-14 00:46
Pre-Run: 224,995,708,928 bytes free
Post-Run: 224,936,669,184 bytes free
- - End Of File - - 6F28FFDE932494D11E2299491A5241EB
Pennyforthem Posted November 14, 2010 Author ID:344842

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5111
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
14/11/2010 03:06:49
mbam-log-2010-11-14 (03-06-49).txt
Scan type: Quick scan
Objects scanned: 146876
Time elapsed: 11 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Pennyforthem Posted November 14, 2010 Author ID:344847

Not sure if my machine is clean yet, kahdah; I need your say-so for that, but I'd like to thank you so very much for the time and trouble you've gone to over the last day and night. I really appreciate it. Hope you don't mind me asking you a few questions because, as already stated, I'm not computer literate. I will not take your answers as a 100% guarantee, but it would be helpful to know the views of a professional.

I have Malwarebytes AM, CCleaner, Avira and did have AVG. What else would you recommend that I need to help prevent my computer being attacked again? Is it worth buying Norton?

Which browser do you believe to be the safest?

I use my PC for many things like banking, bill paying, shopping, and as I can't afford a new one, would you suggest I reformat? Not sure I can because I didn't get a Windows CD with it. Any advice you can give would be appreciated.

And lastly, what should I do with all of these little notepad reports on my desktop? Can I delete them?
kahdah Posted November 14, 2010 ID:344957

I have Malwarebytes AM, CCleaner, Avira and did have AVG. What else would you recommend that I need to help prevent my computer being attacked again? Is it worth buying Norton?

Well, you can if you want, but I see people infected with any type of antivirus, so really it does not matter what you buy; you could always get infected. I personally use Kaspersky for all of the computers in my household of 3 computers and really have had no complaints.

Which browser do you believe to be the safest?

Any one will do. I prefer Google Chrome, but I'm not saying it is the safest; I think they are all one and the same, to be honest. I see no difference in the infection rate from IE, Firefox, Chrome, Opera etc. browsers.

I use my PC for many things like banking, bill paying, shopping, and as I can't afford a new one would you suggest I reformat. Not sure I can because I didn't get a Windows CD with it. Any advice you can give would be appreciated.

If you do not want to reformat, that is fine; the threat has been removed, and typically it is only a danger if the infection is active. You can use the recovery partition that is usually shipped with computers, or you can order a set of recovery disks from the manufacturer.

Yes, you can delete the text files on your desktop.

Please proceed with the ESET scan and post that log and we will wrap it up. Instructions were under the MBAM update\run.
Pennyforthem Posted November 14, 2010 Author ID:344994

Thanks for the advice, kahdah. The ESET scan is disappointing. Can I download a firewall, or is it best to wait until the machine is clean?

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0f2f5a5c45e5694db793d28a08d64050
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-14 02:20:28
# local_time=2010-11-14 02:20:28 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 100776 100776 0 0
# compatibility_mode=1797 16775141 100 93 159216 26271625 151679 0
# compatibility_mode=8192 67108863 100 0 3891 3891 0 0
# compatibility_mode=9217 16777214 0 9 47349344 58030418 0 0
# scanned=58024
# found=3
# cleaned=3
# scan_time=2153
C:\Qoobox\Quarantine\C\WINDOWS\system32\yqovgbjv.ini.vir	Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\System Volume Information\_restore{FDD8DD0C-139E-4893-8CF1-D4D1D8F05F86}\RP1\A0000017.ini	Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\WINDOWS\system32\234.js	JS/TrojanDownloader.Agent.NWG trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
kahdah Posted November 14, 2010 ID:344997

Ahh, those are not bad, just leftovers, nothing to worry about.

Sure, you can install a firewall if you want.

Open OTL and click on Run scan at the top.

Let me know of any remaining problems, please.
Pennyforthem Posted November 14, 2010 Author ID:345001

OTL logfile created on: 14/11/2010 14:36:23 - Run 2
OTL by OldTimer - Version 3.2.17.3     Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 209.38 Gb Free Space | 89.91% Space Free | Partition Type: NTFS

Computer Name: USER-CC002C0461 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe ()
PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)
PRC - C:\WINDOWS\system32\VTTimer.exe (S3 Graphics, Inc.)
PRC - C:\WINDOWS\system32\S3Trayp.exe (S3 Graphics Co., Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
PRC - C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe (ScanSoft, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll (ScanSoft, Inc.)

========== Win32 Services (SafeList) ==========

SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)

========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (S3GIGP) -- C:\WINDOWS\system32\drivers\S3gIGPm.sys (S3 Graphics Co., Ltd.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2010/11/14 02:42:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [s3Trayp] C:\WINDOWS\System32\S3Trayp.exe (S3 Graphics Co., Ltd.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/28 11:12:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/14 13:39:45 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/11/14 02:32:10 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\spoolsv.exe
[2010/11/14 02:20:17 | 001,086,304 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\User\Desktop\avg_remover_stf_x86_2011_1165.exe
[2010/11/14 00:03:37 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/11/13 23:58:58 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/11/13 23:58:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/11/13 23:58:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/11/13 23:58:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/11/13 23:58:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/11/13 23:58:07 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/11/13 22:35:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\tdsskiller
[2010/11/13 20:40:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\20071210_182632_rku37300509
[2010/11/13 15:20:24 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2010/11/13 14:52:40 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/13 10:45:00 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/11/13 00:54:29 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\User\Recent
[2010/11/12 11:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/11/11 18:40:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Avira
[2010/11/11 18:37:12 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\User\PrivacIE
[2010/11/11 18:37:06 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\User\IECompatCache
[2010/11/11 18:29:44 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\User\IETldCache
[2010/11/11 18:25:39 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2010/11/11 18:25:39 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll
[2010/11/11 16:35:48 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/11/11 16:35:47 | 000,126,856 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/11/11 16:35:47 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/11/11 16:35:47 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/11/11 16:35:47 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/11/11 16:35:45 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/11/11 16:35:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/11/10 18:33:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/11/10 18:33:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/11/10 11:04:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/11/10 11:04:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/11/08 10:55:10 | 001,330,776 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User\Desktop\TDSSKiller.exe
[2010/11/06 06:58:12 | 000,279,896 | RH-- | C] (Couponstar LTD) -- C:\WINDOWS\System32\cpnprtuk.cid
[2010/11/06 06:58:05 | 000,398,744 | RH-- | C] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[2010/11/06 06:55:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\Cache
[2010/11/06 06:55:46 | 000,000,000 | ---D | C] -- C:\Program Files\Coupon Printer
[2010/11/04 12:11:57 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/14 14:24:27 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2B1572A8-695E-4DC3-B037-F9A7A08CC279}.job
[2010/11/14 10:06:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/14 10:04:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/14 02:42:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/14 02:20:17 | 001,086,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\User\Desktop\avg_remover_stf_x86_2011_1165.exe
[2010/11/14 00:03:44 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/11/13 23:50:55 | 003,909,080 | R--- | M] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe
[2010/11/13 22:35:22 | 001,330,776 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User\Desktop\TDSSKiller.exe
[2010/11/13 22:33:26 | 001,215,581 | ---- | M] () -- C:\Documents and Settings\User\Desktop\tdsskiller.zip
[2010/11/13 15:23:36 | 000,087,354 | ---- | M] () -- C:\Documents and Settings\User\Desktop\20071210_182632_rku37300509.rar
[2010/11/13 15:17:55 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\User\Desktop\7z465.exe
[2010/11/13 14:52:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/13 10:45:42 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\User\Desktop\HiJackThis.lnk
[2010/11/12 19:54:20 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/11/11 16:36:03 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/11/11 10:24:23 | 000,023,200 | ---- | M] () -- C:\Documents and Settings\User\Application Data\wklnhst.dat
[2010/11/11 10:24:02 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cv done2.doc
[2010/11/10 14:25:50 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cv done.doc
[2010/11/10 10:15:05 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cv.doc
[2010/11/09 18:34:51 | 000,115,200 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cartoons.doc
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/11/06 06:58:14 | 000,398,744 | RH-- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[2010/11/06 06:58:12 | 000,279,896 | RH-- | M] (Couponstar LTD) -- C:\WINDOWS\System32\cpnprtuk.cid
[2010/11/06 06:55:46 | 000,000,031 | -H-- | M] () -- C:\WINDOWS\UKCpInfo.sys
[2010/11/02 16:25:02 | 000,477,262 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/02 16:25:02 | 000,084,292 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/31 00:54:04 | 000,103,424 | ---- | M] () -- C:\Documents and Settings\User\My Documents\The King and Rafa.doc
[2010/10/30 01:09:26 | 000,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2010/10/28 12:01:04 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/10/28 11:25:20 | 000,000,077 | ---- | M] () -- C:\Documents and Settings\User\default.pls
[2010/10/27 21:52:28 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\User\My Documents\carra and gerrard.doc
[2010/10/27 06:00:42 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Hiya Claire.doc
[2010/10/25 05:49:05 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Bacon Roly Poly.doc
[2010/10/25 04:11:26 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\User\My Documents\spreads.doc
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/14 00:03:44 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/11/14 00:03:42 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/11/13 23:58:58 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/11/13 23:58:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/11/13 23:58:58 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/11/13 23:58:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/11/13 23:58:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/11/13 23:50:46 | 003,909,080 | R--- | C] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe
[2010/11/13 22:33:24 | 001,215,581 | ---- | C] () -- C:\Documents and Settings\User\Desktop\tdsskiller.zip
[2010/11/13 20:40:59 | 000,095,744 | ---- | C] () -- C:\Documents and Settings\User\Desktop\rku37300509.exe
[2010/11/13 15:12:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\User\Desktop\7z465.exe
[2010/11/13 15:10:46 | 000,087,354 | ---- | C] () -- C:\Documents and Settings\User\Desktop\20071210_182632_rku37300509.rar
[2010/11/13 10:45:00 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\User\Desktop\HiJackThis.lnk
[2010/11/11 18:37:05 | 000,000,420 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2B1572A8-695E-4DC3-B037-F9A7A08CC279}.job
[2010/11/11 16:36:02 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/11/11 10:24:01 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cv done2.doc
[2010/11/10 13:50:07 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cv done.doc
[2010/11/10 10:15:04 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cv.doc
[2010/11/09 18:34:50 | 000,115,200 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cartoons.doc
[2010/11/06 06:55:46 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\UKCpInfo.sys
[2010/10/31 00:54:04 | 000,103,424 | ---- | C] () -- C:\Documents and Settings\User\My Documents\The King and Rafa.doc
[2010/10/27 21:52:28 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\User\My Documents\carra and gerrard.doc
[2010/10/23 09:01:32 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Hiya Claire.doc
[2010/06/11 17:45:07 | 000,000,021 | ---- | C] () -- C:\WINDOWS\progman.ini
[2010/05/22 07:33:04 | 000,000,026 | ---- | C] () -- C:\WINDOWS\month.ini
[2010/05/22 07:33:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2010/05/22 07:32:55 | 000,000,104 | ---- | C] () -- C:\WINDOWS\OAMSHELL.INI
[2009/07/25 08:57:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2009/06/03 08:32:44 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/25 09:46:53 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/01/24 11:25:51 | 000,023,200 | ---- | C] () -- C:\Documents and Settings\User\Application Data\wklnhst.dat
[2009/01/24 11:13:19 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/19 12:20:59 | 000,000,110 | ---- | C] () -- C:\WINDOWS\PhEdit.INI
[2009/01/19 12:03:14 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/28 11:50:24 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/12/28 10:22:05 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
[2008/12/28 10:17:22 | 000,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2008/10/28 10:44:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
< End of report >