BleepingComputer.com: Do i have a virus?

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Do i have a virus? Computer keeps crashing and very slow performance

#1 User is offline   d3ell84 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 11-January 11

Posted 10 October 2011 - 08:00 AM

Could you please have a look at my files as the computer im using is doing some very strange things and is running very slow.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Colin at 12:04:38 on 2011-10-10
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.393 [GMT 1:00]
.
AV: Sophos Anti-Virus *Enabled/Outdated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\Kaseya\KSAASP42944940446000\AgentMon.exe
C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Kaseya\KSAASP42944940446000\KaUsrTsk.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Colin\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFIE.EXE
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://companyweb
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [SansaDispatch] c:\documents and settings\colin\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [\\BELLSERVER\EPSON SX510W Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifie.exe /fu "c:\docume~1\colin\locals~1\temp\E_S2A3.tmp" /EF "HKCU"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Rqimop] rundll32.exe "c:\windows\idinegifo.dll",Startup
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [KASHKSAASP42944940446000] "c:\program files\kaseya\ksaasp42944940446000\KaUsrTsk.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\colin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sophos~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {7B43048F-DA7A-458F-AF35-D825BDBB6816} - hxxp://192.168.2.23/codebase/NetVideoOCX.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.2.2
TCP: Interfaces\{F5699187-B514-4DEC-B0AE-425BAC374A01} : DhcpNameServer = 192.168.2.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli imefsc32.dll
mASetup: {F0173905-8498-4452-A4BD-EC689AFA6B3A} - "%ProgramFiles%\Common Files\Sage SBD\ForceEIRRegistration.exe"
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-6-16 152192]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-6-16 24064]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-9-16 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-9-16 234888]
R2 KAKSAASP42944940446000;Kaseya IT Toolkit;c:\program files\kaseya\ksaasp42944940446000\AgentMon.exe [2010-6-22 835584]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-4-7 47640]
R2 Sage SData Service;Sage SData Service;c:\program files\common files\sage sdata\Sage.SData.Service.exe [2009-12-16 49152]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2010-6-16 104488]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-6-16 93736]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2010-6-22 278528]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-2-3 175144]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2010-6-22 802816]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.sys [2010-6-22 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9bd037d4c1d48;Google Update Service (gupdate1c9bd037d4c1d48);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-3-29 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-3-29 8320]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2010-6-16 23928]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-6-16 14976]
.
=============== Created Last 30 ================
.
2011-09-13 11:02:33 -------- d-----w- c:\documents and settings\all users\application data\Fronius
2011-09-13 10:51:18 -------- d-----w- c:\documents and settings\colin\local settings\application data\FRONIUS_International_Gmb
2011-09-13 10:51:12 -------- d-----w- c:\documents and settings\all users\Fronius International
2011-09-13 09:47:00 -------- d-----w- c:\program files\common files\Fronius
2011-09-13 09:35:09 -------- d-----w- c:\documents and settings\colin\local settings\application data\Fronius Konfigurator
2011-09-13 09:34:38 -------- d-----w- c:\program files\Fronius Austria
.
==================== Find3M ====================
.
2011-07-16 06:41:31 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-16 06:41:31 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-07-16 06:41:30 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-16 06:41:30 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-11-10 11:10:54 1105920 ------w- c:\program files\sg50Doctor.dll
2010-11-10 11:04:14 696320 ------w- c:\program files\sg50Nominal.dll
2010-10-07 14:49:06 1130496 ------w- c:\program files\sg50Bank.dll
2010-10-04 10:40:54 2232320 ------w- c:\program files\sg50Convert.dll
2010-10-04 10:22:28 958464 ------w- c:\program files\Sage.Integration.Accounts50.SDO.Adapter.GCRM.Feeds.dll
2010-10-04 10:15:02 5685248 ------w- c:\program files\sg50BusinessObjects.dll
2010-09-10 08:38:28 225280 ------w- c:\program files\sg50File.dll
2010-08-19 10:08:16 32768 ------w- c:\program files\Sage.Expressions.Line50.dll
2010-08-18 15:27:22 3346432 ------w- c:\program files\sg50Wizards.dll
2010-08-18 15:19:02 180224 ------w- c:\program files\sg50AccountantsLink.dll
2010-07-13 10:40:30 40984 ----a-w- c:\program files\SGScrnPop.exe
2010-07-13 10:40:28 323608 ----a-w- c:\program files\Sage.exe
2010-07-13 10:39:42 81920 ----a-w- c:\program files\ACCREP.DLL.Conversion.dll
2010-07-13 10:39:38 98304 ----a-w- c:\program files\Sage.Query.Engine.DataProvider.Line50.dll
2010-07-13 10:39:28 364544 ----a-w- c:\program files\sg50ProjectCosting.dll
2010-07-13 10:39:16 212992 ----a-w- c:\program files\sg50PurchaseOrders.dll
2010-07-13 10:37:44 479232 ----a-w- c:\program files\sg50Stock.dll
2010-07-13 10:37:32 118784 ----a-w- c:\program files\sg50Modal.dll
2010-07-13 10:37:24 57344 ----a-w- c:\program files\sg50Memorised.dll
2010-07-13 10:37:20 200704 ----a-w- c:\program files\sg50SalesOrders.dll
2010-07-13 10:37:10 98304 ----a-w- c:\program files\sg50User.dll
2010-07-13 10:36:52 110592 ----a-w- c:\program files\sg50Launcher.exe
2010-07-13 10:36:48 110592 ----a-w- c:\program files\sg50TaskLauncher2011.dll
2010-07-13 10:36:42 692224 ----a-w- c:\program files\sg50Invoicing.dll
2010-07-13 10:36:24 126976 ----a-w- c:\program files\sg50Intrastat.dll
2010-07-13 10:36:18 118784 ----a-w- c:\program files\sg50FixedAssets.dll
2010-07-13 10:31:38 4767744 ----a-w- c:\program files\sg50Application.dll
2010-07-13 10:30:24 610304 ----a-w- c:\program files\sg50Tasks.dll
2010-07-13 10:30:08 131072 ----a-w- c:\program files\sg50Departments.dll
2010-07-13 10:30:00 167936 ----a-w- c:\program files\sg50Budgets.dll
2010-07-13 10:29:48 512000 ----a-w- c:\program files\sg50Financials.dll
2010-07-13 10:29:22 270336 ----a-w- c:\program files\sg50End.dll
2010-07-13 10:29:08 217088 ----a-w- c:\program files\sg50ConfigEditor.dll
2010-07-13 10:28:58 151552 ----a-w- c:\program files\sg50Data.dll
2010-07-13 10:28:20 196608 ----a-w- c:\program files\sg50Import.dll
2010-07-13 10:28:12 86016 ----a-w- c:\program files\sg50EBankingRecordNotify.dll
2010-07-13 10:27:42 274432 ----a-w- c:\program files\sg50CashFlow.dll
2010-07-13 10:27:12 184320 ----a-w- c:\program files\sg50Assistance.dll
2010-07-13 10:27:04 397312 ----a-w- c:\program files\sg50Customers.dll
2010-07-13 10:26:52 356352 ----a-w- c:\program files\sg50PriceLists.dll
2010-07-13 10:26:36 24064 ----a-w- c:\program files\sg50MFCLibrary.dll
2010-07-13 10:26:32 573440 ----a-w- c:\program files\sg50Suppliers.dll
2010-07-13 10:26:16 233472 ----a-w- c:\program files\sg50Calendar.dll
2010-07-13 10:25:52 454656 ----a-w- c:\program files\sg50HMRCSubmission.dll
2010-07-13 10:25:28 200704 ----a-w- c:\program files\sg50AccountsReporting.dll
2010-07-13 10:25:28 200704 ----a-w- c:\program files\accrep32.dll
2010-07-13 10:25:12 712704 ----a-w- c:\program files\sg50Accounts.dll
2010-07-13 10:24:56 151552 ----a-w- c:\program files\sg50Addresses.dll
2010-07-13 10:24:50 184320 ----a-w- c:\program files\sg50RecurringInvoices.dll
2010-07-13 10:24:40 802816 ----a-w- c:\program files\sg50Dialog.dll
2010-07-13 10:24:10 135168 ----a-w- c:\program files\sg50CompanyLimit.dll
2010-07-13 10:24:06 184320 ----a-w- c:\program files\sg50Reporting.dll
2010-07-13 10:23:50 507904 ----a-w- c:\program files\sg50Filter.dll
2010-07-13 10:23:42 229376 ----a-w- c:\program files\sg50Sync.dll
2010-07-13 10:23:34 303104 ----a-w- c:\program files\sg50Outlook.dll
2010-07-13 10:23:26 565248 ----a-w- c:\program files\sg50Common.dll
2010-07-13 10:22:52 344064 ----a-w- c:\program files\sg50DEntry.dll
2010-07-13 10:22:38 126976 ----a-w- c:\program files\sg50Grid.dll
2010-07-13 10:22:34 696320 ----a-w- c:\program files\sg50Bitmaps.dll
2010-07-13 10:22:30 163840 ----a-w- c:\program files\sg50Controls.dll
2010-07-13 10:19:28 3174400 ----a-w- c:\program files\sg50DataObjects.dll
2010-07-13 10:19:10 10752 ----a-w- c:\program files\sg50Globvar.dll
2010-07-13 10:19:08 196608 ----a-w- c:\program files\sg50Excel.dll
2010-07-13 10:19:02 18944 ----a-w- c:\program files\sg50Network.dll
2010-07-13 10:19:00 339968 ----a-w- c:\program files\sg50DataFramework.dll
2010-07-13 10:18:42 253952 ----a-w- c:\program files\sg50Registration.dll
2010-07-13 10:18:20 151552 ----a-w- c:\program files\sg50Utils.dll
2010-07-13 10:18:00 335872 ----a-w- c:\program files\Sage.SBD.Utils.dll
2010-06-28 11:51:52 651264 ----a-w- c:\program files\Convertreports.exe
2008-08-19 15:34:38 1961984 ----a-w- c:\program files\Calendar1122vc80.dll
2007-04-23 13:46:12 90112 ----a-r- c:\program files\Sage.Accounts.InstallHelper.dll
2006-08-29 20:14:16 5556616 ----a-w- c:\program files\mdac_typ.exe
2006-05-12 17:02:02 118784 ----a-w- c:\program files\implodelib.dll
2005-01-20 14:58:44 36864 ----a-w- c:\program files\CrypKeys.exe
1999-07-13 14:26:50 70656 ----a-w- c:\program files\polspell.dll
.
============= FINISH: 12:06:03.80 ===============

Attached File(s)

  • Attached File  attach.txt (17.19K)
    Number of downloads: 2
  • Attached File  ark.txt (133.72K)
    Number of downloads: 2

#2 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 14 October 2011 - 05:24 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#3 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 20 October 2011 - 07:31 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#4 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 01 November 2011 - 04:58 PM

This topic has been re-opened at the request of the person who originally posted.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#5 User is offline   d3ell84 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 11-January 11

Posted 02 November 2011 - 07:34 AM

Thanks for re-opening for me.

I have done as requested and below is the log file from combofix

Attached File(s)

  • Attached File  log.txt (22.87K)
    Number of downloads: 1

#6 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 02 November 2011 - 05:57 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DirLook::
c:\documents and settings\Colin\Local Settings\Application Data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6}

ClearJavaCache::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

This post has been edited by CatByte: 02 November 2011 - 06:06 PM

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#7 User is offline   d3ell84 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 11-January 11

Posted 03 November 2011 - 09:01 AM

Hi,

As requested i have done what you asked!

The 3 reports are below

1 - combofix report

ComboFix 11-11-03.01 - Colin 03/11/2011 7:54.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.281 [GMT 0:00]
Running from: c:\documents and settings\Colin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Colin\Desktop\CFScript.txt
AV: Sophos Anti-Virus *Disabled/Outdated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-03 to 2011-11-03 )))))))))))))))))))))))))))))))
.
.
2011-11-03 07:47 . 2011-11-03 07:47 -------- d--h--w- c:\windows\PIF
2011-11-01 15:44 . 2008-04-14 04:42 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2011-11-01 15:44 . 2008-04-14 04:42 39424 ----a-w- c:\windows\system32\grpconv.exe
2011-11-01 14:36 . 2011-11-01 14:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 12:51 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-11-01 12:51 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-01 12:51 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-24 09:00 . 2011-10-24 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Splashtop
2011-10-24 09:00 . 2011-10-24 09:00 -------- d-----w- c:\program files\Splashtop
2011-10-24 08:59 . 2011-10-24 08:59 -------- d-----w- c:\documents and settings\Colin\Local Settings\Application Data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 10:41 . 2008-07-29 18:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-11-10 11:10 . 2010-07-13 10:36 1105920 ------w- c:\program files\sg50Doctor.dll
2010-11-10 11:04 . 2010-07-13 10:28 696320 ------w- c:\program files\sg50Nominal.dll
2010-10-07 14:49 . 2010-07-13 10:35 1130496 ------w- c:\program files\sg50Bank.dll
2010-10-04 10:40 . 2010-07-13 10:28 2232320 ------w- c:\program files\sg50Convert.dll
2010-10-04 10:22 . 2011-03-10 14:14 958464 ------w- c:\program files\Sage.Integration.Accounts50.SDO.Adapter.GCRM.Feeds.dll
2010-10-04 10:15 . 2010-07-13 10:22 5685248 ------w- c:\program files\sg50BusinessObjects.dll
2010-09-10 08:38 . 2010-07-13 10:18 225280 ------w- c:\program files\sg50File.dll
2010-08-19 10:08 . 2011-03-10 14:14 32768 ------w- c:\program files\Sage.Expressions.Line50.dll
2010-08-18 15:27 . 2010-07-13 10:35 3346432 ------w- c:\program files\sg50Wizards.dll
2010-08-18 15:19 . 2010-07-13 10:23 180224 ------w- c:\program files\sg50AccountantsLink.dll
2010-07-13 10:40 . 2010-07-13 10:40 40984 ----a-w- c:\program files\SGScrnPop.exe
2010-07-13 10:40 . 2010-07-13 10:40 323608 ----a-w- c:\program files\Sage.exe
2010-07-13 10:39 . 2010-07-13 10:39 81920 ----a-w- c:\program files\ACCREP.DLL.Conversion.dll
2010-07-13 10:39 . 2010-07-13 10:39 98304 ----a-w- c:\program files\Sage.Query.Engine.DataProvider.Line50.dll
2010-07-13 10:39 . 2010-07-13 10:39 364544 ----a-w- c:\program files\sg50ProjectCosting.dll
2010-07-13 10:39 . 2010-07-13 10:39 212992 ----a-w- c:\program files\sg50PurchaseOrders.dll
2010-07-13 10:37 . 2010-07-13 10:37 479232 ----a-w- c:\program files\sg50Stock.dll
2010-07-13 10:37 . 2010-07-13 10:37 118784 ----a-w- c:\program files\sg50Modal.dll
2010-07-13 10:37 . 2010-07-13 10:37 57344 ----a-w- c:\program files\sg50Memorised.dll
2010-07-13 10:37 . 2010-07-13 10:37 200704 ----a-w- c:\program files\sg50SalesOrders.dll
2010-07-13 10:37 . 2010-07-13 10:37 98304 ----a-w- c:\program files\sg50User.dll
2010-07-13 10:36 . 2010-07-13 10:36 110592 ----a-w- c:\program files\sg50Launcher.exe
2010-07-13 10:36 . 2010-07-13 10:36 110592 ----a-w- c:\program files\sg50TaskLauncher2011.dll
2010-07-13 10:36 . 2010-07-13 10:36 692224 ----a-w- c:\program files\sg50Invoicing.dll
2010-07-13 10:36 . 2010-07-13 10:36 126976 ----a-w- c:\program files\sg50Intrastat.dll
2010-07-13 10:36 . 2010-07-13 10:36 118784 ----a-w- c:\program files\sg50FixedAssets.dll
2010-07-13 10:31 . 2010-07-13 10:31 4767744 ----a-w- c:\program files\sg50Application.dll
2010-07-13 10:30 . 2010-07-13 10:30 610304 ----a-w- c:\program files\sg50Tasks.dll
2010-07-13 10:30 . 2010-07-13 10:30 131072 ----a-w- c:\program files\sg50Departments.dll
2010-07-13 10:30 . 2010-07-13 10:30 167936 ----a-w- c:\program files\sg50Budgets.dll
2010-07-13 10:29 . 2010-07-13 10:29 512000 ----a-w- c:\program files\sg50Financials.dll
2010-07-13 10:29 . 2010-07-13 10:29 270336 ----a-w- c:\program files\sg50End.dll
2010-07-13 10:29 . 2010-07-13 10:29 217088 ----a-w- c:\program files\sg50ConfigEditor.dll
2010-07-13 10:28 . 2010-07-13 10:28 151552 ----a-w- c:\program files\sg50Data.dll
2010-07-13 10:28 . 2010-07-13 10:28 196608 ----a-w- c:\program files\sg50Import.dll
2010-07-13 10:28 . 2010-07-13 10:28 86016 ----a-w- c:\program files\sg50EBankingRecordNotify.dll
2010-07-13 10:27 . 2010-07-13 10:27 274432 ----a-w- c:\program files\sg50CashFlow.dll
2010-07-13 10:27 . 2010-07-13 10:27 184320 ----a-w- c:\program files\sg50Assistance.dll
2010-07-13 10:27 . 2010-07-13 10:27 397312 ----a-w- c:\program files\sg50Customers.dll
2010-07-13 10:26 . 2010-07-13 10:26 356352 ----a-w- c:\program files\sg50PriceLists.dll
2010-07-13 10:26 . 2010-07-13 10:26 24064 ----a-w- c:\program files\sg50MFCLibrary.dll
2010-07-13 10:26 . 2010-07-13 10:26 573440 ----a-w- c:\program files\sg50Suppliers.dll
2010-07-13 10:26 . 2010-07-13 10:26 233472 ----a-w- c:\program files\sg50Calendar.dll
2010-07-13 10:25 . 2010-07-13 10:25 454656 ----a-w- c:\program files\sg50HMRCSubmission.dll
2010-07-13 10:25 . 2010-07-13 10:25 200704 ----a-w- c:\program files\sg50AccountsReporting.dll
2010-07-13 10:25 . 2010-07-13 10:25 200704 ----a-w- c:\program files\accrep32.dll
2010-07-13 10:25 . 2010-07-13 10:25 712704 ----a-w- c:\program files\sg50Accounts.dll
2010-07-13 10:24 . 2010-07-13 10:24 151552 ----a-w- c:\program files\sg50Addresses.dll
2010-07-13 10:24 . 2010-07-13 10:24 184320 ----a-w- c:\program files\sg50RecurringInvoices.dll
2010-07-13 10:24 . 2010-07-13 10:24 802816 ----a-w- c:\program files\sg50Dialog.dll
2010-07-13 10:24 . 2010-07-13 10:24 135168 ----a-w- c:\program files\sg50CompanyLimit.dll
2010-07-13 10:24 . 2010-07-13 10:24 184320 ----a-w- c:\program files\sg50Reporting.dll
2010-07-13 10:23 . 2010-07-13 10:23 507904 ----a-w- c:\program files\sg50Filter.dll
2010-07-13 10:23 . 2010-07-13 10:23 229376 ----a-w- c:\program files\sg50Sync.dll
2010-07-13 10:23 . 2010-07-13 10:23 303104 ----a-w- c:\program files\sg50Outlook.dll
2010-07-13 10:23 . 2010-07-13 10:23 565248 ----a-w- c:\program files\sg50Common.dll
2010-07-13 10:22 . 2010-07-13 10:22 344064 ----a-w- c:\program files\sg50DEntry.dll
2010-07-13 10:22 . 2010-07-13 10:22 126976 ----a-w- c:\program files\sg50Grid.dll
2010-07-13 10:22 . 2010-07-13 10:22 696320 ----a-w- c:\program files\sg50Bitmaps.dll
2010-07-13 10:22 . 2010-07-13 10:22 163840 ----a-w- c:\program files\sg50Controls.dll
2010-07-13 10:19 . 2010-07-13 10:19 3174400 ----a-w- c:\program files\sg50DataObjects.dll
2010-07-13 10:19 . 2010-07-13 10:19 10752 ----a-w- c:\program files\sg50Globvar.dll
2010-07-13 10:19 . 2010-07-13 10:19 196608 ----a-w- c:\program files\sg50Excel.dll
2010-07-13 10:19 . 2010-07-13 10:19 18944 ----a-w- c:\program files\sg50Network.dll
2010-07-13 10:19 . 2010-07-13 10:19 339968 ----a-w- c:\program files\sg50DataFramework.dll
2010-07-13 10:18 . 2010-07-13 10:18 253952 ----a-w- c:\program files\sg50Registration.dll
2010-07-13 10:18 . 2010-07-13 10:18 151552 ----a-w- c:\program files\sg50Utils.dll
2010-07-13 10:18 . 2010-07-13 10:18 335872 ----a-w- c:\program files\Sage.SBD.Utils.dll
2010-07-13 10:02 . 2010-07-13 10:02 18319 ----a-w- c:\program files\COMMON10.JS
2010-06-28 11:51 . 2010-06-28 11:51 651264 ----a-w- c:\program files\Convertreports.exe
2008-08-19 15:34 . 2008-08-19 15:34 1961984 ----a-w- c:\program files\Calendar1122vc80.dll
2007-04-23 13:46 . 2007-04-23 13:46 90112 ----a-r- c:\program files\Sage.Accounts.InstallHelper.dll
2006-08-29 20:14 . 2006-08-29 20:14 5556616 ----a-w- c:\program files\mdac_typ.exe
2006-05-12 17:02 . 2006-05-12 17:02 118784 ----a-w- c:\program files\implodelib.dll
2005-01-20 14:58 . 2005-01-20 14:58 36864 ----a-w- c:\program files\CrypKeys.exe
1999-07-13 14:26 . 1999-07-13 14:26 70656 ----a-w- c:\program files\polspell.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Colin\Local Settings\Application Data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6} ----
.
2011-10-24 08:59 . 2011-10-24 08:59 22492 ----a-w- c:\documents and settings\Colin\Local Settings\Application Data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6}\0x0409.ini
2011-10-24 08:59 . 2011-10-24 08:59 13824 ----a-w- c:\documents and settings\Colin\Local Settings\Application Data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6}\1033.MST
2011-10-24 08:59 . 2011-10-24 08:59 8675840 ----a-w- c:\documents and settings\Colin\Local Settings\Application Data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6}\Splashtop Streamer.msi
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-01_16.23.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-03 08:03 . 2011-11-03 08:03 17024 c:\windows\SoftwareDistribution\EventCache\{6DC04C42-AB33-4556-A87D-2E682FB8EC12}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 11:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"\\BELLSERVER\EPSON SX510W Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIFIE.EXE" [2008-11-20 199680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"KASHKSAASP42944940446000"="c:\program files\Kaseya\KSAASP42944940446000\KaUsrTsk.exe" [2011-01-25 380928]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
.
c:\documents and settings\Colin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Sophos AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2010-2-3 429096]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-16 06:41 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KAKSAASP42944940446000]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\DataProxy.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\inputserv.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRLogin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [16/06/2010 21:14 152192]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [16/06/2010 21:16 24064]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [16/09/2009 14:17 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [16/09/2009 14:18 234888]
R2 KAKSAASP42944940446000;Kaseya IT Toolkit;c:\program files\Kaseya\KSAASP42944940446000\AgentMon.exe [21/06/2010 23:31 835584]
R2 Sage SData Service;Sage SData Service;c:\program files\Common Files\Sage SData\Sage.SData.Service.exe [16/12/2009 20:09 49152]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [16/06/2010 21:14 104488]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [16/06/2010 21:16 93736]
R2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe [09/09/2011 10:13 518472]
R2 SSUService;Splashtop Software Updater Service;c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe [21/09/2011 08:27 366408]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.sys [21/06/2010 23:31 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate1c9bd037d4c1d48;Google Update Service (gupdate1c9bd037d4c1d48);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2009 13:18 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/04/2009 13:18 133104]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [29/03/2010 07:49 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [29/03/2010 07:49 8320]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [16/06/2010 21:15 23928]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [16/06/2010 21:15 14976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F0173905-8498-4452-A4BD-EC689AFA6B3A}]
2010-05-14 11:02 73728 ----a-w- c:\program files\Common Files\Sage SBD\ForceEIRRegistration.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 13:18]
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 13:18]
.
2011-11-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.2
DPF: {7B43048F-DA7A-458F-AF35-D825BDBB6816} - hxxp://192.168.2.23/codebase/NetVideoOCX.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-03 08:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\LMIinit.dll
c:\windows\system32\l3codeca.acm
.
- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(1008)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-11-03 08:11:36
ComboFix-quarantined-files.txt 2011-11-03 08:11
ComboFix2.txt 2011-11-01 16:31
.
Pre-Run: 112,094,785,536 bytes free
Post-Run: 112,097,787,904 bytes free
.
- - End Of File - - 83372BB2B9C14AFB69C23AC964B42B68

2 - MBAM REPORT

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8074

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/11/2011 10:45:58
mbam-log-2011-11-03 (10-45-58).txt

Scan type: Quick scan
Objects scanned: 248059
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\implodelib.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\program files\sage.accounts.installhelper.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.


3 - ESET Report

I:\MS OFFICE\MS Office 2007.iso probably a variant of Win32/Agent.FGHQVIS trojan

Is there anything i need to do next?!?

Thanks

#8 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 03 November 2011 - 04:44 PM

Hi,

The detection by ESET is a false positive

just a couple more things to do,

please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


Your installed programs list doesn't show that you have Java installed, most web sites use it, take a look and decide if you wish to install it

http://www.java.com/en/download/faq/whatis_java.xml


NEXT


please post a fresh DDS Log and advise how your computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#9 User is offline   d3ell84 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 13
  • Joined: 11-January 11

Posted 04 November 2011 - 04:08 AM

Hi Computer appears to be running a lot better now :)

also no errors upon startup.

I have attached the DDS below, let me know if there is anything else i need to do! Thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Colin at 9:04:42 on 2011-11-04
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.286 [GMT 0:00]
.
AV: Sophos Anti-Virus *Disabled/Outdated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\KSAASP42944940446000\AgentMon.exe
C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe
C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Splashtop\Splashtop Remote\Server\SRServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Splashtop\Splashtop Remote\Server\DataProxy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Kaseya\KSAASP42944940446000\KaUsrTsk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [\\BELLSERVER\EPSON SX510W Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifie.exe /fu "c:\docume~1\colin\locals~1\temp\E_S2A3.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [KASHKSAASP42944940446000] "c:\program files\kaseya\ksaasp42944940446000\KaUsrTsk.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\colin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sophos~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7B43048F-DA7A-458F-AF35-D825BDBB6816} - hxxp://192.168.2.23/codebase/NetVideoOCX.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.2.2
TCP: Interfaces\{F5699187-B514-4DEC-B0AE-425BAC374A01} : DhcpNameServer = 192.168.2.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {F0173905-8498-4452-A4BD-EC689AFA6B3A} - "%ProgramFiles%\Common Files\Sage SBD\ForceEIRRegistration.exe"
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-6-16 152192]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-6-16 24064]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-9-16 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-9-16 234888]
R2 KAKSAASP42944940446000;Kaseya IT Toolkit;c:\program files\kaseya\ksaasp42944940446000\AgentMon.exe [2010-6-21 835584]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-4-7 47640]
R2 Sage SData Service;Sage SData Service;c:\program files\common files\sage sdata\Sage.SData.Service.exe [2009-12-16 49152]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2010-6-16 104488]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-6-16 93736]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2010-6-22 278528]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-2-3 175144]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2010-6-22 802816]
R2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\splashtop\splashtop remote\server\SRService.exe [2011-9-9 518472]
R2 SSUService;Splashtop Software Updater Service;c:\program files\splashtop\splashtop software updater\SSUService.exe [2011-9-21 366408]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.sys [2010-6-21 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9bd037d4c1d48;Google Update Service (gupdate1c9bd037d4c1d48);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-3-29 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-3-29 8320]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2010-6-16 23928]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-6-16 14976]
.
=============== Created Last 30 ================
.
2011-11-04 08:50:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 08:50:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-04 08:45:49 -------- d-----w- c:\documents and settings\colin\local settings\application data\Solid State Networks
2011-11-03 11:00:13 -------- d-----w- c:\program files\ESET
2011-11-03 07:47:55 -------- d--h--w- c:\windows\PIF
2011-11-01 15:44:49 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2011-11-01 15:44:49 39424 ----a-w- c:\windows\system32\grpconv.exe
2011-11-01 15:04:38 -------- d-sha-r- C:\cmdcons
2011-11-01 14:59:50 208896 ----a-w- c:\windows\MBR.exe
2011-11-01 14:59:49 98816 ----a-w- c:\windows\sed.exe
2011-11-01 14:59:49 518144 ----a-w- c:\windows\SWREG.exe
2011-11-01 14:59:49 256000 ----a-w- c:\windows\PEV.exe
2011-11-01 14:36:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 12:51:54 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-11-01 12:51:53 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-01 12:51:45 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-24 09:00:42 -------- d-----w- c:\documents and settings\all users\application data\Splashtop
2011-10-24 09:00:17 -------- d-----w- c:\program files\Splashtop
2011-10-24 08:59:54 -------- d-----w- c:\documents and settings\colin\local settings\application data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6}
.
==================== Find3M ====================
.
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 17:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-11-10 11:10:54 1105920 ------w- c:\program files\sg50Doctor.dll
2010-11-10 11:04:14 696320 ------w- c:\program files\sg50Nominal.dll
2010-10-07 14:49:06 1130496 ------w- c:\program files\sg50Bank.dll
2010-10-04 10:40:54 2232320 ------w- c:\program files\sg50Convert.dll
2010-10-04 10:22:28 958464 ------w- c:\program files\Sage.Integration.Accounts50.SDO.Adapter.GCRM.Feeds.dll
2010-10-04 10:15:02 5685248 ------w- c:\program files\sg50BusinessObjects.dll
2010-09-10 08:38:28 225280 ------w- c:\program files\sg50File.dll
2010-08-19 10:08:16 32768 ------w- c:\program files\Sage.Expressions.Line50.dll
2010-08-18 15:27:22 3346432 ------w- c:\program files\sg50Wizards.dll
2010-08-18 15:19:02 180224 ------w- c:\program files\sg50AccountantsLink.dll
2010-07-13 10:40:30 40984 ----a-w- c:\program files\SGScrnPop.exe
2010-07-13 10:40:28 323608 ----a-w- c:\program files\Sage.exe
2010-07-13 10:39:42 81920 ----a-w- c:\program files\ACCREP.DLL.Conversion.dll
2010-07-13 10:39:38 98304 ----a-w- c:\program files\Sage.Query.Engine.DataProvider.Line50.dll
2010-07-13 10:39:28 364544 ----a-w- c:\program files\sg50ProjectCosting.dll
2010-07-13 10:39:16 212992 ----a-w- c:\program files\sg50PurchaseOrders.dll
2010-07-13 10:37:44 479232 ----a-w- c:\program files\sg50Stock.dll
2010-07-13 10:37:32 118784 ----a-w- c:\program files\sg50Modal.dll
2010-07-13 10:37:24 57344 ----a-w- c:\program files\sg50Memorised.dll
2010-07-13 10:37:20 200704 ----a-w- c:\program files\sg50SalesOrders.dll
2010-07-13 10:37:10 98304 ----a-w- c:\program files\sg50User.dll
2010-07-13 10:36:52 110592 ----a-w- c:\program files\sg50Launcher.exe
2010-07-13 10:36:48 110592 ----a-w- c:\program files\sg50TaskLauncher2011.dll
2010-07-13 10:36:42 692224 ----a-w- c:\program files\sg50Invoicing.dll
2010-07-13 10:36:24 126976 ----a-w- c:\program files\sg50Intrastat.dll
2010-07-13 10:36:18 118784 ----a-w- c:\program files\sg50FixedAssets.dll
2010-07-13 10:31:38 4767744 ----a-w- c:\program files\sg50Application.dll
2010-07-13 10:30:24 610304 ----a-w- c:\program files\sg50Tasks.dll
2010-07-13 10:30:08 131072 ----a-w- c:\program files\sg50Departments.dll
2010-07-13 10:30:00 167936 ----a-w- c:\program files\sg50Budgets.dll
2010-07-13 10:29:48 512000 ----a-w- c:\program files\sg50Financials.dll
2010-07-13 10:29:22 270336 ----a-w- c:\program files\sg50End.dll
2010-07-13 10:29:08 217088 ----a-w- c:\program files\sg50ConfigEditor.dll
2010-07-13 10:28:58 151552 ----a-w- c:\program files\sg50Data.dll
2010-07-13 10:28:20 196608 ----a-w- c:\program files\sg50Import.dll
2010-07-13 10:28:12 86016 ----a-w- c:\program files\sg50EBankingRecordNotify.dll
2010-07-13 10:27:42 274432 ----a-w- c:\program files\sg50CashFlow.dll
2010-07-13 10:27:12 184320 ----a-w- c:\program files\sg50Assistance.dll
2010-07-13 10:27:04 397312 ----a-w- c:\program files\sg50Customers.dll
2010-07-13 10:26:52 356352 ----a-w- c:\program files\sg50PriceLists.dll
2010-07-13 10:26:36 24064 ----a-w- c:\program files\sg50MFCLibrary.dll
2010-07-13 10:26:32 573440 ----a-w- c:\program files\sg50Suppliers.dll
2010-07-13 10:26:16 233472 ----a-w- c:\program files\sg50Calendar.dll
2010-07-13 10:25:52 454656 ----a-w- c:\program files\sg50HMRCSubmission.dll
2010-07-13 10:25:28 200704 ----a-w- c:\program files\sg50AccountsReporting.dll
2010-07-13 10:25:28 200704 ----a-w- c:\program files\accrep32.dll
2010-07-13 10:25:12 712704 ----a-w- c:\program files\sg50Accounts.dll
2010-07-13 10:24:56 151552 ----a-w- c:\program files\sg50Addresses.dll
2010-07-13 10:24:50 184320 ----a-w- c:\program files\sg50RecurringInvoices.dll
2010-07-13 10:24:40 802816 ----a-w- c:\program files\sg50Dialog.dll
2010-07-13 10:24:10 135168 ----a-w- c:\program files\sg50CompanyLimit.dll
2010-07-13 10:24:06 184320 ----a-w- c:\program files\sg50Reporting.dll
2010-07-13 10:23:50 507904 ----a-w- c:\program files\sg50Filter.dll
2010-07-13 10:23:42 229376 ----a-w- c:\program files\sg50Sync.dll
2010-07-13 10:23:34 303104 ----a-w- c:\program files\sg50Outlook.dll
2010-07-13 10:23:26 565248 ----a-w- c:\program files\sg50Common.dll
2010-07-13 10:22:52 344064 ----a-w- c:\program files\sg50DEntry.dll
2010-07-13 10:22:38 126976 ----a-w- c:\program files\sg50Grid.dll
2010-07-13 10:22:34 696320 ----a-w- c:\program files\sg50Bitmaps.dll
2010-07-13 10:22:30 163840 ----a-w- c:\program files\sg50Controls.dll
2010-07-13 10:19:28 3174400 ----a-w- c:\program files\sg50DataObjects.dll
2010-07-13 10:19:10 10752 ----a-w- c:\program files\sg50Globvar.dll
2010-07-13 10:19:08 196608 ----a-w- c:\program files\sg50Excel.dll
2010-07-13 10:19:02 18944 ----a-w- c:\program files\sg50Network.dll
2010-07-13 10:19:00 339968 ----a-w- c:\program files\sg50DataFramework.dll
2010-07-13 10:18:42 253952 ----a-w- c:\program files\sg50Registration.dll
2010-07-13 10:18:20 151552 ----a-w- c:\program files\sg50Utils.dll
2010-07-13 10:18:00 335872 ----a-w- c:\program files\Sage.SBD.Utils.dll
2010-06-28 11:51:52 651264 ----a-w- c:\program files\Convertreports.exe
2008-08-19 15:34:38 1961984 ----a-w- c:\program files\Calendar1122vc80.dll
2006-08-29 20:14:16 5556616 ----a-w- c:\program files\mdac_typ.exe
2005-01-20 14:58:44 36864 ----a-w- c:\program files\CrypKeys.exe
1999-07-13 14:26:50 70656 ----a-w- c:\program files\polspell.dll
.
============= FINISH: 9:06:01.94 ===============

Attached File(s)


#10 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 04 November 2011 - 06:35 AM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the DDS and GMER logs and programs from your desktop.


NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.


Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them     Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.


  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.


  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.


  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE


  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.


  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.


  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.



**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#11 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 15 November 2011 - 11:35 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users