Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible virus/malware?


  • This topic is locked This topic is locked
17 replies to this topic

#1 tonyb24

tonyb24

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:55 AM

Posted 07 February 2009 - 06:07 AM

Hi
Can anyone help me with this?

I had trouble a week ago. I could not view anything on my two hard drives when I clicked on my computer (i.e. whe I clicked on C drive, nothing happened). My pc would also not let me run Spybot, so I removed it and cannot now download it. Also, running an anti-virus scan (using AVG free) my pc was checking for hours. When I looked it seemed to be checking the same files over and over. I removed the program but cannot download this either.

After running Malwarebyte's Anti-Malware, there were a few infections that were removed and I thought I'd solved the problem. However, now I can't use the windows disk defragmenter. I get a message saying 'disk defragmenter could not start'. Also my pc won't let me restore to a previous time. I think it's something to do with what Malwarebyte found but I can't figure it out.

I've just tried to run Malwarebyte's anti-malware again and i get this message 'the database you are using is not supported by this version of Malwarebyte's Anti-Malware. Download the latest version of the program'.

I just tried to do this and cannot do this either. I get the same message when trying to download AVG free edition - 'The page cannot be found. The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.'

Here is the DDS.txt as instructed. and also the Attach.txt attachment.
Thanks in advance
Tony



DDS (Ver_09-02-01.01) - NTFSx86
Run by Tony at 10:53:03.65 on 07/02/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.165 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161716270\ee\AOLSoftware.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\F6CK84XP\dds[1].scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CMVideoPlugin Class: {ce580665-f3f7-4d64-86f8-14ac84ffc810} - c:\windows\system32\CMVideo.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [RemoteControl]
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [RemoteCenter]
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HostManager] c:\program files\common files\aol\1161716270\ee\AOLSoftware.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [AOLAspSunset2] c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161710922218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PFModNT.sys [2006-10-24 15840]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-9-2 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-9-2 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-9-2 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-9-2 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-9-2 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-9-2 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-9-2 90800]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18791.exe
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18787.exe
2009-02-06 11:43 <DIR> --ds---- c:\documents and settings\tony\UserData
2009-01-31 17:17 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-31 16:55 <DIR> --dshr-- C:\autorun.inf
2009-01-28 23:11 <DIR> --d----- c:\program files\CMVideoPlugin
2009-01-28 22:15 155,648 a------- c:\windows\system32\CMVideo.dll
2009-01-15 01:05 <DIR> --d----- C:\OEMSettings

==================== Find3M ====================

2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2007-04-23 14:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 10:53:34.53 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:55 AM

Posted 16 February 2009 - 02:26 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

If this file exists, please post it:
c:\ComboFix.txt

With Regards,
The Panda

#3 tonyb24

tonyb24
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:55 AM

Posted 19 February 2009 - 06:40 PM

Hi Panda
Sorry for the delayed reply but I've been away for a few days.
Here are the things you asked for.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Tony at 10:53:03.65 on 07/02/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.165 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161716270\ee\AOLSoftware.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\F6CK84XP\dds[1].scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CMVideoPlugin Class: {ce580665-f3f7-4d64-86f8-14ac84ffc810} - c:\windows\system32\CMVideo.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [RemoteControl]
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [RemoteCenter]
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HostManager] c:\program files\common files\aol\1161716270\ee\AOLSoftware.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [AOLAspSunset2] c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161710922218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PFModNT.sys [2006-10-24 15840]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-9-2 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-9-2 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-9-2 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-9-2 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-9-2 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-9-2 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-9-2 90800]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18791.exe
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18787.exe
2009-02-06 11:43 <DIR> --ds---- c:\documents and settings\tony\UserData
2009-01-31 17:17 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-31 16:55 <DIR> --dshr-- C:\autorun.inf
2009-01-28 23:11 <DIR> --d----- c:\program files\CMVideoPlugin
2009-01-28 22:15 155,648 a------- c:\windows\system32\CMVideo.dll
2009-01-15 01:05 <DIR> --d----- C:\OEMSettings

==================== Find3M ====================

2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2007-04-23 14:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 10:53:34.53 ===============



GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-02-19 23:36:05
Windows 5.1.2600 Service Pack 2


---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:B63300D1
ADS C:\Program Files\ATI Technologies\ATI.ACE\skins\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Scrollbar:Smaller.WB4
ADS C:\Program Files\Sonic Foundry\CD Architect 5.0\CDArch50.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINDOWS\pss\Registration Myst VStartup: End of Ages.LNK

---- EOF - GMER 1.0.12 ----


I have managed to run Malwarebyte's anti Malware and below is a log from the last time it was run.

alwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

13/02/2009 10:02:44
mbam-log-2009-02-13 (10-02-38).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 214838
Time elapsed: 48 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{b4acf1f7-325c-4269-a5e2-645476428b8c} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{a77a8135-c1d5-40e4-a4f1-51fa11936b5d} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cd57f97b-89eb-4769-8894-7d16528c44d9} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0a8a5904-fd83-40df-ba27-7d5704ef6ffa} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ce580665-f3f7-4d64-86f8-14ac84ffc810} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce580665-f3f7-4d64-86f8-14ac84ffc810} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CMVideo.XMLDOMDocumentEventsSink (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CMVideo.XMLDOMDocumentEventsSink.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\CMVideo.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\Temp\tempo-1039078.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-1039312.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-1202593.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-1202812.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\system32\gaopdxpptxjixu.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\gaopdxdkxruwka.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\gaopdxodbqltpu.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\gaopdxrevxvkos.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\gaopdxybowkmfy.sys (Trojan.Agent) -> No action taken.


I deleted these files, but I think these were files that were there previously and have returned.

Thanks for your help.

Tony

Attached Files



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:55 AM

Posted 19 February 2009 - 06:56 PM

Hello Tony.

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile. Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please follow up by taken a new scan with DDS. Only DDS.txt is needed.

If this file exists, please post it:
C:\ComboFix.txt

With Regards,
The Panda

#5 tonyb24

tonyb24
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:55 AM

Posted 19 February 2009 - 07:41 PM

Hi Panda, that was quick!

This is the Malware scan log

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

20/02/2009 00:36:08
mbam-log-2009-02-20 (00-36-08).txt

Scan type: Quick Scan
Objects scanned: 121426
Time elapsed: 25 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


This is the DDs.txt file

DDS (Ver_09-02-01.01) - NTFSx86
Run by Tony at 0:39:17.73 on 20/02/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.58 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161716270\ee\AOLSoftware.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\F6CK84XP\dds[1].scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [RemoteControl]
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [RemoteCenter]
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HostManager] c:\program files\common files\aol\1161716270\ee\AOLSoftware.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [AOLAspSunset2] c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161710922218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PFModNT.sys [2006-10-24 15840]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-7-31 38496]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-9-2 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-9-2 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-9-2 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-9-2 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-9-2 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-9-2 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-9-2 90800]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-19 22:36 250 a------- c:\windows\gmer.ini
2009-02-13 10:41 <DIR> --d----- C:\MS221
2009-02-13 10:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18791.exe
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18787.exe
2009-02-06 11:43 <DIR> --ds---- c:\documents and settings\tony\UserData
2009-01-31 17:17 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-31 16:55 <DIR> --dshr-- C:\autorun.inf
2009-01-28 23:13 4 a------- c:\windows\system32\gaopdxcounter
2009-01-28 23:11 <DIR> --d----- c:\program files\CMVideoPlugin

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2007-04-23 14:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 0:40:09.57 ===============


Thanks again

Tony

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:55 AM

Posted 20 February 2009 - 08:16 AM

Hello.

Please disable TeaTimer before proceeding.
To disable SpyBot's TeaTimer:
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted venders below:After installing, update the database, run a full system scan and remove any items found.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda

#7 tonyb24

tonyb24
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:55 AM

Posted 20 February 2009 - 12:33 PM

Hi Panda

Used AntiVir to scan system. It came up with problems which I have removed.

After Running GMER, this is the log.

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-02-20 17:28:49
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT F8B2A144 ZwCreateThread
SSDT F8B2A130 ZwOpenProcess
SSDT F8B2A135 ZwOpenThread
SSDT F8B2A13F ZwTerminateProcess
SSDT F8B2A13A ZwWriteVirtualMemory

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:B63300D1
ADS C:\Program Files\ATI Technologies\ATI.ACE\skins\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Scrollbar:Smaller.WB4
ADS C:\Program Files\Sonic Foundry\CD Architect 5.0\CDArch50.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINDOWS\pss\Registration Myst VStartup: End of Ages.LNK

---- EOF - GMER 1.0.12 ----

Thanks

Tony

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:55 AM

Posted 20 February 2009 - 03:17 PM

Hello Tony.

Looks like the infection was removed.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please also take a new DDS.txt log.

Any problems at the moment?

With REgards,
The Panda

#9 tonyb24

tonyb24
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:55 AM

Posted 26 February 2009 - 09:39 AM

Sorry for the delay Panda but here are the items you requested.
I am not experiencing many problems at the moment although I haven't tried to restore my PC. The problem I originally had seems to have disappeared although I still cannot use AVG. Thanks for your help.

Tony

F-Scanner
Scanning Report
Thursday, February 26, 2009 12:23:24 - 14:28:22
Computer name: POWERLOC-DM2MP8
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 5 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Questionmarket (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Webtrends (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 40317
System: 4419
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 5
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AOL 9.0 VR\ORGANIZE\BUTLERAM
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AOL 9.0 VR\ORGANIZE\CACHE\BUTLER00

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Blacklight: 0.0.0
F-Secure Hydra: 3.6.8511, 2009-02-26
F-Secure Pegasus: 1.20.0, 1970-00-01
F-Secure AVP: 7.0.171, 2009-02-26
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.




DDS.txt log

DDS (Ver_09-02-01.01) - NTFSx86
Run by Tony at 14:32:15.73 on 26/02/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.60 [GMT 0:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161716270\ee\AOLSoftware.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\DOCUME~1\Tony\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\Tony\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\Z7WWTHAO\dds[1].scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [RemoteControl]
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [RemoteCenter]
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HostManager] c:\program files\common files\aol\1161716270\ee\AOLSoftware.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [AOLAspSunset2] c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235169560281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-20 11840]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PFModNT.sys [2006-10-24 15840]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-20 52032]
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\tony\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2009-2-21 70144]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-9-2 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-9-2 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-9-2 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-9-2 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-9-2 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-9-2 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-9-2 90800]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-20 22:47 <DIR> --d----- C:\fsaua.data
2009-02-20 22:40 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-20 13:48 <DIR> --d----- c:\program files\Avira
2009-02-20 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-19 22:36 250 a------- c:\windows\gmer.ini
2009-02-13 10:41 <DIR> --d----- C:\MS221
2009-02-13 10:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18791.exe
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18787.exe
2009-02-06 11:43 <DIR> --ds---- c:\documents and settings\tony\UserData
2009-01-31 17:17 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-31 16:55 <DIR> --dshr-- C:\autorun.inf
2009-01-28 23:13 4 a------- c:\windows\system32\gaopdxcounter
2009-01-28 23:11 <DIR> --d----- c:\program files\CMVideoPlugin

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2007-04-23 14:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 14:34:42.65 ===============

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:55 AM

Posted 26 February 2009 - 03:40 PM

Hello.

Were you able to install all the updates? You are still at Service Pack 2.

If you were unable to install the updates, use the Service Pack 3 package.

With Regards,
The Panda

#11 tonyb24

tonyb24
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:55 AM

Posted 28 February 2009 - 06:21 AM

Hi Panda
Now installed Service Pack 3 and I've run all the scans again. The logs are below.
The file 'Trojan.BHO' seems to always appear whether I've removed it or not. Is this the problem?

Thanks

Tony

F-Scanner

Scanning Report
Friday, February 27, 2009 20:48:22 - 22:47:36
Computer name: POWERLOC-DM2MP8
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 5 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Specificclick (spyware)
System
TrackingCookie.Webtrends (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 45112
System: 4406
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 5
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AOL 9.0 VR\ORGANIZE\BUTLERAM
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AOL 9.0 VR\ORGANIZE\CACHE\BUTLER00

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Blacklight: 0.0.0
F-Secure Hydra: 3.6.8511, 2009-02-27
F-Secure Pegasus: 1.20.0, 1970-00-01
F-Secure AVP: 7.0.171, 2009-02-27
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.


Mbam

Malwarebytes' Anti-Malware 1.34
Database version: 1809
Windows 5.1.2600 Service Pack 3

27/02/2009 19:12:04
mbam-log-2009-02-27 (19-11-58).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 197132
Time elapsed: 1 hour(s), 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\CMVideoPlugin (Trojan.BHO) -> No action taken.

Files Infected:
(No malicious items detected)


Avira scan

Avira AntiVir Personal
Report file date: 27 February 2009 19:13

Scanning for 1270875 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: POWERLOC-DM2MP8

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 09:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 08:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 13:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 08:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 12:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 14:06:49
ANTIVIR2.VDF : 7.1.2.55 248832 Bytes 2/20/2009 13:49:18
ANTIVIR3.VDF : 7.1.2.95 183808 Bytes 2/27/2009 17:07:39
Engineversion : 8.2.0.98
AEVDF.DLL : 8.1.1.0 106868 Bytes 2/20/2009 14:07:02
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 07:12:55
AESCN.DLL : 8.1.1.7 127347 Bytes 2/20/2009 14:07:00
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 14:58:38
AEPACK.DLL : 8.1.3.8 397684 Bytes 2/20/2009 14:06:59
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 07:12:54
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/27/2009 07:12:54
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 07:12:50
AEGEN.DLL : 8.1.1.22 336245 Bytes 2/27/2009 07:12:50
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 11:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 2/20/2009 14:06:52
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 11:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 09:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 10:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 13:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 12:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 09:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 13:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 18:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 13:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 13:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 14:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 14:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 27 February 2009 19:13

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'WG111v3.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'CTDetect.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'type32.exe' - '1' Module(s) have been scanned
Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb09.exe' - '1' Module(s) have been scanned
Scan process 'hphmon05.exe' - '1' Module(s) have been scanned
Scan process 'InCD.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'incdsrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '68' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <Local Disk>


End of the scan: 27 February 2009 20:32
Used time: 1:19:32 Hour(s)

The scan has been done completely.

11091 Scanning directories
612975 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
612974 Files not concerned
3581 Archives were scanned
2 Warnings
0 Notes

DDS.txt

DDS (Ver_09-02-01.01) - NTFSx86
Run by Tony at 22:51:01.92 on 27/02/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.133 [GMT 0:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161716270\ee\AOLSoftware.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\LGXL7T93\dds[1].scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [RemoteControl]
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [RemoteCenter]
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HostManager] c:\program files\common files\aol\1161716270\ee\AOLSoftware.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [AOLAspSunset2] c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235169560281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235728719671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-20 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-20 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-20 151297]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PFModNT.sys [2006-10-24 15840]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-20 52032]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-9-2 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-9-2 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-9-2 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-9-2 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-9-2 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-9-2 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-9-2 90800]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-27 14:33 221,184 a------- c:\windows\system32\wmpns.dll
2009-02-27 13:41 33,792 -c------ c:\windows\system32\dllcache\custsat.dll
2009-02-27 13:39 <DIR> --d----- c:\windows\network diagnostic
2009-02-27 13:39 144,384 -------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-27 13:39 10,240 -------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-27 13:36 19,569 a------- c:\windows\005743_.tmp
2009-02-27 12:07 <DIR> --d----- c:\program files\MSXML 4.0
2009-02-27 11:34 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-02-27 11:33 666,112 -c------ c:\windows\system32\dllcache\wininet.dll
2009-02-27 11:33 619,520 -c------ c:\windows\system32\dllcache\urlmon.dll
2009-02-27 11:33 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll
2009-02-27 11:33 3,067,904 -c------ c:\windows\system32\dllcache\mshtml.dll
2009-02-27 11:33 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-02-27 11:33 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-27 11:33 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-27 11:33 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-27 11:33 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-27 11:32 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-02-27 11:32 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-27 11:31 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-02-27 11:31 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-02-27 11:31 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-02-27 11:30 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2009-02-27 11:30 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-02-27 10:16 268,648 a------- c:\windows\system32\mucltui.dll
2009-02-27 10:16 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-02-20 22:47 <DIR> --d----- C:\fsaua.data
2009-02-20 22:40 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-20 13:48 <DIR> --d----- c:\program files\Avira
2009-02-20 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-19 22:36 250 a------- c:\windows\gmer.ini
2009-02-13 10:41 <DIR> --d----- C:\MS221
2009-02-13 10:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18791.exe
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18787.exe
2009-02-06 11:43 <DIR> --ds---- c:\documents and settings\tony\UserData
2009-01-31 17:17 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-31 16:55 <DIR> --dshr-- C:\autorun.inf

==================== Find3M ====================

2009-02-27 13:50 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2007-04-23 14:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 22:52:37.79 ===============

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:55 AM

Posted 28 February 2009 - 10:46 AM

Hello.

Looks like some adware appeared.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :services
    
    :processes
    iexplore.exe
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AOLAspSunset2"=-
    
    :files
    c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe
    C:\Program Files\CMVideoPlugin\
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows expect OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Scan with MalwareBytes and DDS again after please.

With Regards,
The Panda

#13 tonyb24

tonyb24
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:55 AM

Posted 28 February 2009 - 03:24 PM

Hi

Here are the logs you asked for.

Tony

OT Move It

========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
Unable to kill process: iexplore.exe
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AOLAspSunset2 deleted successfully.
========== FILES ==========
File/Folder c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe not found.
Folder C:\Program Files\CMVideoPlugin not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Tony\LOCALS~1\Temp\ mon002.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7a0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02282009_180054

Files moved on Reboot...
C:\DOCUME~1\Tony\LOCALS~1\Temp\ mon002.log moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_7a0.dat not found!


MBAM

Malwarebytes' Anti-Malware 1.34
Database version: 1809
Windows 5.1.2600 Service Pack 3

28/02/2009 20:10:13
mbam-log-2009-02-28 (20-10-13).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 195223
Time elapsed: 1 hour(s), 7 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS.txt

DDS (Ver_09-02-01.01) - NTFSx86
Run by Tony at 20:19:19.65 on 28/02/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.122 [GMT 0:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161716270\ee\AOLSoftware.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\LGXL7T93\dds[1].scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [RemoteControl]
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [RemoteCenter]
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HostManager] c:\program files\common files\aol\1161716270\ee\AOLSoftware.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235169560281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235728719671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-20 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-20 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-20 151297]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PFModNT.sys [2006-10-24 15840]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-20 52032]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-9-2 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-9-2 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-9-2 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-9-2 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-9-2 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-9-2 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-9-2 90800]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-28 18:00 <DIR> --d----- C:\_OTMoveIt
2009-02-27 14:33 221,184 a------- c:\windows\system32\wmpns.dll
2009-02-27 13:41 33,792 -c------ c:\windows\system32\dllcache\custsat.dll
2009-02-27 13:39 <DIR> --d----- c:\windows\network diagnostic
2009-02-27 13:39 144,384 -------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-27 13:39 10,240 -------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-27 13:36 19,569 a------- c:\windows\005743_.tmp
2009-02-27 12:07 <DIR> --d----- c:\program files\MSXML 4.0
2009-02-27 11:34 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-02-27 11:33 666,112 -c------ c:\windows\system32\dllcache\wininet.dll
2009-02-27 11:33 619,520 -c------ c:\windows\system32\dllcache\urlmon.dll
2009-02-27 11:33 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll
2009-02-27 11:33 3,067,904 -c------ c:\windows\system32\dllcache\mshtml.dll
2009-02-27 11:33 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-02-27 11:33 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-27 11:33 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-27 11:33 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-27 11:33 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-27 11:32 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-02-27 11:32 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-27 11:31 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-02-27 11:31 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-02-27 11:31 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-02-27 11:30 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2009-02-27 11:30 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-02-27 10:16 268,648 a------- c:\windows\system32\mucltui.dll
2009-02-27 10:16 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-02-20 22:47 <DIR> --d----- C:\fsaua.data
2009-02-20 22:40 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-20 13:48 <DIR> --d----- c:\program files\Avira
2009-02-20 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-19 22:36 250 a------- c:\windows\gmer.ini
2009-02-13 10:41 <DIR> --d----- C:\MS221
2009-02-13 10:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18791.exe
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18787.exe
2009-02-06 11:43 <DIR> --ds---- c:\documents and settings\tony\UserData
2009-01-31 17:17 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-31 16:55 <DIR> --dshr-- C:\autorun.inf

==================== Find3M ====================

2009-02-27 13:50 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2007-04-23 14:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 20:20:38.93 ===============

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:55 AM

Posted 28 February 2009 - 04:26 PM

Hello.

Are there any issues at the moment?

With Regards,
The Panda

#15 tonyb24

tonyb24
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:55 AM

Posted 02 March 2009 - 06:47 AM

Hi Panda

I don't seem to have the issues at the moment that I had when starting this thread.

I was not able to restore my pc before but have now been able to do this. However, when restoring I noticed that 'move it' had disappeared from my desktop. Therefore I have repeated what you asked me to do and have posted the logs below.

Thanks

Tony

Move It log

========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
Unable to kill process: iexplore.exe
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AOLAspSunset2 deleted successfully.
========== FILES ==========
File/Folder c:\documents and settings\all users\application data\aol\userprofiles\all users\antispyware\dat\updates\aspapp\sunsetAsp2.exe not found.
Folder C:\Program Files\CMVideoPlugin not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Tony\LOCALS~1\Temp\ mon003.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1c0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03012009_123600

Files moved on Reboot...
C:\DOCUME~1\Tony\LOCALS~1\Temp\ mon003.log moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_1c0.dat not found!


MBAM log

Malwarebytes' Anti-Malware 1.34
Database version: 1809
Windows 5.1.2600 Service Pack 3

02/03/2009 11:36:16
mbam-log-2009-03-02 (11-36-16).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 195821
Time elapsed: 1 hour(s), 14 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS.txt log


DDS (Ver_09-02-01.01) - NTFSx86
Run by Tony at 11:39:07.50 on 02/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.108 [GMT 0:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161716270\ee\AOLSoftware.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FirstClass\fcc32.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\ZVEM84B0\dds[1].scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [RemoteControl]
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [RemoteCenter]
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HostManager] c:\program files\common files\aol\1161716270\ee\AOLSoftware.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235169560281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235728719671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-20 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-20 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-20 151297]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PFModNT.sys [2006-10-24 15840]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-20 52032]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2007-9-2 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2007-9-2 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2007-9-2 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2007-9-2 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2007-9-2 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2007-9-2 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2007-9-2 90800]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-28 18:00 <DIR> --d----- C:\_OTMoveIt
2009-02-27 14:33 221,184 a------- c:\windows\system32\wmpns.dll
2009-02-27 13:41 33,792 -c------ c:\windows\system32\dllcache\custsat.dll
2009-02-27 13:39 <DIR> --d----- c:\windows\network diagnostic
2009-02-27 13:39 144,384 -------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-27 13:39 10,240 -------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-27 13:36 19,569 a------- c:\windows\005743_.tmp
2009-02-27 12:07 <DIR> --d----- c:\program files\MSXML 4.0
2009-02-27 11:34 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-02-27 11:33 666,112 -c------ c:\windows\system32\dllcache\wininet.dll
2009-02-27 11:33 619,520 -c------ c:\windows\system32\dllcache\urlmon.dll
2009-02-27 11:33 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll
2009-02-27 11:33 3,067,904 -c------ c:\windows\system32\dllcache\mshtml.dll
2009-02-27 11:33 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-02-27 11:33 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-27 11:33 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-27 11:33 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-27 11:33 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-27 11:32 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-02-27 11:32 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-27 11:31 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-02-27 11:31 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-02-27 11:31 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-02-27 11:30 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2009-02-27 11:30 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-02-27 10:16 268,648 a------- c:\windows\system32\mucltui.dll
2009-02-27 10:16 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-02-20 22:47 <DIR> --d----- C:\fsaua.data
2009-02-20 22:40 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-20 13:48 <DIR> --d----- c:\program files\Avira
2009-02-20 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-19 22:36 250 a------- c:\windows\gmer.ini
2009-02-13 10:41 <DIR> --d----- C:\MS221
2009-02-13 10:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18791.exe
2009-02-06 11:51 388,608 a------- c:\windows\system32\CF18787.exe
2009-02-06 11:43 <DIR> --ds---- c:\documents and settings\tony\UserData
2009-01-31 17:17 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-31 16:55 <DIR> --dshr-- C:\autorun.inf

==================== Find3M ====================

2009-02-27 13:50 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2007-04-23 14:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 11:40:24.34 ===============




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users