hijack this log: malware infected so that google links dont work


  • This topic is locked
25 replies to this topic

#1 adocherty

adocherty

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 20 March 2009 - 05:40 PM

Hey everyone,
just today my computer was hit with what seems to be a malware infection.
It won't show cached Google links and opens new links in new windows.
Some malware programs will not install.
Shown below is my HijackThis log.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:50 PM, on 3/20/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Skype] "C:\Windows.old\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9D31FA8-4DF6-4EC1-9B53-E5224FD6C8A9}: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{B08418B0-4E94-4BB2-9639-D358712DA558}: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 7503 bytes


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:20 AM

Posted 21 March 2009 - 08:30 PM

Hello adocherty. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you.


I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.


In the upper right-hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this, then choosing Immediate E-Mail notification and clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please perform the following:



Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.




Please go HERE and follow the instructions for #6 and post both logs DDS produces (do not post either as an attachment).





When completed please post both logs from DDS as well as the one from Kaspersky.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 adocherty

adocherty
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 23 March 2009 - 08:57 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 23, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 23, 2009 23:13:13
Records in database: 1958593
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 92149
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:20:09


File name / Threat name / Threats count
C:\Windows\System32\gaopdxbcfwpxqxbgrpcxvxxhrqqnrmrvvuwfhp.dll Infected: Packed.Win32.Tdss.f 1

The selected area was scanned.




----------------------------------------Below is the DDS log-------------------------------------



DDS (Ver_09-03-16.01) - NTFSx86
Run by Aidan Docherty at 18:55:30.63 on Mon 03/23/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3030.1137 [GMT -7:00]

AV: AVG *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows.old\Program Files\Skype\Phone\Skype.exe
C:\Windows.old\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Users\Aidan Docherty\AppData\Local\Temp\jkos-Aidan Docherty\binaries\ScanningProcess.exe
C:\Users\Aidan Docherty\AppData\Local\Temp\jkos-Aidan Docherty\binaries\ScanningProcess.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Aidan Docherty\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Skype] "c:\windows.old\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MsnMsgr] "c:\windows.old\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\users\aidand~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 85.255.112.129,85.255.112.84
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\aidand~1\appdata\roaming\mozilla\firefox\profiles\h9hxw5ut.default\
FF - prefs.js: browser.startup.homepage - google.ca
FF - plugin: c:\windows.old\program files\mozilla firefox\plugins\np_gp.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-20 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-19 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-1 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-19 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-19 298264]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2009-1-21 5120]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-1-18 112128]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-2-24 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-1-18 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-1-18 277504]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-23 33752]

=============== Created Last 30 ================

2009-03-20 16:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-20 16:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 16:48 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-20 16:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 16:48 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-20 15:30 <DIR> --d----- c:\program files\Trend Micro
2009-03-20 13:40 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-20 13:29 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-20 13:29 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-20 13:29 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-20 13:28 <DIR> --d----- c:\programdata\Lavasoft
2009-03-20 13:28 <DIR> --d----- c:\program files\Lavasoft
2009-03-20 00:09 <DIR> --d----- c:\program files\VideoLAN
2009-03-20 00:02 19,456 a------- c:\windows\system32\gaopdxbcfwpxqxbgrpcxvxxhrqqnrmrvvuwfhp.dll
2009-03-20 00:02 4 a------- c:\windows\system32\gaopdxcounter
2009-03-13 16:29 <DIR> --d----- c:\users\aidan docherty\Tracing
2009-03-13 16:25 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-10 16:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-10 16:59 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-10 16:59 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-10 16:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-10 16:58 268,288 a------- c:\windows\system32\schannel.dll
2009-03-10 16:56 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-25 12:36 <DIR> --d----- c:\users\aidand~1\appdata\roaming\FrostWire
2009-02-25 12:36 <DIR> --d----- c:\program files\FrostWire

==================== Find3M ====================

2009-03-09 11:13 226 a------- c:\users\aidand~1\appdata\roaming\wklnhst.dat
2009-02-13 17:10 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-13 17:10 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-13 17:10 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-21 18:41 86,016 a------- c:\windows\inf\infstor.dat
2009-01-21 18:41 51,200 a------- c:\windows\inf\infpub.dat
2009-01-21 18:41 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-20 13:43 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-19 01:42 665,600 a------- c:\windows\inf\drvindex.dat
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:55:59.85 ===============

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:20 AM

Posted 24 March 2009 - 08:51 AM

There should have been another log produced by DDS called Attach.txt. Although the instructions say to post it as an attachment please post it like you did the other.

#5 adocherty

adocherty
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 24 March 2009 - 12:14 PM

I apologize, that is my mistake.

I attached a zipped "Attach" folder and am posting the contents here just in case.

Sorry again

A


------------------------------

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 1/18/2009 12:56:00 PM
System Uptime: 3/24/2009 9:22:02 AM (1 hours ago)

Motherboard: Dell Inc. | | 0P792H
Processor: Intel® Pentium® Dual CPU T3200 @ 2.00GHz | U2E1 | 2000/8194mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 223 GiB total, 149.652 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.734 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ACPI\ITE8708\4&1D041D47&0
Manufacturer:
Name:
PNP Device ID: ACPI\ITE8708\4&1D041D47&0
Service:

==== System Restore Points ===================


==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
AAC Decoder
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Advanced Audio FX Engine
Apple Mobile Device Support
Apple Software Update
AutoUpdate
AVG Free 8.0
BitTorrent
Bonjour
Broadcom Gigabit NetLink Controller
CCleaner (remove only)
Choice Guard
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Dell Dock
Dell Resource CD
Dell Webcam Central
Dell Wireless WLAN Card Utility
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
FrostWire 4.17.2
getPlus® for Adobe
H.264 Decoder
HijackThis 2.0.2
Integrated Webcam Driver (1.02.02.0603)
Intel® Graphics Media Accelerator Driver
iTunes
Java™ 6 Update 11
Live! Cam Avatar Creator
Malwarebytes' Anti-Malware
MediaDirect
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MKV Splitter
Mozilla Firefox (3.0.7)
MSVCRT
QuickSet
QuickTime
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.05
Samsung ML-2010 Series
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
VC80CRTRedist - 8.0.50727.762
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool

==== End Of File ===========================


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:20 AM

Posted 24 March 2009 - 04:03 PM

No problem, we have what we need now.




Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case FrostWire and BitTorrent). These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further reading on this subject, at the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology".




WINDOWS DEFENDER
  • Click Start > Programs > Windows Defender or launch from the system tray icon.
  • Click on Tools & Settings > Options.
  • Under Real-time protection options, uncheck the "Real-time protection" check box.
  • Click Save.
  • Go to Start > Control Panel > Security > Windows Defender; at the bottom of the Windows Defender page, under Administrator Options, uncheck "Use Windows Defender" and then click Save.
  • (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)



Please download gmer.zip from Gmer and save it to your desktop.

Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
Right click on gmer.exe and select Run as administrator to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.
If you receive no notice, click on the Scan button.
  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.
Note: Do not run any programs while Gmer is running.








Launch your MalwareBytes and check for updates. After updating check Perform Full Scan and run the program.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of log.txt. I do not need the one from info.txt

When completed I will need the following:
  • Gmer.txt
  • MBAM report
  • RSIT log

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 adocherty
  • Topic Starter
  • Members
  • 14 posts

Posted 26 March 2009 - 06:53 PM

hey thanks
I will post that information on Monday as I have two huge papers to write for classes on Monday morning.
Thanks a lot for your help so far

ad

#8 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 26 March 2009 - 07:31 PM

Ok, thanks for letting me know and good luck with your papers.

#9 adocherty
  • Topic Starter
  • Members
  • 14 posts

Posted 30 March 2009 - 01:48 PM

hey so I just have a quick question - MBAM found and removed the infected file(s),
but do you still want me to run the other programs just in case?

I've attached the MBAM log in case that is all I needed. I'm just in class now, so once I'm home I'll post the other logs.

Thanks !!

Malwarebytes' Anti-Malware 1.34
Database version: 1863
Windows 6.0.6001 Service Pack 1

3/29/2009 3:28:56 PM
mbam-log-2009-03-29 (15-28-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 161271
Time elapsed: 4 hour(s), 11 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.129,85.255.112.84 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.129,85.255.112.84 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.129,85.255.112.84 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-8-0-42-100026809-100018379-100026963-5108.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#10 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 30 March 2009 - 04:08 PM

Yes, we still need to take a look at the others. Thanks.

#11 adocherty
  • Topic Starter
  • Members
  • 14 posts

Posted 01 April 2009 - 01:15 PM

hey sorry about the wait
I have one assignment to drop off in class today and I will post the logs asap

apologies,

AD

#12 adocherty
  • Topic Starter
  • Members
  • 14 posts

Posted 01 April 2009 - 06:35 PM

here is the RSIT "log.txt" log first and the GMER log second

Logfile of random's system information tool 1.06 (written by random/random)
Run by Aidan Docherty at 2009-04-01 16:29:03
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 156 GB (68%) free of 228 GB
Total RAM: 3030 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:16 PM, on 4/1/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Aidan Docherty\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Aidan Docherty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Skype] "C:\Windows.old\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Windows.old\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 6593 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-02-13 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-20 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-20 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-08-26 150040]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-08-26 178712]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-08-26 154136]
"Broadcom Wireless Manager UI"=C:\Windows\system32\WLTRAY.exe [2008-06-02 3563520]
"Dell Webcam Central"=C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe [2008-06-03 446635]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2008-07-04 132392]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-02-13 1601304]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-20 136600]
"Samsung PanelMgr"=C:\Windows\Samsung\PanelMgr\SSMMgr.exe [2007-01-03 520192]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-09 515416]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-20 1233920]
"Skype"=C:\Windows.old\Program Files\Skype\Phone\Skype.exe [2008-11-18 21633320]
"MsnMsgr"=C:\Windows.old\Program Files\Windows Live\Messenger\msnmsgr.exe [2007-10-18 5724184]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe

C:\Users\Aidan Docherty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-08-14 221184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-04-01 16:29:03 ----D---- C:\rsit
2009-03-29 11:34:10 ----D---- C:\ProgramData\WindowsSearch
2009-03-29 01:25:41 ----D---- C:\Users\Aidan Docherty\AppData\Roaming\Malwarebytes
2009-03-20 16:48:01 ----D---- C:\ProgramData\Malwarebytes
2009-03-20 16:48:01 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-20 16:07:12 ----D---- C:\Program Files\Windows Live Safety Center
2009-03-20 15:30:49 ----D---- C:\Program Files\Trend Micro
2009-03-20 13:40:47 ----A---- C:\Windows\system32\lsdelete.exe
2009-03-20 13:29:02 ----HDC---- C:\ProgramData\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-20 13:28:05 ----D---- C:\ProgramData\Lavasoft
2009-03-20 13:28:05 ----D---- C:\Program Files\Lavasoft
2009-03-20 00:09:41 ----D---- C:\Program Files\VideoLAN
2009-03-20 00:02:59 ----A---- C:\Windows\system32\gaopdxbcfwpxqxbgrpcxvxxhrqqnrmrvvuwfhp.dll
2009-03-20 00:02:56 ----D---- C:\RECYCLER
2009-03-13 16:25:25 ----D---- C:\Program Files\Windows Live SkyDrive
2009-03-10 16:59:51 ----A---- C:\Windows\system32\wmp.dll
2009-03-10 16:59:49 ----A---- C:\Windows\system32\wmploc.DLL
2009-03-10 16:59:49 ----A---- C:\Windows\system32\spwmp.dll
2009-03-10 16:59:49 ----A---- C:\Windows\system32\dxmasf.dll
2009-03-10 16:58:21 ----A---- C:\Windows\system32\schannel.dll

======List of files/folders modified in the last 1 months======

2009-04-01 16:29:00 ----D---- C:\Windows\Temp
2009-04-01 13:04:31 ----HD---- C:\$AVG8.VAULT$
2009-04-01 11:55:14 ----D---- C:\Users\Aidan Docherty\AppData\Roaming\Skype
2009-04-01 10:58:48 ----D---- C:\Windows\System32
2009-04-01 10:58:48 ----D---- C:\Windows\inf
2009-04-01 10:58:48 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-03-30 17:58:35 ----SHD---- C:\System Volume Information
2009-03-29 15:31:18 ----D---- C:\Windows\system32\drivers
2009-03-29 14:30:00 ----D---- C:\Program Files\Mozilla Firefox
2009-03-29 12:50:47 ----SHD---- C:\Windows\Installer
2009-03-29 11:34:10 ----HD---- C:\ProgramData
2009-03-28 17:39:23 ----D---- C:\Users\Aidan Docherty\AppData\Roaming\BitTorrent
2009-03-28 11:16:28 ----D---- C:\Windows
2009-03-27 11:18:10 ----D---- C:\Users\Aidan Docherty\AppData\Roaming\FrostWire
2009-03-27 01:06:34 ----D---- C:\Windows\Prefetch
2009-03-22 02:07:25 ----RD---- C:\Program Files
2009-03-20 21:04:39 ----SD---- C:\Windows\Downloaded Program Files
2009-03-20 18:45:43 ----SD---- C:\Users\Aidan Docherty\AppData\Roaming\Microsoft
2009-03-20 14:21:10 ----SHD---- C:\$Recycle.Bin
2009-03-20 14:20:08 ----RD---- C:\Users
2009-03-20 13:30:03 ----D---- C:\Windows\system32\Tasks
2009-03-20 13:29:59 ----D---- C:\Windows\Tasks
2009-03-20 13:29:25 ----D---- C:\Windows\system32\catroot
2009-03-20 13:29:24 ----DC---- C:\Windows\system32\DRVSTORE
2009-03-20 13:27:51 ----D---- C:\Windows\winsxs
2009-03-20 12:04:48 ----D---- C:\Windows\Debug
2009-03-13 16:25:31 ----D---- C:\Program Files\Common Files\microsoft shared
2009-03-13 16:24:52 ----D---- C:\Program Files\Windows Live
2009-03-11 14:34:32 ----D---- C:\Program Files\Windows Media Player
2009-03-11 14:34:32 ----D---- C:\Program Files\Windows Mail
2009-03-11 11:53:25 ----D---- C:\ProgramData\Microsoft Help
2009-03-11 11:50:59 ----D---- C:\Windows\system32\catroot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-02-13 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-02-13 27656]
R1 AvgTdiX;AVG8 Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-02-13 107272]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2008-02-15 46592]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-07-30 43008]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-07-30 38400]
R2 SSPORT;SSPORT; \??\C:\Windows\system32\Drivers\SSPORT.sys [2006-12-08 5120]
R3 BCM42RLY;BCM42RLY; C:\Windows\system32\drivers\BCM42RLY.sys [2008-06-02 18424]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2008-06-02 1207288]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-08-14 2469888]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI; C:\Windows\system32\drivers\IntcHdmi.sys [2008-07-15 112128]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\k57nd60x.sys [2008-02-24 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver; C:\Windows\system32\DRIVERS\OA001Ufd.sys [2008-06-03 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver; C:\Windows\system32\DRIVERS\OA001Vid.sys [2008-05-13 277504]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-20 88576]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
S2 DgiVecp;DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [2006-12-08 41984]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 inyafakj;inyafakj; \??\C:\Users\AIDAND~1\AppData\Local\Temp\inyafakj.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-02-13 903960]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-02-13 298264]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 DockLoginService;Dock Login Service; C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\Windows\System32\WLTRYSVC.EXE [2008-06-02 24064]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------


GMER LOG
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-01 16:26:07
Windows 6.0.6001 Service Pack 1


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\gaopdxmtmqksvdfnoddpnewmvreqpixpiobiru.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxmtmqksvdfnoddpnewmvreqpixpiobiru.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxmtmqksvdfnoddpnewmvreqpixpiobiru.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxbcfwpxqxbgrpcxvxxhrqqnrmrvvuwfhp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A9D31FA8-4DF6-4EC1-9B53-E5224FD6C8A9}@LeaseObtainedTime 1238627029
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A9D31FA8-4DF6-4EC1-9B53-E5224FD6C8A9}@T1 1238670229
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A9D31FA8-4DF6-4EC1-9B53-E5224FD6C8A9}@T2 1238702629
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A9D31FA8-4DF6-4EC1-9B53-E5224FD6C8A9}@LeaseTerminatesTime 1238713429
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxmtmqksvdfnoddpnewmvreqpixpiobiru.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxmtmqksvdfnoddpnewmvreqpixpiobiru.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxbcfwpxqxbgrpcxvxxhrqqnrmrvvuwfhp.dll

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\LogFiles\Scm\SCM.EVM (size mismatch) 393216/360448 bytes

---- EOF - GMER 1.0.15 ----
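
The two findings in the logs above, the rewritten NameServer values in the MBAM report (post #9) and the hidden gaopdxserv.sys service in the GMER log, are the high-signal items a responder would want pulled out of such logs automatically. The following is an added example, not code from the thread or from either tool; the log excerpts are constructed from the lines posted above, and the EXPECTED_DNS allowlist is an assumed home-router address standing in for whatever resolvers the owner actually configured.

```python
"""Triage helper for MBAM and GMER logs (added example, not thread code).

Assumptions: the log excerpts are constructed from the lines posted in this
thread, and EXPECTED_DNS is a made-up home-router address standing in for
the resolvers the owner actually configured.
"""
import re
from typing import NamedTuple

# Assumption: the only DNS server the owner expects to see in NameServer.
EXPECTED_DNS = {"192.168.1.1"}

# Constructed excerpt of the MBAM "Registry Data Items Infected" section.
MBAM_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.129,85.255.112.84 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.129,85.255.112.84 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# Constructed excerpt of the GMER services and registry sections.
GMER_LOG = r"""---- Services - GMER 1.0.15 ----

Service system32\drivers\gaopdxmtmqksvdfnoddpnewmvreqpixpiobiru.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxmtmqksvdfnoddpnewmvreqpixpiobiru.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxbcfwpxqxbgrpcxvxxhrqqnrmrvvuwfhp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A9D31FA8-4DF6-4EC1-9B53-E5224FD6C8A9}@T1 1238670229
"""


class DnsFinding(NamedTuple):
    key: str            # registry value MBAM flagged
    servers: tuple      # resolvers that had been written into NameServer
    unexpected: tuple   # those not in the allowlist
    status: str         # what MBAM did about it


class HiddenService(NamedTuple):
    name: str           # service key GMER found hidden from the service API
    image: str          # driver file backing it
    modules: tuple      # extra modules registered under <service>\modules


NAMESERVER_RE = re.compile(
    r"^(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\Tcpip\\Parameters\\NameServer)"
    r" \((?P<detection>[^)]+)\) -> Data: (?P<data>\S+) -> (?P<status>.+?)\.?$"
)
HIDDEN_RE = re.compile(
    r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (?P<name>\S+)"
)
SERVICE_REG_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\@]+)"
    r"(?P<sub>\\modules)?@(?P<value>\w+) (?P<data>.+)$"
)


def parse_mbam_nameserver(log, expected=EXPECTED_DNS):
    """Return one DnsFinding per NameServer value MBAM reported."""
    findings = []
    for line in log.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        servers = tuple(s for s in m["data"].split(",") if s)
        unexpected = tuple(s for s in servers if s not in expected)
        findings.append(DnsFinding(m["key"], servers, unexpected, m["status"]))
    return findings


def parse_gmer_hidden_services(log):
    """Return the services GMER marked hidden, with their registered modules."""
    hidden = {}
    for line in log.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            hidden[m["name"]] = {"image": m["image"], "modules": []}
    for line in log.splitlines():
        m = SERVICE_REG_RE.match(line)
        if m and m["svc"] in hidden and m["sub"]:
            hidden[m["svc"]]["modules"].append(m["data"])
    return [HiddenService(n, d["image"], tuple(d["modules"])) for n, d in hidden.items()]


def triage(mbam_log, gmer_log, expected=EXPECTED_DNS):
    """Summarise: was DNS hijacked, and is anything still hiding after cleanup?"""
    dns = parse_mbam_nameserver(mbam_log, expected)
    hidden = parse_gmer_hidden_services(gmer_log)
    rogue = sorted({s for f in dns for s in f.unexpected})
    return {
        "dns_hijacked": bool(rogue),
        "rogue_resolvers": rogue,
        "hidden_services": [h.name for h in hidden],
        # MBAM removed the NameServer values, but a service GMER still cannot
        # see through the normal API means the cleanup is not finished, which
        # is why the helper asks for a further tool in the next reply.
        "cleanup_complete": not hidden,
    }


if __name__ == "__main__":
    for k, v in triage(MBAM_LOG, GMER_LOG).items():
        print(f"{k}: {v}")
```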

#13 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 02 April 2009 - 09:40 AM

You have a rootkit present on your machine; we need to do the following:

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#14 adocherty
  • Topic Starter
  • Members
  • 14 posts

Posted 02 April 2009 - 02:09 PM

ComboFix 09-04-01.01 - Aidan Docherty 2009-04-02 11:59:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3030.1795 [GMT -7:00]
Running from: c:\users\Aidan Docherty\Desktop\ComboFix.exe
AV: AVG *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gaopdxbcfwpxqxbgrpcxvxxhrqqnrmrvvuwfhp.dll
d:\recycler\S-8-0-42-100026809-100018379-100026963-5108.com

.
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-02 11:51 . 2009-04-02 11:56 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-04-01 16:29 . 2009-04-01 16:29 <DIR> d-------- C:\rsit
2009-03-29 11:34 . 2009-03-29 11:34 <DIR> d-------- c:\users\All Users\WindowsSearch
2009-03-29 11:34 . 2009-03-29 11:34 <DIR> d-------- c:\programdata\WindowsSearch
2009-03-29 01:25 . 2009-03-29 01:25 <DIR> d-------- c:\users\Aidan Docherty\AppData\Roaming\Malwarebytes
2009-03-20 16:48 . 2009-03-20 16:48 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-20 16:48 . 2009-03-20 16:48 <DIR> d-------- c:\programdata\Malwarebytes
2009-03-20 16:48 . 2009-03-20 16:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 16:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-20 16:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-20 16:07 . 2009-03-29 12:50 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-20 15:30 . 2009-03-20 15:30 <DIR> d-------- c:\program files\Trend Micro
2009-03-20 14:20 . 2009-03-20 14:20 <DIR> dr------- c:\users\Guest\Videos
2009-03-20 14:20 . 2009-03-20 14:20 <DIR> dr------- c:\users\Guest\Searches
2009-03-20 14:20 . 2009-03-20 14:20 <DIR> dr------- c:\users\Guest\Saved Games
2009-03-20 14:20 . 2009-03-20 14:20 <DIR> dr------- c:\users\Guest\Pictures
2009-03-20 14:20 . 2009-03-20 14:20 <DIR> dr------- c:\users\Guest\Music
2009-03-20 14:20 . 2009-03-20 14:20 <DIR> dr------- c:\users\Guest\Links
2009-03-20 14:20 . 2009-03-20 14:24 <DIR> dr------- c:\users\Guest\Downloads
2009-03-20 14:20 . 2009-03-20 14:22 <DIR> dr------- c:\users\Guest\Documents
2009-03-20 14:20 . 2009-03-20 14:20 <DIR> dr------- c:\users\Guest\Contacts
2009-03-20 14:20 . 2006-11-02 05:37 <DIR> d-------- c:\users\Guest\AppData\Roaming\Media Center Programs
2009-03-20 14:20 . 2009-03-20 14:20 <DIR> d--h----- c:\users\Guest\AppData
2009-03-20 14:20 . 2009-03-20 14:20 <DIR> d-------- c:\users\Guest
2009-03-20 13:40 . 2009-03-09 12:06 15,688 --a------ c:\windows\System32\lsdelete.exe
2009-03-20 13:29 . 2009-03-20 13:29 <DIR> d--h-c--- c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-20 13:29 . 2009-03-20 13:29 <DIR> d--h-c--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-20 13:29 . 2009-03-09 12:06 64,160 --a------ c:\windows\System32\drivers\Lbd.sys
2009-03-20 13:28 . 2009-03-20 13:29 <DIR> d-------- c:\users\All Users\Lavasoft
2009-03-20 13:28 . 2009-03-20 13:29 <DIR> d-------- c:\programdata\Lavasoft
2009-03-20 13:28 . 2009-03-20 13:28 <DIR> d-------- c:\program files\Lavasoft
2009-03-20 00:09 . 2009-03-20 00:09 <DIR> d-------- c:\program files\VideoLAN
2009-03-13 16:29 . 2009-03-20 16:01 <DIR> d-------- c:\users\Aidan Docherty\Tracing
2009-03-13 16:25 . 2009-03-13 16:25 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-10 16:59 . 2008-12-15 20:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 16:59 . 2008-12-15 22:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 16:59 . 2008-12-15 22:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 16:59 . 2008-12-15 22:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-10 16:58 . 2008-11-26 21:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 16:56 . 2009-02-08 20:10 2,033,152 --a------ c:\windows\System32\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 18:55 --------- d-----w c:\programdata\avg8
2009-04-02 18:46 --------- d-----w c:\users\Aidan Docherty\AppData\Roaming\Skype
2009-03-29 00:39 --------- d-----w c:\users\Aidan Docherty\AppData\Roaming\BitTorrent
2009-03-27 18:18 --------- d-----w c:\users\Aidan Docherty\AppData\Roaming\FrostWire
2009-03-13 23:24 --------- d-----w c:\program files\Windows Live
2009-03-11 21:34 --------- d-----w c:\program files\Windows Mail
2009-03-11 18:53 --------- d-----w c:\programdata\Microsoft Help
2009-03-09 18:13 226 ----a-w c:\users\Aidan Docherty\AppData\Roaming\wklnhst.dat
2009-02-25 19:36 --------- d-----w c:\program files\FrostWire
2009-02-23 04:29 --------- d-----w c:\users\Aidan Docherty\AppData\Roaming\LimeWire
2009-02-14 22:33 --------- d-----w c:\program files\Microsoft.NET
2009-02-14 00:10 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-14 00:10 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-14 00:10 10,520 ----a-w c:\windows\System32\avgrsstx.dll
2009-02-12 09:49 --------- d-----w c:\users\Aidan Docherty\AppData\Roaming\Apple Computer
2009-02-07 01:52 49,504 ----a-w c:\windows\System32\sirenacm.dll
2009-02-03 08:12 --------- d-----w c:\programdata\Creative
2009-01-20 20:43 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"Skype"="c:\windows.old\Program Files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"MsnMsgr"="c:\windows.old\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-26 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-26 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-26 154136]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 3563520]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-07-04 132392]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-13 1601304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-20 136600]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2007-01-03 520192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

c:\users\Aidan Docherty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-12-18 1312096]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-07-31 1616976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{8DB7F0D4-61D8-4F91-88F3-6B27E0D005D7}c:\\windows.old\\program files\\skype\\phone\\skype.exe"= UDP:c:\windows.old\program files\skype\phone\skype.exe:Skype
"UDP Query User{3C828E9E-8172-4A3E-B821-AEC75BB01BD9}c:\\windows.old\\program files\\skype\\phone\\skype.exe"= TCP:c:\windows.old\program files\skype\phone\skype.exe:Skype
"{5080814B-991E-43A9-95F2-B1E36BB82599}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{DB12C6D6-1A10-4190-9204-C16058CF2D1F}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{F7DB2BDA-DA57-4C79-B087-207605708DF5}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{49D00F42-9099-43A3-959D-251AB4AE418C}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"TCP Query User{523CA83C-CEE6-4B3C-B3A1-55E92FC29F5D}c:\\windows.old\\program files\\windows live\\messenger\\msnmsgr.exe"= UDP:c:\windows.old\program files\windows live\messenger\msnmsgr.exe:Windows Live Messenger
"UDP Query User{B962FA1B-5EE4-400E-B529-3C2BEC34826D}c:\\windows.old\\program files\\windows live\\messenger\\msnmsgr.exe"= TCP:c:\windows.old\program files\windows live\messenger\msnmsgr.exe:Windows Live Messenger
"{D9D51A4D-DF15-4232-8D2D-5C269E608015}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{83284473-20CB-4C6A-9A06-C757A69B47B8}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{FBC4D75C-E497-4010-A278-4A432EA84B89}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{722F9071-765E-46E8-82B5-75560E6AF971}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{2189E747-D6BF-4B45-AE3F-CCDB56BDF7F5}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{C1CE772B-328C-4E2D-928B-ACC08017D754}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"{9C20BFD5-7A11-40C4-929F-80AA4A4D655A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0A726574-FF20-4B78-ADFE-C6E9ACB864A1}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1EBB6F3C-4E81-40CC-ADF6-9D442E05033A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3C351FF6-BAA3-4FD6-B268-8FDA0F0A204B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{2F525BDB-6E8A-4852-8737-CAA11B8BE464}c:\\windows.old\\program files\\windows live\\messenger\\msnmsgr.exe"= UDP:c:\windows.old\program files\windows live\messenger\msnmsgr.exe:Windows Live Messenger
"TCP Query User{A1EC9E63-C61E-459B-B435-7733D4CCEB54}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{BE8B9084-AC2B-4A6D-8FD7-5FE819A1E071}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"{A0055397-D7C8-4319-B2B4-60FA32F92DE7}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{2F209AB3-6A85-4AFA-A87B-FE684286FD4D}c:\\windows.old\\program files\\skype\\phone\\skype.exe"= UDP:c:\windows.old\program files\skype\phone\skype.exe:Skype
"UDP Query User{F5E6603D-1144-4902-A154-CD0AAC91534A}c:\\windows.old\\program files\\skype\\phone\\skype.exe"= TCP:c:\windows.old\program files\skype\phone\skype.exe:Skype
"{A2222123-12ED-45C8-A1BB-1819784CD4C4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{38E6AF2F-E683-4EC0-B7A3-536A7C42E3A2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{C38E5590-C082-4525-BEE6-59E6BC2ACEBB}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{7CF0B15E-2371-43B6-A033-BFE7BBC78815}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"{EB78E531-1E4F-4C4A-BB59-1D1563379DAF}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{48109D98-740A-4AA4-A23E-C7D243EFF4C8}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{2E24F270-2B98-4277-9488-04E144D8C3D9}c:\\users\\aidan docherty\\desktop\\skype.exe"= UDP:c:\users\aidan docherty\desktop\skype.exe:skype.exe
"UDP Query User{2520FB6A-9841-49ED-85DD-2E98ED562988}c:\\users\\aidan docherty\\desktop\\skype.exe"= TCP:c:\users\aidan docherty\desktop\skype.exe:skype.exe
"{E080BA21-9B04-4377-9122-B915AE879B2E}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{9AD9EB9A-6899-48C9-9E9A-B2BE43C7E747}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{E5A366EA-F21E-4156-8483-252BE8F2EA7B}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{5DF4CF90-02F8-4CCA-A50C-AB481F92AEA8}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{E57067C4-EC99-4A37-BA10-EA58DABC70E7}c:\\program files\\tvants\\tvants.exe"= UDP:c:\program files\tvants\tvants.exe:TVAnts
"UDP Query User{A7CDFC29-B2EA-4994-AF05-01FB77DAB651}c:\\program files\\tvants\\tvants.exe"= TCP:c:\program files\tvants\tvants.exe:TVAnts
"TCP Query User{1398C29D-9D71-45C1-B8D7-AC14C09894B9}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{E809D5FB-75B6-4907-9F9F-9FEF24C5EC53}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-03-20 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-01-19 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-01 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-19 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-19 298264]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [2009-01-21 5120]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [2009-01-18 112128]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [2008-02-24 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\System32\drivers\OA001Ufd.sys [2009-01-18 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\System32\drivers\OA001Vid.sys [2009-01-18 277504]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-23 33752]
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:06]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Aidan Docherty\AppData\Roaming\Mozilla\Firefox\Profiles\h9hxw5ut.default\
FF - prefs.js: browser.startup.homepage - google.ca
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 12:03:16
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-02 12:06:00
ComboFix-quarantined-files.txt 2009-04-02 19:05:57

Pre-Run: 162,513,354,752 bytes free
Post-Run: 162,523,762,688 bytes free

192 --- E O F --- 2009-04-02 17:47:25


I tried to shut down AVG 8.0 real-time scan, and followed the instructions you provided, but it still said it was active.

#15 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 03 April 2009 - 09:52 AM

Please run HJT again and post the log from it.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
