Trojan DNSChanger


  • This topic is locked
29 replies to this topic

#1 blkdrkkngt

blkdrkkngt

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:14 AM

Posted 24 December 2008 - 03:58 PM

Mod. edit. blkdrkkngt was referred here from the Am I Infected forum. Please read this topic: http://www.bleepingcomputer.com/forums/t/187814/trojandns-changer/ for a description of the problem and for what's been done already. Another topic states that blkdrkkngt's USB ports are not functioning properly. ~ OB

DDS (Version 1.1.0) - NTFSx86
Run by Owner at 15:50:32.06 on Wed 12/24/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.256 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - Skype add-on (mastermind)
BHO: Skype add-on (mastermind): {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [INPROCOMMWireless] c:\program files\atheros\wireless\utility\WlanUtil.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck /autofix
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [System Files Updater] c:\windows\flyakiteosx\System Files Updater.exe /S
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\rocket~1.lnk - c:\windows\bricopacks\vista inspirat 2\rocketdock\RocketDock.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\transbar.lnk - c:\windows\bricopacks\vista inspirat 2\transbar\TransBar.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\ubericon.lnk - c:\windows\bricopacks\vista inspirat 2\ubericon\UberIcon Manager.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\y'zsha~1.lnk - c:\windows\bricopacks\vista inspirat 2\yzshadow\YzShadow.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{cc15a5fc-b6d3-4a2d-8a26-d8f2702a3c00}\IcoUltraMon.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-3 26824]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-3 76040]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\RaInfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-26 47640]
R2 UltraMonUtility;UltraMon Utility Driver;\??\c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-9-14 10496]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\f:\everest ultimate edition\kerneld.wnt []
S3 RkHit;RkHit;\??\c:\windows\system32\drivers\RKHit.sys [2008-12-20 28672]
S4 LMIRfsClientNP;LMIRfsClientNP; []

=============== Created Last 30 ================

2008-12-22 22:16 --d----- c:\docume~1\owner\applic~1\Windows Search
2008-12-22 21:08 --d----- c:\windows\system32\CatRoot2
2008-12-20 23:36 --d----- c:\windows\ERUNT
2008-12-20 23:23 --d----- C:\SDFix
2008-12-20 22:44 28,672 a------- c:\windows\system32\drivers\RKHit.sys
2008-12-20 16:40 4,554 a------- c:\windows\system32\tmp.reg
2008-12-18 20:47 --d----- c:\windows\SxsCaPendDel
2008-12-18 20:43 --d----- c:\docume~1\owner\applic~1\Windows Desktop Search
2008-12-18 20:41 --d----- c:\program files\Windows Desktop Search
2008-12-18 20:38 --d----- c:\program files\Windows Media Connect 2
2008-12-18 20:32 --d----- c:\docume~1\owner\applic~1\Uniblue
2008-12-18 20:32 --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2008-12-18 20:30 -cd-h--- c:\docume~1\alluse~1\applic~1\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-12-18 20:30 --d----- c:\program files\Uniblue
2008-12-18 20:28 -cd-h--- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-18 20:28 --d----- C:\f0ce55996bc39d01da
2008-12-18 20:28 --d-hr-- C:\AHCache
2008-12-18 20:28 --d----- C:\c9e3632431ad937b5212
2008-12-18 20:26 --d----- c:\windows\system32\URTTEMP
2008-12-17 18:18 92 a------- c:\windows\GridV.UNI
2008-12-17 18:18 --d----- c:\program files\Acer Inc
2008-12-17 18:18 69,632 a------- c:\windows\system32\drivers\int15.sys
2008-12-17 18:18 14,544 a------- c:\windows\system32\drivers\TVicPort.sys
2008-12-17 18:18 8,704 a------- c:\windows\system32\drivers\TVicPort64.sys
2008-12-17 18:18 8,704 a------- c:\windows\system32\drivers\int15_64.sys
2008-12-17 18:18 6,144 a------- c:\windows\system32\drivers\zntport64.sys
2008-12-17 18:18 6,080 a------- c:\windows\system32\drivers\zntport.sys
2008-12-14 00:51 --d----- c:\program files\iPod
2008-12-14 00:51 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-07 15:15 53,248 a------- c:\windows\system32\acpimof.dll
2008-12-07 15:15 45,056 a------- c:\windows\system32\Epm-Po.dll
2008-12-07 12:55 --d----- c:\windows\IIS Temporary Compressed Files
2008-12-07 12:55 --d----- c:\windows\system32\Cache
2008-12-07 12:54 --d----- c:\windows\system32\FxsTmp
2008-12-07 12:54 535 a------- c:\windows\system32\mapisvc.inf
2008-12-07 00:37 --d----- c:\program files\YzShadow
2008-12-07 00:37 --d----- c:\program files\WinRoll
2008-12-07 00:37 --d----- c:\program files\Tiger System Preferences v2
2008-12-07 00:37 --d----- c:\program files\SearchSpy
2008-12-07 00:36 --d----- c:\program files\RK Launcher
2008-12-07 00:36 2,136,064 a------- c:\windows\system32\osxboot.exe
2008-12-07 00:32 --d-h--- c:\windows\FlyakiteOSX
2008-12-06 23:21 691,200 ac------ c:\windows\system32\dllcache\logon.scr
2008-12-06 23:21 691,200 a------- c:\windows\system32\logon.scr
2008-12-06 23:21 --d----- c:\windows\system32\VIRepair
2008-12-05 23:41 553 a------- c:\windows\USetup.iss
2008-12-05 23:40 1,826,816 a------- c:\windows\SkyTel.exe
2008-12-05 23:40 290,816 a------- c:\windows\vncutil.exe
2008-12-05 23:40 104,992 a------- c:\windows\RtkAudioService.exe
2008-12-05 23:40 34,816 a------- c:\windows\system32\RtkCoInstXP.dll
2008-12-05 23:40 1,389,056 a------- c:\windows\system32\drivers\Monfilt.sys
2008-12-05 23:40 1,684,736 a------- c:\windows\system32\drivers\Ambfilt.sys
2008-12-05 23:40 --d----- c:\program files\Realtek
2008-12-05 23:40 528,384 a------- c:\windows\RtlExUpd.dll
2008-12-02 20:46 --d----- c:\program files\Lavasoft
2008-12-02 20:39 --d----- c:\program files\common files\Wise Installation Wizard
2008-12-01 16:20 --d----- c:\program files\AMDAGP
2008-11-28 14:18 --d----- c:\docume~1\alluse~1\applic~1\WinZipSE
2008-11-27 23:05 --d----- c:\documents and settings\owner\.thumbnails
2008-11-27 23:03 --d----- c:\documents and settings\owner\.gimp-2.6
2008-11-27 23:03 --d----- c:\documents and settings\owner\.gegl-0.0
2008-11-27 23:02 --d----- c:\program files\GIMP-2.0
2008-11-27 03:10 --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2008-11-27 03:09 --d----- c:\docume~1\alluse~1\applic~1\Sony Online Entertainment
2008-11-27 03:09 --d----- c:\program files\Sony Online Entertainment

==================== Find3M ====================

2008-12-17 18:47 3,230 a------- c:\windows\system32\ealregsnapshot1.reg
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-11-25 16:37 4,952,576 a------- c:\windows\system32\drivers\RtkHDAud.sys
2008-11-22 13:07 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-20 06:33 60,832 a---h--- c:\windows\system32\mlfcache.dat
2008-11-17 16:08 17,676,288 a------- c:\windows\RTHDCPL.EXE
2008-11-16 16:26 415,744 a------- c:\windows\system32\CF31453.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-08 15:47 5,370 a------- c:\windows\BricoPackFoldersDelete.cmd
2008-11-08 15:47 71,429 a------- c:\windows\BricoPackUninst.cmd
2008-11-07 16:35 103,424 a------- c:\windows\system32\SwitchBlade_nat.dll
2008-11-07 14:57 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-11-02 12:59 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-17 16:02 106,496 a------- c:\windows\system32\ATL71.DLL
2008-10-16 19:35 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-16 19:35 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-16 19:35 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-16 19:35 23,736 a------- c:\windows\system32\lmimirr.dll
2008-10-16 19:35 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-16 15:38 803,840 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 345,448 a------- c:\windows\system32\muweb.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-10 20:32 218,624 a------- c:\windows\system32\uxtheme.dll
2008-10-09 16:34 137,623 a------- c:\windows\HPHins15.dat
2008-10-05 11:24 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-04 13:44 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-01 14:51 87,552 a------- c:\windows\system32\VACFix.exe
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-30 16:38 2,168,320 a------- c:\windows\MicCal.exe
2008-09-28 22:34 230,400 a------- c:\windows\UltraMon.scr
2008-09-28 22:33 218,112 a------- c:\windows\system32\UltraMonIndDisp.exe
2008-09-28 22:32 302,080 a------- c:\windows\system32\UltraMon.dll
2008-09-28 22:32 83,968 a------- c:\windows\system32\UltraMonHook.dll
2008-09-28 22:32 81,920 a------- c:\windows\system32\UltraMonIndDispHook.dll

============= FINISH: 15:52:05.89 ===============

Edited by Orange Blossom, 24 December 2008 - 05:59 PM.



#2 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:07:14 AM

Posted 06 January 2009 - 02:35 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer:

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me; it may make a difference in where we go. Don't install anything, even other programs that have nothing to do with security or malware; it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

#3 blkdrkkngt

blkdrkkngt
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:14 AM

Posted 07 January 2009 - 08:16 PM

ComboFix 09-01-07.01 - Alex 2009-01-07 20:04:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.431 [GMT -5:00]
Running from: d:\documents and settings\Alex.PHANEUFA\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\install.exe
d:\windows\system32\404Fix.exe
d:\windows\system32\AutoRun.inf
d:\windows\system32\Cache
d:\windows\system32\dumphive.exe
d:\windows\system32\IEDFix.C.exe
d:\windows\system32\IEDFix.exe
d:\windows\system32\o4Patch.exe
d:\windows\system32\Process.exe
d:\windows\system32\SrchSTS.exe
d:\windows\system32\tmp.reg
d:\windows\system32\VACFix.exe
d:\windows\system32\VCCLSID.exe
d:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-05 17:26 . 2009-01-05 17:26 <DIR> d-------- d:\program files\Free M4a to MP3 Converter
2009-01-05 17:24 . 2009-01-05 17:25 <DIR> d-------- d:\program files\MP4 to MP3 Converter
2009-01-05 17:24 . 2009-01-05 17:24 <DIR> d-------- d:\program files\Common Files\Download Manager
2008-12-30 00:41 . 2008-12-30 00:41 756 --a------ d:\windows\AnimatorDV.INI
2008-12-30 00:40 . 2008-12-30 00:40 <DIR> d-------- D:\Iron Man vs Spidey
2008-12-30 00:38 . 2008-12-30 00:41 <DIR> d-------- d:\program files\AnimatorDVSimple+
2008-12-29 22:59 . 2008-12-29 22:59 60,292 --ah----- d:\windows\system32\mlfcache.dat
2008-12-29 17:33 . 2008-12-29 17:33 <DIR> d-------- d:\program files\Bonjour
2008-12-29 11:48 . 2008-12-29 11:48 1,216 --a------ d:\windows\system32\ealregsnapshot1.reg
2008-12-29 11:26 . 2008-12-29 11:49 <DIR> d-------- d:\program files\Electronic Arts
2008-12-28 22:20 . 2008-12-28 22:20 <DIR> d-------- d:\program files\Colorizer
2008-12-28 13:19 . 2008-10-16 15:38 6,066,176 -----c--- d:\windows\system32\dllcache\ieframe.dll
2008-12-28 13:19 . 2007-04-17 04:32 2,455,488 -----c--- d:\windows\system32\dllcache\ieapfltr.dat
2008-12-28 13:19 . 2007-03-08 00:10 991,232 -----c--- d:\windows\system32\dllcache\ieframe.dll.mui
2008-12-28 13:19 . 2008-10-16 15:38 459,264 -----c--- d:\windows\system32\dllcache\msfeeds.dll
2008-12-28 13:19 . 2008-10-16 15:38 383,488 -----c--- d:\windows\system32\dllcache\ieapfltr.dll
2008-12-28 13:19 . 2008-10-16 15:38 267,776 -----c--- d:\windows\system32\dllcache\iertutil.dll
2008-12-28 13:19 . 2008-10-16 15:38 63,488 -----c--- d:\windows\system32\dllcache\icardie.dll
2008-12-28 13:19 . 2008-10-16 15:38 52,224 -----c--- d:\windows\system32\dllcache\msfeedsbs.dll
2008-12-28 13:19 . 2008-10-16 08:11 13,824 -----c--- d:\windows\system32\dllcache\ieudinit.exe
2008-12-28 12:46 . 2008-12-28 12:46 <DIR> d-------- d:\program files\MSXML 4.0
2008-12-28 12:39 . 2008-06-13 06:05 272,128 --------- d:\windows\system32\drivers\bthport.sys
2008-12-28 12:39 . 2008-06-13 06:05 272,128 -----c--- d:\windows\system32\dllcache\bthport.sys
2008-12-28 12:37 . 2008-08-14 05:11 2,189,184 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2008-12-28 12:37 . 2008-08-14 05:09 2,145,280 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-28 12:37 . 2008-08-14 04:33 2,066,048 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-28 12:37 . 2008-08-14 04:33 2,023,936 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe
2008-12-28 12:37 . 2008-10-24 06:21 455,296 -----c--- d:\windows\system32\dllcache\mrxsmb.sys
2008-12-28 00:06 . 2008-12-28 00:06 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2008-12-28 00:05 . 2008-12-28 00:06 <DIR> d-------- d:\program files\Viewpoint
2008-12-28 00:04 . 2008-12-28 00:15 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\AOL OCP
2008-12-28 00:04 . 2008-12-28 00:04 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\AOL
2008-12-28 00:02 . 2009-01-01 17:49 <DIR> d-------- d:\program files\Common Files\AOL
2008-12-28 00:01 . 2008-12-28 00:14 398 --ah----- D:\IPH.PH
2008-12-27 22:44 . 2008-12-27 22:45 <DIR> d-------- d:\documents and settings\Alex.PHANEUFA\Application Data\Nikon
2008-12-27 22:18 . 2008-12-27 22:18 <DIR> d-------- d:\program files\Nikon
2008-12-27 22:18 . 2008-12-27 22:18 <DIR> d-------- d:\program files\Common Files\muvee Technologies
2008-12-27 22:18 . 2008-12-27 22:18 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\Nikon
2008-12-27 20:33 . 2008-12-29 13:03 <DIR> d--h----- d:\windows\$hf_mig$
2008-12-27 20:29 . 2008-12-27 20:29 <DIR> d---s---- d:\documents and settings\Alex.PHANEUFA\UserData
2008-12-27 20:08 . 2008-12-27 20:08 <DIR> d-------- d:\program files\Seagate
2008-12-27 20:08 . 2008-12-27 20:08 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\Seagate
2008-12-27 20:05 . 2008-12-27 20:12 <DIR> d-------- d:\windows\Downloaded Installations
2008-12-27 19:46 . 2008-12-27 22:45 <DIR> d-------- d:\program files\Common Files\Nikon
2008-12-27 19:41 . 2008-12-27 19:41 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\Ultima_T15
2008-12-27 19:41 . 2008-12-27 19:41 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\EnterNHelp
2008-12-27 19:41 . 2009-01-07 19:58 20 ---h----- d:\documents and settings\All Users.WINDOWS\Application Data\PKP_DLdu.DAT
2008-12-27 18:03 . 2008-12-27 18:04 719,240 --a------ D:\WindowsXP-KB935448-x86-ENU.exe
2008-12-25 09:28 . 2008-04-14 04:42 221,184 --a------ d:\windows\system32\wmpns.dll
2008-12-22 15:57 . 2008-12-22 15:57 <DIR> d-------- d:\program files\iPod
2008-12-22 15:57 . 2008-12-22 15:57 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 15:57 . 2008-04-17 13:12 107,368 --a------ d:\windows\system32\GEARAspi.dll
2008-12-22 15:57 . 2008-04-17 13:12 15,464 --a------ d:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-21 22:35 . 2008-12-12 00:57 78,336 --a------ d:\windows\system32\Agent.OMZ.Fix.exe
2008-12-21 11:48 . 2008-12-21 11:48 <DIR> d-------- d:\windows\ERUNT
2008-12-21 11:42 . 2008-12-21 11:58 <DIR> d-------- D:\SDFix
2008-12-19 11:54 . 2009-01-05 22:55 756 --a------ d:\windows\wininit.ini
2008-12-17 19:53 . 2008-12-17 19:53 <DIR> d-------- D:\Acer
2008-12-17 19:53 . 2006-02-22 11:19 69,632 --a------ d:\windows\system32\eRecUtil.dll
2008-12-17 19:53 . 2006-01-19 18:19 49,152 --a------ d:\windows\system32\SysMonitor.exe
2008-12-17 17:53 . 2008-12-17 17:53 <DIR> d-------- d:\documents and settings\Alex.PHANEUFA\Application Data\HP
2008-12-16 22:14 . 2008-12-16 22:14 <DIR> d-------- d:\program files\AWS
2008-12-16 22:14 . 2008-12-16 22:14 <DIR> d-------- d:\documents and settings\Alex.PHANEUFA\Application Data\WeatherBug
2008-12-14 01:31 . 2008-12-14 01:33 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2008-12-14 01:31 . 2008-12-14 11:22 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-13 23:46 . 2008-12-13 23:46 <DIR> d-------- d:\program files\Trend Micro
2008-12-13 00:39 . 2008-10-07 13:33 201,157 --a------ d:\windows\system32\nvapps.nvb
2008-12-12 22:41 . 2008-12-30 02:08 <DIR> d-------- d:\documents and settings\Alex.PHANEUFA\Application Data\gtk-2.0
2008-12-12 22:20 . 2008-12-12 22:20 <DIR> d-------- d:\program files\Canon
2008-12-12 22:03 . 2008-12-12 22:03 <DIR> d-------- d:\temp\CanoScanCSUv571a
2008-12-12 22:03 . 2008-12-13 23:56 <DIR> d-------- D:\Temp
2008-12-12 22:03 . 2008-12-12 22:03 <DIR> d-------- D:\CanoScan_N1220U_CSUv571a
2008-12-12 21:38 . 2008-12-12 21:38 <DIR> d-------- d:\program files\ACD Systems
2008-12-12 20:39 . 2008-12-12 20:39 <DIR> d-------- d:\documents and settings\Alex.PHANEUFA\.thumbnails
2008-12-12 20:23 . 2008-12-30 02:33 <DIR> d-------- d:\documents and settings\Alex.PHANEUFA\.gimp-2.6
2008-12-12 20:23 . 2008-12-12 22:26 <DIR> d-------- d:\documents and settings\Alex.PHANEUFA\.gegl-0.0
2008-12-12 20:22 . 2008-12-12 22:24 <DIR> d-------- d:\program files\GIMP-2.0
2008-12-12 16:42 . 2008-12-12 16:42 <DIR> d-------- d:\program files\XBCD
2008-12-12 16:25 . 2009-01-04 20:50 76,072 --a------ d:\windows\system32\GDIPFONTCACHEV1.DAT
2008-12-12 16:07 . 2009-01-06 19:05 <DIR> d--h----- D:\$AVG8.VAULT$
2008-12-12 15:38 . 2009-01-07 20:09 <DIR> d--h----- d:\windows\FlyakiteOSX
2008-12-12 15:38 . 2008-11-06 20:09 218,624 --a------ d:\windows\system32\uxtheme.backup
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ d:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ d:\windows\system32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 01:09 --------- d-----w d:\program files\DNA
2009-01-08 01:09 --------- d-----w d:\documents and settings\Alex.PHANEUFA\Application Data\DNA
2009-01-08 00:56 --------- d-----w d:\documents and settings\Alex.PHANEUFA\Application Data\Skype
2009-01-07 23:56 --------- d-----w d:\documents and settings\Alex.PHANEUFA\Application Data\skypePM
2009-01-07 21:34 --------- d-----w d:\documents and settings\Alex.PHANEUFA\Application Data\BitTorrent
2009-01-07 19:18 --------- d-----w d:\documents and settings\Alex.PHANEUFA\Application Data\Apple Computer
2009-01-07 05:31 --------- d-----w d:\program files\LogMeIn
2009-01-06 20:05 --------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-01-04 23:51 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-01-04 23:44 --------- d-----w d:\program files\MSBuild
2009-01-04 23:44 --------- d-----w d:\program files\Microsoft Works
2009-01-04 23:38 38,496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 23:38 15,504 ----a-w d:\windows\system32\drivers\mbam.sys
2008-12-29 16:49 --------- d--h--w d:\program files\InstallShield Installation Information
2008-12-28 00:40 --------- d-----w d:\program files\Common Files\InstallShield
2008-12-27 23:17 --------- d-----w d:\program files\iTunes
2008-12-25 13:54 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-12-22 20:50 --------- d-----w d:\program files\Common Files\Apple
2008-12-16 22:42 97,928 ----a-w d:\windows\system32\drivers\avgldx86.sys
2008-12-16 22:42 76,040 ----a-w d:\windows\system32\drivers\avgtdix.sys
2008-12-16 03:17 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\avg8
2008-12-07 21:20 82,673,796 ----a-w d:\windows\Driver Cache.zip
2008-12-07 21:17 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\WinZip
2008-12-07 04:56 --------- d-----w d:\program files\QuickTime
2008-12-07 04:51 --------- d-----w d:\program files\Safari
2008-12-07 04:45 --------- d-----w d:\program files\Java
2008-11-23 03:02 --------- d-----w d:\program files\Realtek
2008-11-22 05:00 71,637 ----a-w d:\windows\BricoPackUninst.cmd
2008-11-22 04:30 --------- d-----w d:\program files\SystemRequirementsLab
2008-11-21 22:46 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\LogMeIn
2008-11-20 22:21 --------- d-----w d:\program files\Activision
2008-11-20 22:18 --------- d-----w d:\documents and settings\Alex.PHANEUFA\Application Data\Malwarebytes
2008-11-20 22:17 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-11-20 22:06 --------- d-----w d:\program files\Sony
2008-11-20 22:06 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\Sony Corporation
2008-11-20 22:03 --------- d-----w d:\program files\Sony Setup
2008-11-20 22:03 --------- d-----w d:\program files\Photosynth
2008-11-20 22:02 --------- d-----w d:\program files\Common Files\Adobe AIR
2008-11-20 22:02 --------- d-----w d:\program files\Common Files\Adobe
2008-11-20 22:00 --------- d-----w d:\program files\Finale NotePad 2008
2008-11-20 21:55 --------- d-----w d:\program files\BitTorrent
2008-11-20 21:41 --------- d-----w d:\program files\Skype
2008-11-20 21:41 --------- d-----w d:\program files\Common Files\Skype
2008-11-20 21:41 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\Skype
2008-11-20 21:31 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-11-20 21:31 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-11-20 21:26 --------- d-----w d:\program files\MSXML 6.0
2008-11-11 22:21 4,946,944 ----a-w d:\windows\system32\drivers\RtkHDAud.sys
2008-11-07 21:40 17,421,824 ----a-w d:\windows\RTHDCPL.EXE
2008-04-14 09:42 73,728 --sha-w d:\windows\FlyakiteOSX\Backup\wmplayer.exe
2008-04-14 09:42 73,728 -csha-w d:\windows\system32\dllcache\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="d:\documents and settings\Alex.PHANEUFA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-06 133104]
"RocketDock"="d:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"BitTorrent DNA"="d:\program files\DNA\btdna.exe" [2008-12-15 342848]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Weather"="d:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"EA Core"="d:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"XboxStat"="d:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-16 1261336]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"LogMeIn GUI"="d:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"AppleSyncNotifier"="d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"System Files Updater"="d:\windows\FlyakiteOSX\Tools\System Files Updater.exe" [2006-02-25 118485]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"MaxMenuMgr"="d:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"nwiz"="nwiz.exe" [2008-10-07 d:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 d:\windows\RTHDCPL.EXE]

d:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
Nikon Monitor.lnk - d:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
WinZip Quick Pick.lnk - d:\program files\WinZip\WZQKPICK.EXE [2008-09-11 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 d:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"d:\\Program Files\\DNA\\btdna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Activision\\Spider-Man - Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2008-11-06 97928]
R4 AvgTdiX;AVG8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2008-11-06 76040]
R4 LMIInfo;LogMeIn Kernel Information Provider;d:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;d:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-21 47640]
S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [2008-11-20 38496]
S3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;d:\windows\system32\drivers\WMP300Nv1.sys [2008-11-06 822400]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - Alerter
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - avg8emc
*Deregistered* - avg8wd
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fax
*Deregistered* - FreeAgentGoNext Service
*Deregistered* - helpsvc
*Deregistered* - hpqcxs08
*Deregistered* - hpqddsvc
*Deregistered* - IISADMIN
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - LanmanServer
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - LMIMaint
*Deregistered* - LogMeIn
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NVSvc
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SMTPSVC
*Deregistered* - SNMP
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Viewpoint Manager Service
*Deregistered* - W32Time
*Deregistered* - W3SVC
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wltrysvc
*Deregistered* - WMP300NSvc
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - i:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - i:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-07 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1645522239-1801674531-1002.job
- d:\documents and settings\Alex.PHANEUFA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 19:34]

2009-01-07 d:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- d:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-07-07 09:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RK Launcher - d:\program files\RK Launcher\RKLauncher.exe
HKLM-Run-WinVNC - d:\program files\TightVNC\WinVNC.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: *.update.microsoft.com
Trusted Zone: download.windowsupdate.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 20:09:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1645522239-1801674531-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Electronic Arts\S*NULL*P*NULL*O*NULL*R*NULL*E*NULL*"!]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)
d:\windows\system32\sxs.dll
d:\windows\system32\LMIinit.dll
d:\windows\System32\BCMLogon.dll
d:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\WLTRYSVC.EXE
d:\windows\system32\BCMWLTRY.EXE
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\progra~1\AVG\AVG8\avgwdsvc.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe
d:\windows\system32\inetsrv\inetinfo.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\LogMeIn\x86\ramaint.exe
d:\program files\LogMeIn\x86\LogMeIn.exe
d:\program files\LogMeIn\x86\LMIGuardian.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\snmp.exe
d:\program files\Viewpoint\Common\ViewpointService.exe
d:\program files\Linksys\WMP300N\WLService.exe
d:\program files\Linksys\WMP300N\WMP300N.exe
d:\progra~1\AVG\AVG8\avgemc.exe
d:\program files\LogMeIn\x86\LMIGuardian.exe
d:\windows\system32\rundll32.exe
d:\program files\iPod\bin\iPodService.exe
d:\program files\HP\Digital Imaging\bin\hpqste08.exe
d:\program files\Skype\Plugin Manager\skypePM.exe
d:\program files\AVG\AVG8\avgrsx.exe
d:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2009-01-07 20:13:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-08 01:13:16

Pre-Run: 161,495,224,320 bytes free
Post-Run: 161,467,871,232 bytes free

392 --- E O F --- 2008-12-29 18:03:45

#4 Hoov
  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 07 January 2009 - 09:56 PM

Questions: first, the DDS scan indicates that it is being run from the c:\ drive, but in the ComboFix log it is run from the d:\ drive. Did something happen? Is it the same drive?

Also, what problems are you seeing now?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#5 blkdrkkngt
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male

Posted 08 January 2009 - 01:47 AM

Oh, sorry, I loaded my computer with the D partition as Local Disk.

And same problems: no connectivity to update my AVG and Malwarebytes. Also, I can't connect to Automatic Updates. Still the ads. I can, however, update when I run Spybot and remove the entry, but it always comes back.

#6 Hoov
  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 08 January 2009 - 08:45 AM

Open your Device Manager and look to see if TDSSERV.SYS is listed. Make sure that hidden devices are shown.

#7 blkdrkkngt
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male

Posted 08 January 2009 - 03:37 PM

No, it's not there.

#8 Hoov
  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 08 January 2009 - 05:01 PM

OK, first I need you to go into Windows Services and set WMI to Automatic and start it.

Download Sophos Anti-Rootkit & save it to your desktop after filling out the questionnaire and reading the EULA.

Note: You will need to enter your name, e-mail address and location in order to access the download page.
  • Double-click sarsfx.exe to extract the files.
  • Click the Accept button at the EULA, then Install to the default directory
  • At the next prompt, click Yes to start the program
  • Make sure the following are checked:
  • Running processes
  • Windows Registry
  • Local Hard Drives
  • Click the "Start Scan" button.
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
  • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
  • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, when prompted, please re-boot your computer.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • Please post the contents of this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Note: If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted, including temporary files being deleted automatically.

Download Sysclean Package & save it to your desktop.

1. Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
2. Place the sysclean.com inside that folder.
3. Then download the latest Virus Pattern Files - (Pattern files are usually named "lptxxx.zip", where xxx is the pattern file number).
4. Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com.
(Click here for information on how to extract a file if you are not sure how to do this.) DO NOT scan yet.

Reboot your computer in SAFE MODE using the "F8" method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
1. Open the Sysclean folder and double-click on "sysclean.com" to start the scanning process.
2. Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
3. Click the Advanced button.
4. The scan options appear. Select "Scan all local fixed drives".
5. Click the Scan button on the TrendMicro™ System Cleaner console.
6. It will take some time to complete. Be patient and let it clean whatever it finds.
7. Another MS-DOS window appears containing the log file generated in the System Cleaner folder.
8. To view the log, click the View button on the TrendMicro™ System Cleaner console. The TrendMicro™ Sysclean Package - Log window appears.
The Files Detected section shows the viruses that were detected by System Cleaner.
The Files Clean section shows the viruses that were cleaned.
The Clean Fail section shows the viruses that were not cleaned.
9. Exit when done, reboot normally and re-enable your anti-virus program.

Instructions with screenshots are here if you need them.

This tool generates a log file (sysclean.log) in the same folder where the scan is completed.
When using Sysclean it's best to use the Administrator's account or an account with administrative rights; otherwise you will not have the rights to scan some locations.
The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.


Post both of those logs, and post a new DDS scan log and a ComboFix scan log.


#9 blkdrkkngt
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male

Posted 08 January 2009 - 05:38 PM

Where can I download DDS?

Edited by blkdrkkngt, 08 January 2009 - 05:50 PM.


#10 blkdrkkngt
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male

Posted 08 January 2009 - 06:15 PM

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext
Removable: No
Notes: (no more detail available)


Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Removable: No
Notes: DWORD 0x88af411c = -2001780452


Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Removable: No
Notes: (type 1, length 2) " "


No warning, though.

#11 Hoov
  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 08 January 2009 - 07:00 PM

You ran DDS in the first post in this thread; instructions are here.

#12 Hoov
  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 08 January 2009 - 07:58 PM

This is bugging me. From what I can see wrong, the tools you have run up to now should have gotten rid of it. So after the test I already am having you run, there are a few basics I want you to do.

I want to make sure Java isn't a problem (I have found a few references that point to java). To clear the Java Runtime Environment (JRE) cache:
  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel.

    -The Java Control Panel appears.
  • Click Settings under Temporary Internet Files.

    -The Temporary Files Settings dialog box appears.
  • Click Delete Files.

    -The Delete Temporary Files dialog box appears.

    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click OK on Delete Temporary Files window.

    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
  • Close the Java Control Panel
You can view those instructions along with graphics Here



Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6.0.
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11".
Click the "Download" button to the right.
UNCHECK the option to install Google Toolbar if you don't want it.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • Note: By default a box may be checked to install a toolbar - if you do not want to install it, then be sure to opt out by unchecking that box.


Please download VundoFix.exe to your desktop.
Reboot into safe mode.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, right-click in the open box and select Export list
  • The Vundofix.txt log will appear on your Desktop
  • Do not select Fix Vundo yet.
  • Please post the contents of that vundofix.txt log.


Tell me how the Java reset and update went, and post the Vundo.txt log.

#13 blkdrkkngt
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male

Posted 08 January 2009 - 08:46 PM

Here's the report. I'll run the DDS and ComboFix again.

#14 blkdrkkngt
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male

Posted 08 January 2009 - 08:54 PM

Here's ComboFix.

#15 blkdrkkngt
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male

Posted 08 January 2009 - 08:58 PM

DDS (Ver_09-01-07.01) - NTFSx86
Run by Alex at 20:55:09.89 on Thu 01/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.495 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
D:\WINDOWS\system32\svchost.exe -k hpdevmgmt
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\LogMeIn\x86\RaMaint.exe
D:\Program Files\LogMeIn\x86\LogMeIn.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\Program Files\Linksys\WMP300N\WLService.exe
D:\Program Files\Linksys\WMP300N\WMP300N.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\LogMeIn\x86\LogMeInSystray.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
D:\Documents and Settings\Alex.PHANEUFA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Program Files\RocketDock\RocketDock.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\DNA\btdna.exe
D:\Program Files\AWS\WeatherBug\Weather.exe
D:\Program Files\Electronic Arts\EADM\Core.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\WINDOWS\explorer.exe
D:\Documents and Settings\Alex.PHANEUFA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - d:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - d:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Google Update] "d:\documents and settings\alex.phaneufa\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [RocketDock] "d:\program files\rocketdock\RocketDock.exe"
uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BitTorrent DNA] "d:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Weather] d:\program files\aws\weatherbug\Weather.exe 1
uRun: [EA Core] "d:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [XboxStat] "d:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
mRun: [HP Software Update] d:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "d:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] d:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [System Files Updater] d:\windows\flyakiteosx\tools\System Files Updater.exe /S
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [MaxMenuMgr] "d:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: d:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - d:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1.win\startm~1\programs\startup\nikonm~1.lnk - d:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: d:\docume~1\alluse~1.win\startm~1\programs\startup\winzip~1.lnk - d:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - d:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - d:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - d:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2008-11-6 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2008-11-6 26824]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;d:\windows\system32\drivers\WMP300Nv1.sys [2008-11-6 822400]
R4 AvgTdiX;AVG8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2008-11-6 76040]
R4 LMIInfo;LogMeIn Kernel Information Provider;d:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;d:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-21 47640]
S3 MEMSWEEP2;MEMSWEEP2;\??\d:\windows\system32\3c.tmp --> d:\windows\system32\3C.tmp [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-01-08 17:54 <DIR> --d----- d:\program files\Sophos
2009-01-08 17:34 <DIR> --d----- D:\Sysclean
2009-01-08 16:40 <DIR> --d----- d:\docume~1\alluse~1.win\applic~1\Electronic Arts
2009-01-07 20:03 161,792 a------- d:\windows\SWREG.exe
2009-01-07 20:03 98,816 a------- d:\windows\sed.exe
2009-01-07 19:55 <DIR> --d----- d:\windows\setup.pss
2009-01-05 17:26 <DIR> --d----- d:\program files\Free M4a to MP3 Converter
2009-01-05 17:24 <DIR> --d----- d:\program files\MP4 to MP3 Converter
2009-01-05 17:24 <DIR> --d----- d:\program files\common files\Download Manager
2008-12-30 00:41 756 a------- d:\windows\AnimatorDV.INI
2008-12-30 00:40 <DIR> --d----- D:\Iron Man vs Spidey
2008-12-30 00:38 <DIR> --d----- d:\program files\AnimatorDVSimple+
2008-12-29 22:59 60,292 a---h--- d:\windows\system32\mlfcache.dat
2008-12-29 17:33 <DIR> --d----- d:\program files\Bonjour
2008-12-29 11:48 1,216 a------- d:\windows\system32\ealregsnapshot1.reg
2008-12-28 22:20 <DIR> --d----- d:\program files\Colorizer
2008-12-28 13:19 459,264 -c------ d:\windows\system32\dllcache\msfeeds.dll
2008-12-28 13:19 52,224 -c------ d:\windows\system32\dllcache\msfeedsbs.dll
2008-12-28 13:19 267,776 -c------ d:\windows\system32\dllcache\iertutil.dll
2008-12-28 13:19 13,824 -c------ d:\windows\system32\dllcache\ieudinit.exe
2008-12-28 13:19 6,066,176 -c------ d:\windows\system32\dllcache\ieframe.dll
2008-12-28 13:19 991,232 -c------ d:\windows\system32\dllcache\ieframe.dll.mui
2008-12-28 13:19 383,488 -c------ d:\windows\system32\dllcache\ieapfltr.dll
2008-12-28 13:19 2,455,488 -c------ d:\windows\system32\dllcache\ieapfltr.dat
2008-12-28 13:19 63,488 -c------ d:\windows\system32\dllcache\icardie.dll
2008-12-28 12:46 <DIR> --d----- d:\program files\MSXML 4.0
2008-12-28 12:39 272,128 -c------ d:\windows\system32\dllcache\bthport.sys
2008-12-28 12:39 272,128 -------- d:\windows\system32\drivers\bthport.sys
2008-12-28 12:37 2,145,280 -c------ d:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-28 12:37 2,189,184 -c------ d:\windows\system32\dllcache\ntoskrnl.exe
2008-12-28 12:37 2,023,936 -c------ d:\windows\system32\dllcache\ntkrpamp.exe
2008-12-28 12:37 2,066,048 -c------ d:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-28 12:37 455,296 -c------ d:\windows\system32\dllcache\mrxsmb.sys
2008-12-28 00:06 <DIR> --d----- d:\docume~1\alluse~1.win\applic~1\Viewpoint
2008-12-28 00:05 <DIR> --d----- d:\program files\Viewpoint
2008-12-28 00:02 <DIR> --d----- d:\program files\common files\AOL
2008-12-28 00:01 398 a---h--- D:\IPH.PH
2008-12-27 22:18 <DIR> --d----- d:\program files\common files\muvee Technologies
2008-12-27 22:18 <DIR> --d----- d:\program files\Nikon
2008-12-27 20:33 <DIR> --d----- d:\windows\system32\PreInstall
2008-12-27 20:33 <DIR> --d-h--- d:\windows\$hf_mig$
2008-12-27 20:29 <DIR> --dsh--- d:\documents and settings\alex.phaneufa\UserData
2008-12-27 20:08 <DIR> --d----- d:\docume~1\alluse~1.win\applic~1\Seagate
2008-12-27 20:08 <DIR> --d----- d:\program files\Seagate
2008-12-27 20:05 <DIR> --d----- d:\windows\Downloaded Installations
2008-12-27 19:46 <DIR> --d----- d:\program files\common files\Nikon
2008-12-27 19:41 20 ----h--- d:\docume~1\alluse~1.win\applic~1\PKP_DLdu.DAT
2008-12-27 18:05 <DIR> --d----- d:\windows\pss
2008-12-27 18:03 719,240 a------- D:\WindowsXP-KB935448-x86-ENU.exe
2008-12-25 09:28 221,184 a------- d:\windows\system32\wmpns.dll
2008-12-22 15:57 107,368 a------- d:\windows\system32\GEARAspi.dll
2008-12-22 15:57 15,464 a------- d:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-22 15:57 <DIR> --d----- d:\program files\iPod
2008-12-22 15:57 <DIR> --d----- d:\docume~1\alluse~1.win\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 22:35 78,336 a------- d:\windows\system32\Agent.OMZ.Fix.exe
2008-12-21 17:03 <DIR> --d----- d:\windows\system32\SoftwareDistribution
2008-12-21 11:48 <DIR> --d----- d:\windows\ERUNT
2008-12-21 11:42 <DIR> --d----- D:\SDFix
2008-12-19 11:54 801 a------- d:\windows\wininit.ini
2008-12-17 19:53 69,632 a------- d:\windows\system32\eRecUtil.dll
2008-12-17 19:53 49,152 a------- d:\windows\system32\SysMonitor.exe
2008-12-17 19:53 <DIR> --d----- D:\Acer
2008-12-16 22:14 <DIR> --d----- d:\program files\AWS
2008-12-16 22:14 <DIR> --d----- d:\docume~1\alex~1.pha\applic~1\WeatherBug
2008-12-14 01:31 <DIR> --d----- d:\program files\Spybot - Search & Destroy
2008-12-14 01:31 <DIR> --d----- d:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2008-12-13 23:46 <DIR> --d----- d:\program files\Trend Micro
2008-12-13 00:39 201,157 a------- d:\windows\system32\nvapps.nvb
2008-12-12 22:20 <DIR> --d----- d:\program files\Canon
2008-12-12 22:03 <DIR> --d----- d:\temp\CanoScanCSUv571a
2008-12-12 22:03 <DIR> --d----- D:\Temp
2008-12-12 22:03 <DIR> --d----- D:\CanoScan_N1220U_CSUv571a
2008-12-12 21:38 <DIR> --d----- d:\program files\ACD Systems
2008-12-12 20:39 <DIR> --d----- d:\documents and settings\alex.phaneufa\.thumbnails
2008-12-12 20:23 <DIR> --d----- d:\documents and settings\alex.phaneufa\.gimp-2.6
2008-12-12 20:23 <DIR> --d----- d:\documents and settings\alex.phaneufa\.gegl-0.0
2008-12-12 20:22 <DIR> --d----- d:\program files\GIMP-2.0
2008-12-12 16:42 <DIR> --d----- d:\program files\XBCD
2008-12-12 16:25 76,072 a------- d:\windows\system32\GDIPFONTCACHEV1.DAT
2008-12-12 16:07 <DIR> --d-h--- D:\$AVG8.VAULT$
2008-12-12 15:38 218,624 a------- d:\windows\system32\uxtheme.backup
2008-12-12 15:38 <DIR> --d-h--- d:\windows\FlyakiteOSX
2008-12-12 11:18 87,336 a------- d:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- d:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-04 18:38 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 a------- d:\windows\system32\drivers\mbam.sys
2008-12-27 22:17 106,496 a------- d:\windows\system32\ATL71.DLL
2008-12-16 17:42 76,040 a------- d:\windows\system32\drivers\avgtdix.sys
2008-12-16 17:42 97,928 a------- d:\windows\system32\drivers\avgldx86.sys
2008-12-16 17:42 10,520 a------- d:\windows\system32\avgrsstx.dll
2008-12-07 16:20 82,673,796 a------- d:\windows\Driver Cache.zip
2008-11-22 22:22 86,327 a------- d:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-22 00:00 71,637 a------- d:\windows\BricoPackUninst.cmd
2008-11-20 16:31 0 a---h--- d:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-11-20 16:31 0 a---h--- d:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-11-11 17:21 4,946,944 a------- d:\windows\system32\drivers\RtkHDAud.sys
2008-11-10 05:43 410,984 a------- d:\windows\system32\deploytk.dll
2008-11-07 16:40 17,421,824 a------- d:\windows\RTHDCPL.EXE
2008-11-06 20:09 218,624 a------- d:\windows\system32\uxtheme.dll
2008-11-06 19:57 137,631 a------- d:\windows\HPHins15.dat
2008-11-06 19:52 22,024 a------- d:\windows\system32\emptyregdb.dat
2008-10-23 07:36 286,720 a------- d:\windows\system32\gdi32.dll
2008-10-16 20:35 83,288 a------- d:\windows\system32\LMIRfsClientNP.dll
2008-10-16 20:35 28,984 a------- d:\windows\system32\LMIport.dll
2008-10-16 20:35 10,040 a------- d:\windows\system32\lmimirr2.dll
2008-10-16 20:35 23,736 a------- d:\windows\system32\lmimirr.dll
2008-10-16 20:35 87,352 a------- d:\windows\system32\LMIinit.dll
2008-10-16 15:38 826,368 a------- d:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- d:\windows\system32\muweb.dll
2008-04-14 04:42 73,728 a--sh--- d:\windows\flyakiteosx\backup\wmplayer.exe
2008-04-14 04:42 73,728 ac-sh--- d:\windows\system32\dllcache\wmplayer.exe

============= FINISH: 20:55:22.81 ===============
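Reading a DDS log like the one above by hand means checking every Run key, AppInit_DLLs value and driver line for the usual red flags: unquoted image paths with spaces, launchers that resolve a bare file name through the search path, rundll32 entries, and drivers whose image is a .tmp file or could not be found on disk. The script below is an added example of that triage pass, not part of the post and not DDS or BleepingComputer code. The sample log embedded in it is constructed from a few of the lines above with nothing else added; the parsing of the DDS conventions (R/S for running/stopped, the digit as start type, `[x]` for no image on disk, `[?]` for a file the scanner could not stat) is my reading of the format and the flags are review hints, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in DDS log format, modelled on the post above.
SAMPLE_LOG = r"""
mRun: [nwiz] nwiz.exe /install
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [System Files Updater] d:\windows\flyakiteosx\tools\System Files Updater.exe /S
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
AppInit_DLLs: avgrsstx.dll
R1 AvgLdx86;AVG AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2008-11-6 97928]
S3 MEMSWEEP2;MEMSWEEP2;\??\d:\windows\system32\3c.tmp --> d:\windows\system32\3C.tmp [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
""".strip("\n")

RUN_RE = re.compile(r'^(?P<hive>[mu]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
SVC_RE = re.compile(r'^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]*);(?P<display>[^;]*);(?P<image>.*)$')
APPINIT_RE = re.compile(r'^AppInit_DLLs: (?P<dlls>.+)$')
# Assumed DDS convention: R = running, S = stopped, digit = SCM start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


@dataclass
class Entry:
    kind: str            # "run", "service" or "appinit"
    name: str
    image: str
    status: str = ""
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str):
    """Return (image, args, quoted). For an unquoted command the image is taken
    up to the first executable extension, which is what the author intended;
    CreateProcess, by contrast, tries every space-delimited prefix first."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip(), True
    m = re.search(r'\.(exe|dll|com|scr)\b', cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip(), False
    parts = cmd.split()
    return parts[0], " ".join(parts[1:]), False


def check_run(name: str, cmd: str) -> Entry:
    image, args, quoted = split_command(cmd)
    e = Entry("run", name, image)
    if not quoted and " " in image:
        e.reasons.append("unquoted image path with spaces; every space-delimited prefix is tried first")
    if "\\" not in image:
        e.reasons.append("bare image name, resolved through the search path at logon")
    if image.lower().endswith("rundll32.exe"):
        e.reasons.append(f"rundll32 launcher, review the DLL it loads: {args}")
    return e


def check_service(state: str, start: str, name: str, image: str) -> Entry:
    e = Entry("service", name, image.strip(),
              status=f"{'running' if state == 'R' else 'stopped'}, start={START_TYPES[start]}")
    path = e.image
    if path.endswith("[x]"):            # assumed: no image file recorded
        e.reasons.append("no image file on disk at scan time")
        return e
    if path.endswith("[?]"):            # assumed: file could not be stat'ed
        e.reasons.append("image date/size unknown to the scanner")
    if "-->" in path:                   # DDS shows the raw \??\ path, then the resolved one
        path = path.split("-->", 1)[1]
    path = re.sub(r"\s*\[[^\]]*\]$", "", path).strip()
    e.image = path
    low = path.lower()
    if low.endswith(".tmp") or "\\temp\\" in low:
        e.reasons.append("driver/service image lives in a temp file or temp directory")
    return e


def triage(log_text: str) -> List[Entry]:
    """Parse Run keys, AppInit_DLLs and service/driver lines from a DDS log."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = RUN_RE.match(line)
        if m:
            entries.append(check_run(m["name"], m["cmd"]))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(check_service(m["state"], m["start"], m["name"], m["image"]))
            continue
        m = APPINIT_RE.match(line)
        if m:
            e = Entry("appinit", "AppInit_DLLs", m["dlls"].strip())
            e.reasons.append("AppInit_DLLs loads into every process that maps user32.dll; confirm the vendor")
            entries.append(e)
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE_LOG)):
        print(f"[{e.kind}] {e.name} -> {e.image} {e.status}")
        for r in e.reasons:
            print(f"    - {r}")
```

Running it on the sample flags the unquoted "System Files Updater" path, the rundll32 and bare-name Run entries, the AppInit_DLLs value, and the two driver lines with a .tmp image or no image at all, while the quoted Reader launcher, the AVG tray entry and the AVG driver pass clean. Paste a full DDS log into `triage()` in place of the sample to get the same list for a real machine; a flagged entry still needs the file checked against its vendor before anything is removed.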