Hi PP
I'm currently running the gmer scan and new dds and attach logs on my computer number 1 and will send those shortly. That is if you are working with me on my other 2 computers as well. Let me know if i need to start a new topic or use one of the ones i've already started, if not this one.
I have pasted the OTMoveIt log, MalwareBytes scan log and the DDS log from computer 2 (the one we are working on is this topic) below, in that order.
========== SERVICES/DRIVERS ==========
Service Aks65 stopped successfully.
Service Aks65 deleted successfully.
Service SGFPUSB stopped successfully.
Service SGFPUSB deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\7OKmaf5cd0 deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\DbEnAct deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{6A3A4B73-29FA-E312-16F7-03790D1CEBA3}\\ deleted successfully.
========== FILES ==========
c:\documents and settings\all users\application data\fknklifw moved successfully.
c:\program files\yjlkape moved successfully.
File/Folder c:\windows\system32\drivers\Aks65.sys not found.
c:\documents and settings\joline\delself.bat moved successfully.
c:\docume~1\joline\applic~1\yxazesa.bat moved successfully.
c:\docume~1\alluse~1\applic~1\wyzec.sys moved successfully.
c:\docume~1\joline\applic~1\seryh.reg moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Joline\LOCALS~1\Temp\~DFFDC0.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\28606383-1635-46fd-8982-ae11a26f783c.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\75fe61b0-0c10-4d08-9390-ab5129358898.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\a0c05a0d-214d-40f3-a9c8-9bc21c91d786.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01172009_213738
Files moved on Reboot...
C:\DOCUME~1\Joline\LOCALS~1\Temp\~DFFDC0.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\28606383-1635-46fd-8982-ae11a26f783c.tmp not found!
File C:\WINDOWS\temp\75fe61b0-0c10-4d08-9390-ab5129358898.tmp not found!
File C:\WINDOWS\temp\a0c05a0d-214d-40f3-a9c8-9bc21c91d786.tmp not found!
Malwarebytes' Anti-Malware 1.33
Database version: 1663
Windows 5.1.2600 Service Pack 3
17/01/2009 23:04:47
mbam-log-2009-01-17 (23-04-47).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 158990
Time elapsed: 42 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
DDS (Ver_09-01-07.01) - NTFSx86
Run by Joline at 23:09:46.70 on 17/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.152 [GMT 0:00]
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Joline\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
mRun: [Workflow] E:\Workflow.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_06\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\joline\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\joline\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.2\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath -
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
============= SERVICES / DRIVERS ===============
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-28 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-28 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-28 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-28 107272]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-12-28 29208]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-28 298264]
R4 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2008-12-28 1339600]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-6-3 1174152]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-12-28 29208]
S4 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton antivirus\navapsvc.exe" --> c:\program files\norton antivirus\navapsvc.exe [?]
=============== Created Last 30 ================
2009-01-17 22:14
--d----- c:\docume~1\joline\applic~1\Malwarebytes
2009-01-17 22:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-17 22:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 22:14 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-17 22:14 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-17 21:37 --d----- C:\_OTMoveIt
2009-01-17 20:06 96,080 a------- c:\docume~1\joline\applic~1\GDIPFONTCACHEV1.DAT
2009-01-15 18:58 250 a------- c:\windows\gmer.ini
2009-01-09 19:08 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-09 19:06 --d----- c:\documents and settings\joline\.housecall6.6
2009-01-09 16:20 --d----- c:\windows\system32\Adobe
2008-12-31 22:16 --d----- c:\windows\pss
2008-12-29 15:59 --d-h--- c:\windows\system32\GroupPolicy
2008-12-28 00:49 --d-h--- C:\$AVG8.VAULT$
2008-12-28 00:10 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-28 00:10 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2008-12-28 00:10 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-28 00:10 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-28 00:10 --d----- c:\windows\system32\drivers\Avg
2008-12-28 00:10 --d----- c:\docume~1\joline\applic~1\AVGTOOLBAR
2008-12-28 00:09 50,968 a------- c:\windows\system32\avgfwdx.dll
2008-12-28 00:09 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2008-12-28 00:09 --d----- c:\program files\AVG
2008-12-28 00:09 --d----- c:\docume~1\alluse~1\applic~1\avg8
==================== Find3M ====================
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-09 11:52 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-06-21 18:22 0 a------- c:\program files\temp01
2008-09-04 13:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat
============= FINISH: 23:10:30.68 ===============
I hope that did it. I have posted the logs for Computer 1 in this topic http://www.bleepingcomputer.com/forums/t/192221/rootkit-computer-1/
Regards
Joline
Edited by Joline, 17 January 2009 - 06:55 PM.