Antivirus 2009 / Vundo Infection


34 replies to this topic

#1 bk7p3lw

bk7p3lw

  • Members
  • 18 posts

Posted 03 February 2009 - 05:48 PM

Toshiba Laptop has been infected with Antivirus 2009. Virus scan has quarantined several infected files (Trojan virus?). Primarily affects Internet Explorer, Mozilla Firefox and Spybot - Search & Destroy. Performance has slowed to a crawl.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Anil at 17:06:36.92 on Tue 02/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.254 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\am9obnhwMDAx\command.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\prunnet.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Anil\My Documents\My Temp\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\tsi32\tsircusr.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3b7eb00d-b482-6398-0bb4-736fea9b5ab0}: {0ba5b9ae-f637-4bb0-8936-284bd00be7b3} - c:\windows\system32\uuixnu.dll
BHO: {3593413F-A1AD-4951-BFD4-338EB2BA9D4C} - No File
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUmljig.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7AC8E4EA-31E6-4531-8332-AA1E87F7CD6D} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: {cb6118b1-ec7a-4e7c-9fc7-67d1b544ec0f} - c:\windows\system32\khfGwTmm.dll
BHO: {CCF935BC-7E8E-4DFF-8E4F-3B464B79C706} - No File
BHO: {f9d076b3-062f-4d0f-bcd2-b1bba8ea42d9} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [cogad] "c:\documents and settings\anil\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [TFNF5] TFNF5.exe
mRun: [TPSMain] TPSMain.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NVRotateSysTray] rundll32.exe c:\windows\system32\nvsysrot.dll,Enable
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DpUtil] c:\program files\toshiba\dualpointutility\TEDTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [Qjaqufeworitu] rundll32.exe "c:\windows\uquwidog.dll",e
mRun: [Framework Windows] frmwrk32.exe
StartupFolder: c:\docume~1\anil\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
LSP: c:\windows\temp\ntdll64.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: wvUmljig - wvUmljig.dll
AppInit_DLLs: c:\windows\system32\lozohana.dll c:\windows\system32\womayovi.dll c:\windows\system32\hamoremo.dll c:\windows\system32\lazejada.dll c:\windows\system32\gehudehe.dll c:\windows\system32\mabemime.dll c:\windows\system32\mofawege.dll c:\windows\system32\mekijoru.dll lsmfew.dll rdbkvn.dll ngsihg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUmljig.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfGwTmm
LSA: Notification Packages = scecli c:\windows\system32\lozohana.dll c:\windows\system32\hamoremo.dll c:\windows\system32\lazejada.dll c:\windows\system32\gehudehe.dll c:\windows\system32\mabemime.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anil\applic~1\mozilla\firefox\profiles\4js4iom2.default\
FF - component: c:\program files\mozilla firefox\components\srff.dll
FF - HiddenExtension: XUL Cache: {9E7977B8-9226-4044-8504-E840EB2F9DBC} - c:\documents and settings\anil\local settings\application data\{9E7977B8-9226-4044-8504-E840EB2F9DBC}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-26 11840]
R1 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\TSIMSF5.sys [2008-3-2 5120]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-26 68865]
R2 cmdService;Command Service;c:\windows\am9obnhwmdax\command.exe [2009-1-31 293888]
R2 TSIREGMO;tsiregmo;c:\windows\system32\drivers\tsiregmo.sys [2008-3-2 5888]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [2008-3-2 31740]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\TSISTRMX.SYS [2008-3-2 5120]
S1 TSIRCINK;Traveling Software Install Driver;c:\windows\system32\drivers\TSIRCINK.SYS [2008-3-2 9216]
S1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\drivers\trircmir.sys --> c:\windows\system32\drivers\trircmir.sys [?]
S2 Network Monitor;Network Monitor;c:\program files\network monitor\netmon.exe service --> c:\program files\network monitor\netmon.exe service [?]
S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-26 151297]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-26 52032]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-10-25 18864]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2005-3-6 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2005-3-6 24344]
S4 black;black;c:\windows\system32\drivers\blackdrv.sys --> c:\windows\system32\drivers\BlackDrv.sys [?]

=============== Created Last 30 ================

2009-02-03 16:52 35,328 a------- c:\windows\system32\awtQKeda.dll
2009-02-03 16:52 45,568 -------- c:\windows\system32\clickfile.exe
2009-02-03 16:42 129,024 a------- c:\windows\system32\pcvubi.dll
2009-02-03 16:42 129,024 a------- c:\windows\system32\ajcsqfyf.dll
2009-02-03 16:40 1,523,278 ---sh--- c:\windows\system32\alorevcr.ini
2009-02-03 16:40 72,704 a------- c:\windows\system32\rcverola.dll
2009-02-02 14:01 125,440 a------- c:\windows\system32\ntdll64.exe
2009-02-02 08:59 125,440 ac------ c:\windows\system32\dllcache\userinit.exe
2009-02-02 08:58 1 a------- c:\windows\system32\uniq.tll
2009-02-02 08:58 26,112 a------- c:\windows\system32\frmwrk32.exe
2009-02-02 08:58 26,112 a------- c:\windows\system32\998.exe
2009-02-02 08:47 129,024 a------- c:\windows\system32\ngsydz.dll
2009-02-02 08:47 129,024 a------- c:\windows\system32\axwcfjqr.dll
2009-02-02 08:45 1,464,145 ---sh--- c:\windows\system32\fawanxrg.ini
2009-02-02 08:45 72,704 a------- c:\windows\system32\grxnawaf.dll
2009-01-31 01:53 135,168 a------- c:\windows\uquwidog.dll
2009-01-31 01:21 687,592 a------- c:\windows\system32\atmtd.dll._
2009-01-31 01:21 687,592 a------- c:\windows\system32\atmtd.dll
2009-01-31 01:21 <DIR> --d----- c:\program files\Network Monitor
2009-01-31 01:21 <DIR> --dsh--- c:\windows\am9obnhwMDAx
2009-01-31 01:21 <DIR> --d----- c:\docume~1\anil\applic~1\cogad
2009-01-31 01:20 <DIR> --d----- c:\docume~1\anil\applic~1\VirusRemover2008
2009-01-31 01:05 44,824 a------- c:\windows\system32\prunnet.exe
2009-01-30 13:22 1,515,355 ---sh--- c:\windows\system32\dacighlr.ini
2009-01-30 13:21 72,704 a------- c:\windows\system32\rlhgicad.dll
2009-01-30 13:18 129,024 a------- c:\windows\system32\rotude.dll
2009-01-30 13:18 129,024 a------- c:\windows\system32\qeiabwpo.dll
2009-01-29 13:21 1,515,358 ---sh--- c:\windows\system32\pmosyyox.ini
2009-01-29 13:18 129,024 a------- c:\windows\system32\wcpxju.dll
2009-01-29 13:18 129,024 a------- c:\windows\system32\hpueragt.dll
2009-01-28 20:37 1,515,358 ---sh--- c:\windows\system32\kfgqypcc.ini
2009-01-28 20:33 129,024 a------- c:\windows\system32\ehjrdd.dll
2009-01-28 20:33 129,024 a------- c:\windows\system32\kgkmumvf.dll
2009-01-27 20:35 1,517,115 ---sh--- c:\windows\system32\grnmbfcd.ini
2009-01-27 20:35 72,704 a------- c:\windows\system32\dcfbmnrg.dll
2009-01-27 20:32 129,024 a------- c:\windows\system32\uuixnu.dll
2009-01-27 20:32 129,024 a------- c:\windows\system32\ijnjoasc.dll
2009-01-26 20:35 129,024 a------- c:\windows\system32\ngsihg.dll
2009-01-26 20:35 129,024 a------- c:\windows\system32\ghahiyjk.dll
2009-01-26 20:32 1,517,115 ---sh--- c:\windows\system32\rtcpccvh.ini
2009-01-26 11:14 <DIR> --d----- c:\program files\Avira
2009-01-26 11:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-01-26 09:50 36,352 a------- c:\windows\system32\fccbYspM.dll
2009-01-26 09:48 143 a------- c:\windows\system32\mcrh.tmp
2009-01-25 21:34 5,632 a------- c:\windows\system32\ptpusb.dll
2009-01-25 21:34 159,232 a------- c:\windows\system32\ptpusd.dll
2009-01-25 20:51 <DIR> --d----- c:\program files\VnrPack
2009-01-25 20:45 <DIR> --d----- c:\docume~1\anil\applic~1\SpeedRunner
2009-01-25 20:40 <DIR> --d----- c:\docume~1\anil\applic~1\Twain
2009-01-25 20:35 <DIR> --d----- c:\program files\WebShow
2009-01-25 20:31 1,434,070 ---sh--- c:\windows\system32\emjsuvse.ini
2009-01-25 20:31 129,024 a------- c:\windows\system32\rdbkvn.dll
2009-01-25 20:31 129,024 a------- c:\windows\system32\wxclycok.dll
2009-01-25 20:30 <DIR> --d----- c:\program files\Mjcore
2009-01-24 20:31 129,024 a------- c:\windows\system32\lsmfew.dll
2009-01-24 20:31 129,024 a------- c:\windows\system32\xhpkiyhh.dll
2009-01-24 20:29 1,434,061 ---sh--- c:\windows\system32\icthrgor.ini
2009-01-24 20:28 288,702 a--sh--- c:\windows\system32\mmTwGfhk.ini
2009-01-24 20:28 288,597 a--sh--- c:\windows\system32\mmTwGfhk.ini2
2009-01-24 20:28 315,904 a------- c:\windows\system32\khfGwTmm.dll
2009-01-24 20:23 <DIR> --d----- c:\docume~1\anil\applic~1\GetModule
2009-01-24 20:23 <DIR> --d----- c:\program files\GetModule
2009-01-24 20:23 <DIR> --d----- c:\program files\iCheck
2009-01-24 20:23 36,352 a------- c:\windows\system32\wvUmljig.dll
2009-01-24 20:22 198,730 a------- c:\windows\system32\wpv001232809217.cpx
2009-01-05 14:46 <DIR> --d----- c:\windows\system32\scripting
2009-01-05 14:46 <DIR> --d----- c:\windows\l2schemas
2009-01-05 14:46 <DIR> --d----- c:\windows\system32\en
2009-01-05 14:46 <DIR> --d----- c:\windows\system32\bits
2009-01-05 14:39 <DIR> --d----- c:\windows\network diagnostic
2009-01-05 08:48 <DIR> --dsh--- c:\documents and settings\anil\PrivacIE

==================== Find3M ====================

2009-02-02 08:58 125,440 a------- c:\windows\system32\userinit.exe
2009-01-05 14:50 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2001-08-23 07:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 19:12 50,688 ---sh--- c:\windows\twain_32.dll
2005-08-02 16:46 187,904 a--shr-- c:\windows\am9obnhwmdax\asappsrv.dll
2005-08-02 16:58 293,888 a--shr-- c:\windows\am9obnhwmdax\command.exe
2005-07-29 16:24 472 a--shr-- c:\windows\am9obnhwmdax\uA6CvB1TgGEU.vbs
2008-04-13 19:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 19:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 19:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 19:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 19:12 84,992 a--sh--- c:\windows\system32\olepro32.dll
2008-04-13 19:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 17:09:31.94 ===============
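The log above is what a helper reads by eye: persistence entries (BHO, Run, AppInit_DLLs, LSA packages, Winsock LSP) pointing at freshly dropped, randomly named files, hidden+system .ini files in system32, a Task Manager lockout policy, and services whose binary DDS cannot verify. The script below is an added example, not part of this thread and not code from the DDS tool; it applies those same checks mechanically to a constructed sample made of lines copied from the posted log. The rule set and function names (`triage`, `recently_created`, `_stems`) are this example's own assumptions about what is worth a second look, and every hit is a lead for a person to verify against the full log, not a verdict.

```python
"""Triage a DDS 'Pseudo HJT Report' / 'Created Last 30' listing for the
persistence patterns visible in the log above.

Added example: not part of the thread and not code from the DDS tool. The
rules (a populated AppInit_DLLs, extra LSA packages, a Winsock LSP under a
temp directory, DisableTaskMgr=1, services whose binary DDS marks [?],
hidden+system files in system32, and persistence entries that point at a
file created in the last 30 days) are the example's own assumptions.
"""
import re

# Constructed sample: a subset of lines copied from the posted DDS log, one or
# two per category the rules below look at.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\tsi32\tsircusr.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\wvUmljig.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Qjaqufeworitu] rundll32.exe "c:\windows\uquwidog.dll",e
mRun: [Framework Windows] frmwrk32.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\windows\temp\ntdll64.dll
AppInit_DLLs: c:\windows\system32\lozohana.dll c:\windows\system32\womayovi.dll lsmfew.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfGwTmm
LSA: Notification Packages = scecli c:\windows\system32\lozohana.dll
S2 Network Monitor;Network Monitor;c:\program files\network monitor\netmon.exe service --> c:\program files\network monitor\netmon.exe service [?]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-26 68865]
2009-02-03 16:40 1,523,278 ---sh--- c:\windows\system32\alorevcr.ini
2009-02-02 08:58 26,112 a------- c:\windows\system32\frmwrk32.exe
2009-01-31 01:53 135,168 a------- c:\windows\uquwidog.dll
2009-01-24 20:28 315,904 a------- c:\windows\system32\khfGwTmm.dll
2009-01-24 20:23 36,352 a------- c:\windows\system32\wvUmljig.dll
2009-01-26 11:14 <DIR> --d----- c:\program files\Avira
"""

# date time size attrs path, as DDS prints the 'Created Last 30' section
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")


def _stems(text):
    """Lower-cased file-name stems (no extension) of every path-like token."""
    out = set()
    for tok in re.split(r'[\\\s",;=\[\]]+', text):
        m = re.fullmatch(r"([\w~-]+)(?:\.\w{1,4})?", tok)
        if m:
            out.add(m.group(1).lower())
    return out


def recently_created(lines):
    """Stems of files (not directories) listed in 'Created Last 30'."""
    stems = set()
    for line in lines:
        m = CREATED_RE.match(line)
        if m and m.group(3) != "<DIR>":
            name = m.group(5).rsplit("\\", 1)[-1]
            stems.add(re.sub(r"\.\w{1,4}$", "", name).lower())
    return stems


def triage(log_text):
    """Return (rule, line) pairs for every log line a rule fires on."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    created = recently_created(lines)
    findings = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.group(4), m.group(5).lower()
            if "s" in attrs and "h" in attrs and "\\system32\\" in path:
                findings.append(("hidden+system file in system32", line))
            continue
        key, _, value = line.partition(":")
        if "DisableTaskMgr = 1" in line:
            findings.append(("Task Manager disabled by policy", line))
        elif key == "AppInit_DLLs" and value.strip():
            findings.append(("AppInit_DLLs populated", line))
        elif key == "LSA":
            name, _, packages = value.partition("=")
            # a clean XP box lists only msv1_0 / scecli here
            baseline = {"msv1_0"} if "Authentication" in name else {"scecli"}
            extra = [p for p in packages.split() if p.lower() not in baseline]
            if extra:
                findings.append(("extra LSA package(s): " + " ".join(extra), line))
        elif key == "LSP" and "\\temp\\" in value.lower():
            findings.append(("Winsock LSP loaded from a temp directory", line))
        elif line.endswith("[?]"):
            findings.append(("service/driver binary could not be verified", line))
        # Cross-reference: a persistence entry whose target was created recently.
        hits = sorted(_stems(line) & created)
        if hits:
            findings.append(("persistence entry points at recently created file: "
                             + ", ".join(hits), line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}]\n    {line}")
```

Run against the full posted log, the cross-reference rule is the one that does most of the work: it needs no knowledge of names, only the fact that a Run, BHO, Notify or LSA entry points at something that appeared on disk in the last month, while known-good entries such as ctfmon.exe or the Adobe BHO stay silent.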



#2 bk7p3lw

bk7p3lw
  • Topic Starter

  • Members
  • 18 posts

Posted 03 February 2009 - 05:55 PM

I wanted to add that I tried to download and install Malwarebytes Anti-Malware; however I get a floating point error upon installation. Frustrating.

#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 04 February 2009 - 01:56 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[Posted Image: screenshot of the ComboFix download being renamed to Combo-Fix]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#4 bk7p3lw

bk7p3lw
  • Topic Starter

  • Members
  • 18 posts

Posted 04 February 2009 - 11:14 PM

Here are the steps that I have completed so far:

1. Disabled anti-virus and the Windows XP firewall, and exited Spybot.
2. Unable to download ComboFix on the infected laptop, so I downloaded the application (as Combo-Fix.exe) on another PC and copied it over using a flash drive.
3. First attempt to run ComboFix -- nothing happened and the laptop locked up. Disconnected power and re-booted.
4. Second attempt to run ComboFix. After disabling anti-virus, etc., a message pop-up appeared with the following:

Parasites found !!
The following files were trying to attach to ComboFix. They shall be disabled. Kindly note down on paper, the name of each file. We may need it later.
C:\WINDOWS\am9obnhwMDAx\asappsrv.dll <OK>

5. Two blue DOS like windows pop-up with the second having the following message:

Please wait.
ComboFix is preparing to run.

Attempting to create a new System Restore Point

6. A blinking cursor appears but after an hour or so disappears. Nothing seems to be happening - so reboot again.
7. Third attempt to run ComboFix. Same as before except have not gotten "Attempting to create a new System Restore Point" message.
8. Blinking cursor disappears after first 30 mins. Has been running for 7 hours with no result.

Any suggestions?

#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 05 February 2009 - 12:00 AM

Let's use another route..


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.


Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..


#6 bk7p3lw

bk7p3lw
  • Topic Starter

  • Members
  • 18 posts

Posted 05 February 2009 - 04:36 PM

Things have gone from bad to worse.

I rebooted and now everything seems to hang. Spybot has two windows that won't go away -- one is for a registry change and the other for an Error (floating point?).

I have rebooted several times and each time the laptop hangs and becomes non-responsive.

I wanted to copy the Malwarebytes app from a flash drive but I can't even get Windows Explorer to work.

#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 06 February 2009 - 01:43 AM

Can you boot into "Safe Mode" or "Last Known Good Configuration"?


#8 bk7p3lw

bk7p3lw
  • Topic Starter

  • Members
  • 18 posts

Posted 06 February 2009 - 03:37 PM

Safe Mode is not working.

Last Known Good Configuration does load and the system is a bit more responsive. I can actually turn off the computer using the Start menu. However, none of the other programs are responsive.

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 07 February 2009 - 12:34 AM

However, none of the other programs are responsive.


Can you explain in detail?.. Do you mean all programs (even Microsoft Word) are not responsive, or just those three programs that I need you to run..

Do below please...


Please restart your computer. Before running a new scan let's clean out the temporary folders.

Please download CleanUp! by stevengould.org and save it to your Desktop.
  • Double-click CleanUp452.exe and install CleanUp! to your computer
  • Open CleanUp! and click on Options.. button.
  • Under General tab, choose Standard CleanUp! and then click Ok
  • Click on the CleanUp! button. When it asks you to log off Windows, click on Yes
  • Let Windows reboot (or do it manually) and continue with the next step


Now download OTScanIt2.exe and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Services, Drivers and Registry section, please set on Safe List.
  • In the Rootkit Search section, set to Yes
  • In the Files Created Within and Files Modified Within section, set it to WhiteList/File Age
  • At the bottom, tick on all Use WhiteList and Include All Unicode Names option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
    • Reg - IE Explorer Bars
    • Reg - NetSvcs
    • Reg - Tcpip Persistent Routers
    • File - Lop Check
    • File - Purity Scan
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..


#10 bk7p3lw

bk7p3lw
  • Topic Starter

  • Members
  • 18 posts

Posted 07 February 2009 - 05:24 PM

I was able to get CleanUp! on to the laptop and had a successful run.

Downloaded OTScanIt2 however the self-extracting exe application that opens hangs ("Not Responding") on this laptop. I was able to run the self extractor on another PC.

I was able to run Microsoft Word (open and close) earlier; however after running CleanUp nothing is responding. I re-booted several times using the normal and last best configurations. Applications such as Windows Explorer never seem to work (or they work for a minute or two and then start to hang). This is preventing me from using a flash drive to copy the files over the infected laptop.

Should I be thinking about a clean Windows XP install at this point?

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 08 February 2009 - 12:44 PM

Should I be thinking about a clean Windows XP install at this point?


It's really up to you if you want to do a clean reformat.. However, don't forget to backup all of your data/documents/pictures/movies/songs/etc first..

It will be faster.. Tell me about your decision


#12 bk7p3lw

bk7p3lw
  • Topic Starter

  • Members
  • 18 posts

Posted 08 February 2009 - 04:19 PM

I was actually having problems with the clean install: it stopped mid-process and said the hard drive was infected. So I went back to my last known good configuration and started ComboFix again. It worked, and I am pasting the log file below.

ComboFix 09-02-08.01 - Anil 2009-02-08 16:01:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.722 [GMT -5:00]
Running from: c:\documents and settings\Anil\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\VirusRemover2008
c:\documents and settings\All Users\Start Menu\Programs\VirusRemover2008\VirusRemover2008.lnk
c:\documents and settings\Anil\Application Data\GetModule
c:\documents and settings\Anil\Application Data\GetModule\dicik.gz
c:\documents and settings\Anil\Application Data\GetModule\kwdik.gz
c:\documents and settings\Anil\Application Data\GetModule\ofadik.gz
c:\documents and settings\Anil\Application Data\SpeedRunner
c:\documents and settings\Anil\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Anil\Desktop\VirusRemover2008.lnk
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\NetworkService\Application Data\NetMon
c:\documents and settings\NetworkService\Application Data\NetMon\domains.txt
c:\documents and settings\NetworkService\Application Data\NetMon\log.txt
c:\program files\GetModule
c:\program files\GetModule\GetModule35.exe
c:\program files\iCheck
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\network monitor
c:\program files\VnrPack
c:\program files\VnrPack\dicts.gz
c:\program files\VnrPack\trgts.gz
c:\program files\VnrPack\VnrPack22.exe
c:\windows\am9obnhwMDAx\
c:\windows\am9obnhwMDAx\\asappsrv.dll
c:\windows\am9obnhwMDAx\\command.exe
c:\windows\am9obnhwMDAx\\uA6CvB1TgGEU.vbs
c:\windows\am9obnhwMDAx\command.exe
c:\windows\system32\998.exe
c:\windows\system32\abomivat.ini
c:\windows\system32\ajcsqfyf.dll
c:\windows\system32\alorevcr.ini
c:\windows\system32\atmtd.dll
c:\windows\system32\atmtd.dll._
c:\windows\system32\awtQKeda.dll
c:\windows\system32\axwcfjqr.dll
c:\windows\system32\azokutob.ini
c:\windows\system32\Cache
c:\windows\system32\dacighlr.ini
c:\windows\system32\dcfbmnrg.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekantujigpu.sys
c:\windows\system32\efijitog.ini
c:\windows\system32\ehjrdd.dll
c:\windows\system32\emjsuvse.ini
c:\windows\system32\esehuwoj.ini
c:\windows\system32\etelegis.ini
c:\windows\system32\fawanxrg.ini
c:\windows\system32\fccbYspM.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\ghahiyjk.dll
c:\windows\system32\grnmbfcd.ini
c:\windows\system32\grxnawaf.dll
c:\windows\system32\hpueragt.dll
c:\windows\system32\hsfd83jfdg.dll
c:\windows\system32\icthrgor.ini
c:\windows\system32\ijnjoasc.dll
c:\windows\system32\ilosewum.ini
c:\windows\system32\kfgqypcc.ini
c:\windows\system32\kgkmumvf.dll
c:\windows\system32\khfGwTmm.dll.vir
c:\windows\system32\kmpocjak.dll
c:\windows\system32\lsmfew.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mmTwGfhk.ini
c:\windows\system32\mmTwGfhk.ini2
c:\windows\system32\mpyzxf.dll
c:\windows\system32\ngsihg.dll
c:\windows\system32\ngsydz.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\obipukop.ini
c:\windows\system32\pcvubi.dll
c:\windows\system32\pmosyyox.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\qeiabwpo.dll
c:\windows\system32\rcverola.dll
c:\windows\system32\rdbkvn.dll
c:\windows\system32\rlhgicad.dll
c:\windows\system32\rotude.dll
c:\windows\system32\rtcpccvh.ini
c:\windows\system32\senekanungrdvh.dll
c:\windows\system32\senekaodywrcls.dll
c:\windows\system32\senekaqobwmskx.dat
c:\windows\system32\senekasjxiflsb.dll
c:\windows\system32\senekaswrguhel.dat
c:\windows\system32\uguzazir.ini
c:\windows\system32\ulerukaf.ini
c:\windows\system32\uniq.tll
c:\windows\system32\usovoseh.ini
c:\windows\system32\uuixnu.dll
c:\windows\system32\wcpxju.dll
c:\windows\system32\wpv001232809217.cpx
c:\windows\system32\wvUmljig.dll
c:\windows\system32\wxclycok.dll
c:\windows\system32\xhpkiyhh.dll
c:\windows\Tasks\mwmcuqtl.job

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-07 13:54 . 2009-02-07 13:54 <DIR> d-------- c:\program files\CleanUp!
2009-02-07 10:52 . 2009-02-07 10:52 51,712 --a------ c:\windows\system32\drivers\TDSSmhlt.sys
2009-02-07 10:52 . 2009-02-07 10:52 27,136 --a------ c:\windows\system32\TDSSoiqh.dll
2009-02-07 10:51 . 2009-02-07 10:51 72,704 --a------ c:\windows\system32\funfnhwd.dll
2009-02-07 10:51 . 2009-02-07 10:51 21,504 --a------ C:\wskrote.exe
2009-02-07 10:51 . 2009-02-07 10:51 19,456 --a------ C:\xxweksc.exe
2009-02-07 10:51 . 2009-02-07 10:51 9,728 --a------ c:\windows\instsp1.exe
2009-02-07 10:51 . 2009-02-07 10:51 8,192 --a------ C:\jxnx.exe
2009-02-07 10:51 . 2009-02-07 10:51 705 --a------ C:\jwfmld.exe
2009-02-07 10:51 . 2009-02-07 10:51 2 --a------ C:\-1946113091
2009-02-03 16:52 . 2009-02-03 16:52 45,568 --------- c:\windows\system32\clickfile.exe
2009-01-31 01:53 . 2009-01-31 01:53 135,168 --a------ c:\windows\uquwidog.dll
2009-01-31 01:21 . 2009-01-31 01:48 <DIR> d-------- c:\documents and settings\Anil\Application Data\cogad
2009-01-31 01:20 . 2009-01-31 01:20 <DIR> d-------- c:\documents and settings\Anil\Application Data\VirusRemover2008
2009-01-26 11:14 . 2009-01-26 11:14 <DIR> d-------- c:\program files\Avira
2009-01-26 11:14 . 2009-01-26 11:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-25 21:34 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-25 21:34 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-25 20:40 . 2009-01-25 21:23 <DIR> d-------- c:\documents and settings\Anil\Application Data\Twain
2009-01-25 20:35 . 2009-01-25 20:35 <DIR> d-------- c:\program files\WebShow

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-01-26 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-26 02:26 --------- d-----w c:\documents and settings\Anil\Application Data\Azureus
2009-01-26 02:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-15 13:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-07 15:49 --------- d-----w c:\program files\JKDefrag
2009-01-03 17:03 --------- d-----w c:\program files\WarRock
2008-12-27 14:55 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-27 14:55 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-27 14:55 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-27 14:55 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-27 14:49 --------- d-----w c:\program files\CCleaner
2008-12-26 02:12 --------- d-----w c:\program files\Vuze
2008-12-26 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-12-26 00:38 --------- d-----w c:\program files\Common Files\i4j_jres
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2009-01-26 01:46 211,456 ----a-w c:\program files\mozilla firefox\components\srff.dll
2001-08-23 12:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 00:12 57,344 --sh--w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
"NVIEW"="nview.dll" [2003-12-10 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-12-10 4866048]
"NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2003-12-10 49152]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2005-02-28 23:43 245760]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-28 155648]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-02 172032]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-10-25 311296]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 451896]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 451896]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Qjaqufeworitu"="c:\windows\uquwidog.dll" [2009-01-31 135168]
"TFNF5"="TFNF5.exe" [2003-11-17 c:\windows\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-12-15 c:\windows\system32\TPSMain.exe]
"nwiz"="nwiz.exe" [2003-12-10 c:\windows\system32\nwiz.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 03:28 24576 c:\windows\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 c:\windows\agrsmmsg.exe]

c:\documents and settings\Anil\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-09-23 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lsmfew.dll rdbkvn.dll ngsihg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\eMule\\eMule.exe"=
"c:\\Program Files\\LapLink Gold\\LLServerMain.exe"=
"c:\\Program Files\\LapLink Gold\\laplink.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\TSIMSF5.sys [2008-03-02 5120]
R2 TSIREGMO;tsiregmo;c:\windows\system32\drivers\tsiregmo.sys [2008-03-02 5888]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [2008-03-02 31740]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\TSISTRMX.SYS [2008-03-02 5120]
S1 TSIRCINK;Traveling Software Install Driver;c:\windows\system32\drivers\TSIRCINK.SYS [2008-03-02 9216]
S1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\Drivers\trircmir.sys --> c:\windows\system32\Drivers\trircmir.sys [?]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-10-25 18864]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2005-03-06 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2005-03-06 24344]
S4 black;black;c:\windows\system32\drivers\BlackDrv.sys --> c:\windows\system32\drivers\BlackDrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hsfd83jfdg.dll
HKCU-Run-cogad - c:\documents and settings\Anil\Application Data\cogad\cogad.exe
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hsfd83jfdg.dll
Notify-wvUmljig - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\TEMP\ntdll64.dll
FF - ProfilePath - c:\documents and settings\Anil\Application Data\Mozilla\Firefox\Profiles\4js4iom2.default\
FF - component: c:\program files\Mozilla Firefox\components\srff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 16:07:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\TSIRCSRV.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-02-08 16:11:55 - machine was rebooted [Anil]
ComboFix-quarantined-files.txt 2009-02-08 21:11:53

Pre-Run: 30,205,632,512 bytes free
Post-Run: 30,068,760,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

335 --- E O F --- 2009-01-15 13:29:50

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 08 February 2009 - 09:52 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
TDSSServ.sys

File::
c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\funfnhwd.dll
C:\wskrote.exe
C:\xxweksc.exe
c:\windows\instsp1.exe
C:\jxnx.exe
C:\jwfmld.exe
C:\-1946113091
c:\windows\system32\clickfile.exe
c:\windows\uquwidog.dll

Folder::
c:\documents and settings\Anil\Application Data\cogad
c:\documents and settings\Anil\Application Data\VirusRemover2008
c:\documents and settings\Anil\Application Data\Twain
c:\program files\WebShow

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qjaqufeworitu"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

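As an added example (this is not ComboFix's code and not part of either poster's instructions), the following Python script shows how the review the helper did by hand on the log above can be automated: it parses the "Reg Loading Points" and LSP lines of a ComboFix log, applies a few of the heuristics that single out the malicious entries (a Run value that loads a DLL from outside system32, a non-empty AppInit_DLLs, a Winsock LSP loaded from a temp directory, a disabled firewall, suppressed update notifications) and drafts the File:: and Registry:: sections of a CFScript in the same shape as the one in this post. The log excerpt is constructed from entries in the first ComboFix log above; the severity labels, the assumption that bare AppInit_DLLs names resolve to system32 (which the first log's "Other Deletions" list bears out for these three DLLs) and the decision to leave the LSP for manual repair are the example's own.

```python
"""Triage a ComboFix log for persistence points and draft a CFScript.

Added example for this thread; not ComboFix's code and not the helper's script.
Heuristics, severities and the system32 assumption are the example's own.
"""
import re

# Constructed excerpt modelled on the "Reg Loading Points" and "Supplementary
# Scan" sections of the first ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Qjaqufeworitu"="c:\windows\uquwidog.dll" [2009-01-31 135168]
"NVIEW"="nview.dll" [2003-12-10 c:\windows\system32\nview.dll]
"TFNF5"="TFNF5.exe" [2003-11-17 c:\windows\system32\TFNF5.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lsmfew.dll rdbkvn.dll ngsihg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

LSP: c:\windows\TEMP\ntdll64.dll
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_log(text):
    """Return ({registry key: {value name: raw data}}, [LSP paths])."""
    keys, lsps, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
        elif line.startswith("LSP:"):
            lsps.append(line[4:].strip())
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys, lsps


def target_path(data):
    """Target of a Run value: the path ComboFix resolved inside the brackets
    for a bare file name (nview.dll above), else the quoted path itself."""
    m = re.search(r"\[[^\]]*?([A-Za-z]:\\[^\]]+)\]", data)
    if m:
        return m.group(1)
    m = re.match(r'"([^"]+)"', data)
    return m.group(1) if m else data


def triage(keys, lsps):
    """Apply the review heuristics; return a list of finding dicts."""
    findings = []
    for key, values in keys.items():
        kl = key.lower()
        if kl.endswith(r"\currentversion\run"):
            for name, data in values.items():
                path = target_path(data)
                # A DLL started from the Windows root instead of system32 is the
                # dropper pattern seen with uquwidog.dll; legit vendors use system32.
                if path.lower().endswith(".dll") and "system32" not in path.lower():
                    findings.append(dict(severity="high", kind="run_dll", key=key, name=name, path=path))
        elif kl.endswith(r"\windows nt\currentversion\windows"):
            dlls = values.get("AppInit_DLLs", "").split()
            if dlls:  # each DLL here is injected into every process that loads user32.dll
                findings.append(dict(severity="high", kind="appinit", key=key, dlls=dlls))
        elif kl.endswith(r"\security center"):
            if values.get("UpdatesDisableNotify", "").lower().endswith("00000001"):
                findings.append(dict(severity="medium", kind="updates_notify_off", key=key))
        elif kl.endswith(r"\firewallpolicy\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(dict(severity="medium", kind="firewall_off", key=key))
    for lsp in lsps:
        # A Winsock provider in TEMP sees every socket call; real LSPs do not live there.
        if "\\temp\\" in lsp.lower():
            findings.append(dict(severity="high", kind="lsp_temp", path=lsp))
    return findings


def draft_cfscript(findings):
    """Draft CFScript File:: and Registry:: sections from the high-severity findings.
    The LSP is reported but not scripted: deleting a Winsock provider's file without
    unregistering it can break networking, so it is left to the operator (example's choice)."""
    files, registry = [], []
    for f in findings:
        if f["severity"] != "high":
            continue
        if f["kind"] == "run_dll":
            files.append(f["path"])
            registry += ["[%s]" % f["key"], '"%s"=-' % f["name"]]  # "=-" deletes the value
        elif f["kind"] == "appinit":
            registry += ["[%s]" % f["key"], '"AppInit_DLLs"=""']  # clear the value, as the helper did
            # Assumption: bare AppInit names resolve to system32 (the first log's
            # "Other Deletions" list shows these three DLLs there).
            files += [r"c:\windows\system32\%s" % d for d in f["dlls"]]
    script = ["KillAll::", ""]
    if files:
        script += ["File::"] + files + [""]
    if registry:
        script += ["Registry::"] + registry
    return "\n".join(script)


if __name__ == "__main__":
    found = triage(*parse_log(SAMPLE_LOG))
    for f in found:
        print(f["severity"].upper(), f["kind"], f.get("path") or f.get("dlls") or f["key"])
    print("\n" + draft_cfscript(found))
```

Run against a full log the script will also see the AuthorizedApplications and GloballyOpenPorts keys; they end in \List, so the \standardprofile check does not fire on them. The medium-severity findings (firewall off, update notifications suppressed) are reported but not scripted, because those are settings to re-enable in Security Center after cleanup rather than files or values to delete.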


#14 bk7p3lw

bk7p3lw
  • Topic Starter

  • Members
  • 18 posts

Posted 09 February 2009 - 10:32 AM

New ComboFix log:

ComboFix 09-02-08.02 - Anil 2009-02-09 9:36:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.547 [GMT -5:00]
Running from: c:\documents and settings\Anil\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Anil\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\-1946113091
C:\jwfmld.exe
C:\jxnx.exe
c:\windows\instsp1.exe
c:\windows\system32\clickfile.exe
c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\funfnhwd.dll
c:\windows\system32\TDSSoiqh.dll
c:\windows\uquwidog.dll
C:\wskrote.exe
C:\xxweksc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1946113091
c:\documents and settings\Anil\Application Data\cogad
c:\documents and settings\Anil\Application Data\Twain
c:\documents and settings\Anil\Application Data\VirusRemover2008
c:\documents and settings\Anil\Application Data\VirusRemover2008\Logs\scns.log
C:\jwfmld.exe
C:\jxnx.exe
c:\program files\WebShow
c:\program files\WebShow\WebShow.dll
c:\windows\instsp1.exe
c:\windows\system32\clickfile.exe
c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\funfnhwd.dll
c:\windows\system32\TDSSoiqh.dll
c:\windows\uquwidog.dll
C:\wskrote.exe
C:\xxweksc.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-07 13:54 . 2009-02-07 13:54 <DIR> d-------- c:\program files\CleanUp!
2009-01-26 11:14 . 2009-01-26 11:14 <DIR> d-------- c:\program files\Avira
2009-01-26 11:14 . 2009-01-26 11:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-25 21:34 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-25 21:34 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-01-26 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-26 02:26 --------- d-----w c:\documents and settings\Anil\Application Data\Azureus
2009-01-26 02:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-15 13:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-07 15:49 --------- d-----w c:\program files\JKDefrag
2009-01-03 17:03 --------- d-----w c:\program files\WarRock
2008-12-27 14:55 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-27 14:55 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-27 14:55 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-27 14:55 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-27 14:49 --------- d-----w c:\program files\CCleaner
2008-12-26 02:12 --------- d-----w c:\program files\Vuze
2008-12-26 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-12-26 00:38 --------- d-----w c:\program files\Common Files\i4j_jres
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2009-01-26 01:46 211,456 ----a-w c:\program files\mozilla firefox\components\srff.dll
2001-08-23 12:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 00:12 57,344 --sh--w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-08_16.11.04.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-08 21:06:24 202,833 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-09 14:39:35 202,834 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 68856]
"NVIEW"="nview.dll" [2003-12-10 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-12-10 4866048]
"NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2003-12-10 49152]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2005-02-28 23:43 245760]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-28 155648]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-02 172032]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-10-25 311296]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 451896]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 451896]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"TFNF5"="TFNF5.exe" [2003-11-17 c:\windows\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-12-15 c:\windows\system32\TPSMain.exe]
"nwiz"="nwiz.exe" [2003-12-10 c:\windows\system32\nwiz.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 03:28 24576 c:\windows\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 c:\windows\agrsmmsg.exe]

c:\documents and settings\Anil\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-09-23 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\eMule\\eMule.exe"=
"c:\\Program Files\\LapLink Gold\\LLServerMain.exe"=
"c:\\Program Files\\LapLink Gold\\laplink.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\TSIMSF5.sys [2008-03-02 5120]
R2 TSIREGMO;tsiregmo;c:\windows\system32\drivers\tsiregmo.sys [2008-03-02 5888]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [2008-03-02 31740]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\TSISTRMX.SYS [2008-03-02 5120]
S1 TSIRCINK;Traveling Software Install Driver;c:\windows\system32\drivers\TSIRCINK.SYS [2008-03-02 9216]
S1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\Drivers\trircmir.sys --> c:\windows\system32\Drivers\trircmir.sys [?]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-10-25 18864]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2005-03-06 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2005-03-06 24344]
S4 black;black;c:\windows\system32\drivers\BlackDrv.sys --> c:\windows\system32\drivers\BlackDrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\TEMP\ntdll64.dll
FF - ProfilePath - c:\documents and settings\Anil\Application Data\Mozilla\Firefox\Profiles\4js4iom2.default\
FF - component: c:\program files\Mozilla Firefox\components\srff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 09:40:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\TSIRCSRV.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-02-09 9:44:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-09 14:44:39
ComboFix2.txt 2009-02-08 21:11:57

Pre-Run: 30,034,214,912 bytes free
Post-Run: 30,015,680,512 bytes free

232 --- E O F --- 2009-01-15 13:29:50


New DDS:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Anil at 10:26:12.80 on Mon 02/09/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.550 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Anil\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TFNF5] TFNF5.exe
mRun: [TPSMain] TPSMain.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NVRotateSysTray] rundll32.exe c:\windows\system32\nvsysrot.dll,Enable
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DpUtil] c:\program files\toshiba\dualpointutility\TEDTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\anil\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
LSP: c:\windows\temp\ntdll64.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anil\applic~1\mozilla\firefox\profiles\4js4iom2.default\
FF - component: c:\program files\mozilla firefox\components\srff.dll
FF - HiddenExtension: XUL Cache: {9E7977B8-9226-4044-8504-E840EB2F9DBC} - c:\documents and settings\anil\local settings\application data\{9E7977B8-9226-4044-8504-E840EB2F9DBC}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-26 11840]
R1 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\TSIMSF5.sys [2008-3-2 5120]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-26 68865]
R2 TSIREGMO;tsiregmo;c:\windows\system32\drivers\tsiregmo.sys [2008-3-2 5888]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [2008-3-2 31740]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\TSISTRMX.SYS [2008-3-2 5120]
S1 TSIRCINK;Traveling Software Install Driver;c:\windows\system32\drivers\TSIRCINK.SYS [2008-3-2 9216]
S1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\drivers\trircmir.sys --> c:\windows\system32\drivers\trircmir.sys [?]
S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-26 151297]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-26 52032]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-10-25 18864]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2005-3-6 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2005-3-6 24344]
S4 black;black;c:\windows\system32\drivers\blackdrv.sys --> c:\windows\system32\drivers\BlackDrv.sys [?]

=============== Created Last 30 ================

2009-02-08 15:55 <DIR> a-dshr-- C:\cmdcons
2009-02-07 13:54 <DIR> --d----- c:\program files\CleanUp!
2009-02-04 12:11 161,792 a------- c:\windows\SWREG.exe
2009-02-04 12:11 98,816 a------- c:\windows\sed.exe
2009-01-26 11:14 <DIR> --d----- c:\program files\Avira
2009-01-26 11:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-01-25 21:34 5,632 a------- c:\windows\system32\ptpusb.dll
2009-01-25 21:34 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-01-05 14:50 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2001-08-23 07:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 19:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 19:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 19:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 19:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 19:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 19:12 84,992 a--sh--- c:\windows\system32\olepro32.dll
2008-04-13 19:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 10:26:22.87 ===============

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 09 February 2009 - 01:25 PM

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select "1. Find Goored (no fix)" by typing 1 and pressing Enter. A log will open; please post the contents of that log in your next reply (it can also be found on your Desktop, called Goored.txt). Note: Do not run Option #2 yet.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive




