Infected with Bad Image virus


  • This topic is locked
16 replies to this topic

#1 skyhawk

skyhawk

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:56 PM

Posted 07 April 2009 - 05:07 PM

I have been infected with what I believe are 2 different viruses. The first is the 'Bad Image' virus which opens an error window whenever you try to run any program and tells you that this program is not a valid windows image. This also prevents some programs from running at all.

The second virus is the Win32/Cryptor virus. I have run the AVG (free edition) software, it finds 92 problems, but does not remove any of them. I also have Webroot Spysweeper with Anti-virus. This program was disabled by the virus, and when I try to reinstall, it only goes so far and then stops.

I would appreciate any help you can provide.

Thanks,
Skyhawk

******************* DDS Script results *******************

DDS (Ver_09-03-16.01) - NTFSx86
Run by Marty at 17:51:53.54 on Tue 04/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.855 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Documents and Settings\Marty\My Documents\YapsView.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Marty\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.live.com/default.aspx?wa=wsignin1.0
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [A00F23BD06D1.exe] "c:\docume~1\marty\locals~1\temp\_A00F23BD06D1.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [AGRSMMSG] "c:\windows\AGRSMMSG.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Ulead AutoDetector v2] "c:\program files\common files\ulead systems\autodetector\monitor.exe"
mRun: [Corel Photo Downloader] "c:\program files\corel\corel mediaone\Corel PhotoDownloader.exe" -startup
mRun: [Corel File Shell Monitor] "c:\program files\corel\corel mediaone\CorelIOMonitor.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [services] c:\windows\services.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1238944633_b3d2e19a99bf555589d17a7c71790032&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: __c00B3339 - c:\windows\system32\__c00B3339.dat
Notify: __c00D08F9 - c:\windows\system32\__c00D08F9.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marty\applic~1\mozilla\firefox\profiles\jhae8eve.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google/ig
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-12-7 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-4 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-4 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-4 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-4 298264]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-2-9 1178728]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-25 4048240]

=============== Created Last 30 ================

2009-04-07 17:41 <DIR> --d----- c:\program files\iPod
2009-04-07 17:41 <DIR> --d----- c:\program files\iTunes
2009-04-07 17:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-06 17:51 61,440 a------- c:\windows\system32\drivers\ppwlorv.sys
2009-04-05 16:04 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-05 15:58 775,168 a------- c:\windows\isRS-000.tmp
2009-04-05 15:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 15:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 15:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-05 11:17 <DIR> --d----- c:\program files\Microsoft
2009-04-05 11:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-05 11:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-04 11:00 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-04 10:54 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-04 10:54 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-04 10:54 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-04 10:54 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-04 10:54 <DIR> --d----- c:\program files\AVG
2009-04-04 10:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-03 18:11 <DIR> --d----- C:\1 NTFS
2009-04-02 08:44 <DIR> --d----- c:\program files\NVT Malware Remover Tool
2009-03-24 20:43 <DIR> --d----- c:\docume~1\marty\applic~1\Research In Motion
2009-03-24 20:36 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-03-24 20:36 <DIR> --d----- c:\program files\Roxio
2009-03-24 20:34 <DIR> --d----- c:\program files\common files\Research In Motion
2009-03-24 20:34 <DIR> --d----- c:\program files\Research In Motion
2009-03-24 20:12 256 a------- c:\documents and settings\marty\pool.bin
2009-03-24 19:58 <DIR> --d----- C:\Blackberry software
2009-03-22 11:13 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-22 11:13 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-22 11:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 11:12 <DIR> --d----- c:\program files\Bonjour
2009-03-22 11:10 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-22 11:10 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-22 00:03 256 a------- c:\windows\system32\pool.bin
2009-03-21 23:56 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-03-13 23:41 <DIR> --d----- c:\program files\Seagate
2009-03-13 23:41 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-04-05 15:56 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-05 15:56 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-04-05 15:56 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-03-05 17:10 1,553,784 a------- c:\windows\WRSetup.dll
2009-02-19 11:47 19,824 a---h--- c:\windows\system32\mlfcache.dat
2009-02-15 12:02 166,364 a------- c:\windows\hpoins30.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-04 08:51 80,007 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-03 12:36 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 17:53:39.92 ===============

#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:56 AM

Posted 07 April 2009 - 05:34 PM

Hello, skyhawk

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I see you have already run MalwareBytes' with no success. Let's try ComboFix (if you cannot run it, try renaming it to multifix.exe).

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 skyhawk

skyhawk
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:56 PM

Posted 07 April 2009 - 07:06 PM

Jat,
Thanks for the help. I have downloaded Combofix and run it. Although I get the bad image window every time something in Combofix runs, I am able to proceed through. I got as far as Combofix telling me that AVG was running and I should shut it off before proceeding. I went to the system tray and selected exit and also went to the task manager and tried to kill the AVG processes. Every time I killed one of the AVG processes, a new one was spawned. So Combofix said it could continue with AVG running, but it would be at my own risk. I thought it best to ask you how to proceed. Should I continue running Combofix?

Thanks,
Skyhawk

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:56 AM

Posted 07 April 2009 - 07:13 PM

Try to disable AVG correctly.

Go to this topic:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Scroll down to where you see AVG 8 and follow those instructions. Then run ComboFix.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 skyhawk

skyhawk
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:56 PM

Posted 08 April 2009 - 06:02 PM

Jat,
Here are the results of my ComboFix scan...

ComboFix 09-04-04.01 - Marty 2009-04-08 18:17:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.914 [GMT -4:00]
Running from: c:\documents and settings\Marty\Desktop\multifix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

2009-04-08 18:15 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
2009-04-07 17:41 . 2009-04-07 17:42 <DIR> d-------- c:\program files\iTunes
2009-04-07 17:41 . 2009-04-07 17:41 <DIR> d-------- c:\program files\iPod
2009-04-07 17:41 . 2009-04-07 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-05 16:04 . 2009-04-05 16:22 664 --a------ c:\windows\system32\d3d9caps.dat
2009-04-05 15:41 . 2009-04-06 17:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:41 . 2009-04-05 15:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 15:41 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 15:41 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-05 11:17 . 2009-04-05 11:17 <DIR> d-------- c:\windows\Sun
2009-04-05 11:17 . 2009-04-05 11:17 <DIR> d-------- c:\program files\Microsoft
2009-04-05 11:17 . 2009-04-05 11:16 410,984 --a------ c:\windows\system32\deploytk.dll
2009-04-05 11:17 . 2009-04-05 11:16 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-04-05 11:16 . 2009-04-05 11:16 <DIR> d-------- c:\program files\Java
2009-04-04 11:00 . 2009-04-08 18:09 <DIR> d--h----- C:\$AVG8.VAULT$
2009-04-04 10:54 . 2009-04-08 17:26 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-04-04 10:54 . 2009-04-04 10:54 <DIR> d-------- c:\program files\AVG
2009-04-04 10:54 . 2009-04-04 12:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-04-04 10:54 . 2009-04-04 10:54 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-04 10:54 . 2009-04-04 10:54 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-04-04 10:54 . 2009-04-04 10:54 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-03 18:11 . 2009-04-03 21:44 <DIR> d-------- C:\1 NTFS
2009-04-02 08:44 . 2009-04-02 08:44 <DIR> d-------- c:\program files\NVT Malware Remover Tool
2009-03-24 20:43 . 2009-03-24 20:43 <DIR> d-------- c:\documents and settings\Marty\Application Data\Research In Motion
2009-03-24 20:40 . 2009-03-24 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2009-03-24 20:40 . 2009-03-24 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2009-03-24 20:36 . 2009-03-24 20:37 <DIR> d-------- c:\program files\Roxio
2009-03-24 20:36 . 2009-03-24 20:36 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2009-03-24 20:36 . 2009-03-24 20:36 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2009-03-24 20:36 . 2009-03-24 20:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2009-03-24 20:34 . 2009-03-29 12:31 <DIR> d-------- c:\program files\Research In Motion
2009-03-24 20:34 . 2009-03-24 20:34 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-03-24 20:12 . 2009-03-24 20:12 256 --a------ c:\documents and settings\Marty\pool.bin
2009-03-24 19:58 . 2009-03-24 20:03 <DIR> d-------- C:\Blackberry software
2009-03-22 11:13 . 2009-03-22 11:13 <DIR> d-------- c:\documents and settings\Marty\Application Data\Apple Computer
2009-03-22 11:13 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-22 11:13 . 2009-03-19 16:32 23,400 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-22 11:12 . 2009-03-22 11:12 <DIR> d-------- c:\program files\Bonjour
2009-03-22 11:12 . 2009-03-22 11:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 11:10 . 2009-03-22 11:11 <DIR> d-------- c:\program files\QuickTime
2009-03-22 11:10 . 2009-03-22 11:10 <DIR> d-------- c:\program files\Apple Software Update
2009-03-22 11:10 . 2009-03-22 11:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-22 11:10 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-22 11:10 . 2009-03-05 23:59 36,864 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-03-22 11:09 . 2009-04-07 17:41 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-22 11:09 . 2009-03-22 11:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-22 00:03 . 2009-04-08 09:31 256 --a------ c:\windows\system32\pool.bin
2009-03-21 23:56 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-03-13 23:41 . 2009-03-22 00:03 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-13 23:41 . 2009-03-13 23:41 <DIR> d-------- c:\program files\Seagate
2009-03-08 17:02 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-03-08 17:02 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2009-03-08 17:02 . 2001-08-17 22:36 8,192 --------- c:\windows\system32\kbdkor.dll
2009-03-08 17:02 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2009-03-08 17:02 . 2008-04-14 05:39 6,144 --a------ c:\windows\system32\kbd106.dll
2009-03-08 17:02 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-03-08 17:02 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-03-08 17:02 . 2008-04-14 05:39 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2009-03-08 17:02 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2009-03-08 17:02 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2009-03-08 17:02 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2009-03-08 17:02 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 23:30 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-05 22:41 --------- d-----w c:\program files\honestech Fireman CDDVD Burner 3.0
2009-04-05 19:56 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-04-05 19:56 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-05 19:56 176,752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 11:58 --------- d-----w c:\documents and settings\Marty\Application Data\HPAppData
2009-03-14 03:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-05 21:10 1,553,784 ----a-w c:\windows\WRSetup.dll
2009-02-26 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\Corel
2009-02-26 22:34 --------- d-----w c:\documents and settings\Marty\Application Data\Corel
2009-02-26 22:33 --------- d-----w c:\program files\Common Files\Corel
2009-02-26 19:24 --------- d-----w c:\program files\Corel
2009-02-26 14:56 --------- d-----w c:\documents and settings\Marty\Application Data\InstallShield
2009-02-26 02:31 --------- d-----w c:\documents and settings\Marty\Application Data\Ulead Systems
2009-02-26 01:01 --------- d-----w c:\program files\Common Files\Ulead Systems
2009-02-26 01:01 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-02-23 00:38 --------- d-----w c:\program files\UltraEdit
2009-02-22 02:30 --------- d-----w c:\program files\WS_FTP Pro
2009-02-21 17:32 --------- d-----w c:\program files\NOS
2009-02-21 17:32 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-19 22:45 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-19 22:44 --------- d-----w c:\program files\Common Files\Adobe
2009-02-19 00:27 --------- d-----w c:\program files\Google
2009-02-16 23:23 --------- d-----w c:\program files\Common Files\LightScribe
2009-02-15 16:00 --------- d-----w c:\documents and settings\Marty\Application Data\HP
2009-02-15 01:23 --------- d-----w c:\documents and settings\Marty\Application Data\Intuit
2009-02-14 22:39 --------- d-----w c:\program files\Common Files\Macromedia
2009-02-14 22:38 --------- d-----w c:\program files\Macromedia
2009-02-14 20:48 --------- d-----w c:\documents and settings\Marty\Application Data\Ipswitch
2009-02-14 20:02 --------- d-----w c:\program files\microsoft frontpage
2009-02-14 20:02 --------- d-----w c:\documents and settings\Owner\Application Data\Microsoft Web Folders
2009-02-14 19:31 --------- d-----w c:\documents and settings\Owner\Application Data\Ipswitch
2009-02-14 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\Ipswitch
2009-02-14 02:08 --------- d-----w c:\documents and settings\Owner\Application Data\HPAppData
2009-02-14 00:25 --------- d-----w c:\documents and settings\Owner\Application Data\Webroot
2009-02-12 00:20 --------- d-----w c:\program files\TeleChart
2009-02-10 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-02-10 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-02-10 00:29 --------- d-----w c:\program files\Webroot
2009-02-10 00:29 --------- d-----w c:\documents and settings\Marty\Application Data\Webroot
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 03:32 --------- d-----w c:\documents and settings\Marty\Application Data\Yahoo!
2009-02-08 19:14 --------- d-----w c:\program files\EASEUS
2009-02-08 16:53 --------- d-----w c:\program files\HP
2009-02-08 16:08 --------- d-----w c:\program files\MSXML 4.0
2009-02-08 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\Seagate
.

((((((((((((((((((((((((((((( SnapShot@2009-04-08_ 9.33.29.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-07 23:57:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-08 10:42:01 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-07 23:57:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-08 10:42:01 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-07 23:57:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-08 10:42:01 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-02-14 13:00 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-04-01 7110656]
"nwiz"="c:\windows\system32\nwiz.exe" [2006-04-01 1495040]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-04-01 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-25 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"AGRSMMSG"="c:\windows\AGRSMMSG.exe" [2004-06-29 88363]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2007-08-02 95504]
"Corel File Shell Monitor"="c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe" [2007-12-01 38400]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-26 236016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-04 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-03-05 6308728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-07-15 1512720]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-03-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-04 10:54 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-12-07 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-04 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-04 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-04 298264]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-02-09 1178728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-08 c:\windows\Tasks\wrSpySweeper_LF02B7CF2CC744B8D849B51B8E85970D4.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-03-05 17:10]

2009-04-08 c:\windows\Tasks\wrSpySweeper_LF02B7CF2CC744B8D849B51B8E85970D4.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-03-05 17:10]

2009-04-08 c:\windows\Tasks\wrSpySweeper_LF02B7CF2CC744B8D849B51B8E85970D4.job
- A:\ []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.live.com/default.aspx?wa=wsignin1.0
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Marty\Application Data\Mozilla\Firefox\Profiles\jhae8eve.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google/ig
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 18:20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-08 18:58:29
ComboFix-quarantined-files.txt 2009-04-08 22:58:26
ComboFix2.txt 2009-04-08 13:35:21

Pre-Run: 13,250,392,064 bytes free
Post-Run: 13,238,661,120 bytes free

241 --- E O F --- 2009-03-13 07:01:10


Thanks,
Skyhawk

#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:56 AM

Posted 08 April 2009 - 06:22 PM

Hello,

The bad entries in the DDS log seem to have disappeared. The ComboFix log looks clean. Let's make sure.

Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 skyhawk

skyhawk
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:56 PM

Posted 09 April 2009 - 04:40 PM

Jat,
Here are the results of the Kaspersky scan. The files that it noted as infected are files from an old backup of the C: drive and these infected files can be deleted since it is an old backup. What's the next step?

Thanks,
Skyhawk

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, April 9, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, April 09, 2009 01:37:24
Records in database: 2024005
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Z:\

Scan statistics:
Files scanned: 488253
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 18:17:49


File name / Threat name / Threats count
C:\1 NTFS\ c drive\1 NTFS\Documents and Settings\user\Local Settings\Application Data\Identities\{A25F29BB-E9A6-471E-972D-A5C4EB84B077}\Microsoft\Outlook Express\alt.binaries.pictures.erotica.supermodels.dbx Infected: Backdoor.Win32.Litmus.203 3
C:\1 NTFS\ c drive\1 NTFS\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw 1
C:\1 NTFS\ c drive\1 NTFS\WINDOWS\system32\drivers\etc\1.hosts Infected: Trojan.Win32.Qhost.it 1
C:\1 NTFS\ c drive\1 NTFS\WINDOWS\system32\drivers\etc\Hosts.bak Infected: Trojan.Win32.Qhost.it 1

The selected area was scanned.

#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:56 AM

Posted 10 April 2009 - 12:50 AM

Hello,

Since this is a backup, I recommend you delete it. Nothing was found on your current PC. You are clean. Though I have noticed from your first log that you are using two antivirus products.

Remove one Antivirus

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG Anti-Virus Free or Webroot Antivirus.

ReScan

Please rescan with DDS and post DDS.txt
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 skyhawk

skyhawk
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:56 PM

Posted 10 April 2009 - 06:09 PM

Jat,
Thanks for all the help. I will remove the AVG software. You said to scan my system with DDS. What is DDS??? Where do I download it?

Thanks,
Skyhawk

#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:56 AM

Posted 10 April 2009 - 06:46 PM

Hello,

It is the tool you used to supply your initial log.

DDS

Download DDS and save it to your desktop from one of these locations:

Link 1
Link 2

Disable any script blocker, and then double click dds.scr to run the tool. Follow the instructions provided on how you should post these logs.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#11 skyhawk

skyhawk
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:56 PM

Posted 10 April 2009 - 07:10 PM

Jat,
Here is the DDS output. Attach.txt file is attached to this post.

Thanks,
Skyhawk


DDS (Ver_09-03-16.01) - NTFSx86
Run by Marty at 20:07:55.73 on Fri 04/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.884 [GMT -4:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Marty\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.live.com/default.aspx?wa=wsignin1.0
uInternet Settings,ProxyOverride = *.local
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [AGRSMMSG] "c:\windows\AGRSMMSG.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Ulead AutoDetector v2] "c:\program files\common files\ulead systems\autodetector\monitor.exe"
mRun: [Corel File Shell Monitor] "c:\program files\corel\corel mediaone\CorelIOMonitor.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1238944633_b3d2e19a99bf555589d17a7c71790032&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marty\applic~1\mozilla\firefox\profiles\jhae8eve.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google/ig
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-2-9 1181040]

=============== Created Last 30 ================

2009-04-10 19:18 775,168 a------- c:\windows\isRS-000.tmp
2009-04-10 19:18 <DIR> --d----- c:\program files\Ask.com
2009-04-08 18:15 73,728 a------- C:\pv.exe
2009-04-07 22:45 <DIR> a-dshr-- C:\cmdcons
2009-04-07 22:44 161,792 a------- c:\windows\SWREG.exe
2009-04-07 22:44 98,816 a------- c:\windows\sed.exe
2009-04-07 17:41 <DIR> --d----- c:\program files\iPod
2009-04-07 17:41 <DIR> --d----- c:\program files\iTunes
2009-04-07 17:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-05 16:04 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-05 15:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 15:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 15:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-05 11:17 <DIR> --d----- c:\program files\Microsoft
2009-04-05 11:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-05 11:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-04 10:54 <DIR> --d----- c:\program files\AVG
2009-04-02 08:44 <DIR> --d----- c:\program files\NVT Malware Remover Tool
2009-03-24 20:43 <DIR> --d----- c:\docume~1\marty\applic~1\Research In Motion
2009-03-24 20:36 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-03-24 20:36 <DIR> --d----- c:\program files\Roxio
2009-03-24 20:34 <DIR> --d----- c:\program files\common files\Research In Motion
2009-03-24 20:34 <DIR> --d----- c:\program files\Research In Motion
2009-03-24 20:12 256 a------- c:\documents and settings\marty\pool.bin
2009-03-24 19:58 <DIR> --d----- C:\Blackberry software
2009-03-22 11:13 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-22 11:13 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-22 11:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 11:12 <DIR> --d----- c:\program files\Bonjour
2009-03-22 11:10 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-22 11:10 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-22 00:03 256 a------- c:\windows\system32\pool.bin
2009-03-21 23:56 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-03-13 23:41 <DIR> --d----- c:\program files\Seagate
2009-03-13 23:41 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-04-06 13:32 1,563,008 a------- c:\windows\WRSetup.dll
2009-02-19 11:47 19,824 a---h--- c:\windows\system32\mlfcache.dat
2009-02-15 12:02 166,364 a------- c:\windows\hpoins30.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-04 08:51 80,007 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-03 12:36 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 20:08:12.48 ===============



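Reviewing a re-scan like the DDS log above comes down to spotting which autostart entries appeared, vanished or changed between two runs. As an added example (not part of this thread and not code from the DDS tool), the Python script below parses the `uRun:`/`mRun:`, `StartupFolder:` and `R0`/`R2` service line formats that DDS prints and diffs two snapshots; the two snapshots are constructed sample text modelled on the log lines posted in this thread.

```python
"""Diff the autostart sections of two DDS logs.

Added example, not part of the BleepingComputer thread or of DDS itself.
It understands three DDS line formats:
    uRun: [Name] "c:\\path\\prog.exe" /flag        (HKCU Run key)
    mRun: [Name] "c:\\path\\prog.exe" /flag        (HKLM Run key)
    StartupFolder: c:\\...\\short~1.lnk - c:\\path\\prog.exe
    R2 ServiceName;Display Name;c:\\path\\svc.exe [date size]
and reports which entries were added, removed or changed between two runs.
"""
import re
from typing import Dict, Tuple

RUN_RE = re.compile(r'^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
                    r'(?P<path>.+?)(?:\s+\[.*\])?$')
SF_RE = re.compile(r'^StartupFolder:\s+(?P<lnk>.+?\.lnk)\s+-\s+(?P<target>.+)$')


def normalize_cmd(cmd: str) -> str:
    """Drop quoting and case so "c:\\x.exe" /f and c:\\x.exe /f compare equal."""
    return cmd.replace('"', '').strip().lower()


def parse_autostarts(log_text: str) -> Dict[str, str]:
    """Return {entry_key: command_or_path} for every autostart entry in a DDS log.

    Keys carry the kind of entry so a Run value and a service with the same
    name never collide: 'uRun:Name', 'mRun:Name', 'svc:Name', 'startup:x.lnk'.
    """
    entries: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries[f"{m['hive']}Run:{m['name']}"] = normalize_cmd(m['cmd'])
            continue
        m = SVC_RE.match(line)
        if m:
            # the [date size] suffix is dropped so a re-stamped binary at the
            # same path does not show up as a changed entry
            entries[f"svc:{m['name'].strip()}"] = m['path'].strip().lower()
            continue
        m = SF_RE.match(line)
        if m:
            shortcut = m['lnk'].rsplit('\\', 1)[-1].lower()
            entries[f"startup:{shortcut}"] = m['target'].strip().lower()
    return entries


def diff_autostarts(old_log: str, new_log: str) -> Tuple[Dict[str, str],
                                                        Dict[str, str],
                                                        Dict[str, Tuple[str, str]]]:
    """Return (added, removed, changed) autostart entries between two DDS logs."""
    a, b = parse_autostarts(old_log), parse_autostarts(new_log)
    added = {k: b[k] for k in b.keys() - a.keys()}
    removed = {k: a[k] for k in a.keys() - b.keys()}
    changed = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    return added, removed, changed


# Constructed sample snapshots, modelled on the DDS line formats in this thread.
SNAPSHOT_BEFORE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-2-9 1181040]
"""

SNAPSHOT_AFTER = r"""
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SpySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-2 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-12 1181040]
"""

if __name__ == "__main__":
    added, removed, changed = diff_autostarts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for key, val in sorted(added.items()):
        print(f"ADDED    {key} -> {val}")
    for key, val in sorted(removed.items()):
        print(f"REMOVED  {key} -> {val}")
    for key, (old, new) in sorted(changed.items()):
        print(f"CHANGED  {key}: {old!r} -> {new!r}")
```

Quote-only and timestamp-only differences (ctfmon, SpySweeper, WRConsumerService) are filtered out, so what remains is the new driver, the removed Messenger entry and the changed launcher for NvCplDaemon.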

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:56 AM

Posted 11 April 2009 - 05:25 AM

Hello,

I cannot see anything malicious in your logs. How is your PC now? Do any issues remain?

Congratulations, you are now clean!

We should tidy up our mess though.

Uninstall ComboFix
  • Go to Start, then click Run
  • In the box, type: Combofix /u
  • Press Enter or click ok, and ComboFix will uninstall. Refer to the picture below if unsure.

Other Deletions

Locate where you saved DDS.exe, right click the file and select Delete.



Take a read of this excellent tutorial:

Simple and easy ways to keep your computer safe and secure on the Internet


Disable and Enable System Restore.

You should disable and re-enable system restore to make sure there are no infected files found in a restore point. You should now create a new restore point, since your system is clean.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide

Visit Microsoft's Windows Update Site Frequently
  • It is important that you visit http://www.windowsupdate.com regularly.
  • This will ensure your computer has always the latest security updates available installed on your computer.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
System still slow?

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Use a Firewall

Some good free firewalls are: Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

Next, I would recommend the download and installation of some (I would say two is enough) of the following programs:

Spybot© - Search and Destroy
  • This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with the program on a regular basis just as you would with anti-virus software.
SUPERAntiSpyware
  • You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
  • Each antispyware product has different detection rates for different infections, using different products therefore increases your chances of finding and killing most malware.
MalwareBytes' Anti-Malware
  • Malwarebytes' Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect.
  • Ability to perform full scans for all drives.
  • The "Quick Scan" option lets the user scan the computer quickly checking for the most damaging threats and completing in usually under 10 minutes.
Javacools© SpywareBlaster
  • SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Glad I could Help :)
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#13 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:56 AM

Posted 12 April 2009 - 05:01 AM

Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:56 AM

Posted 14 April 2009 - 03:23 AM

Reopened.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 skyhawk

skyhawk
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:56 PM

Posted 14 April 2009 - 05:32 AM

Jat,
New DDS results.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Marty at 6:29:58.03 on Tue 04/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1046 [GMT -4:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Marty\Desktop\Virus Fixes\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.live.com/default.aspx?wa=wsignin1.0
uInternet Settings,ProxyOverride = *.local
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [AGRSMMSG] "c:\windows\AGRSMMSG.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Ulead AutoDetector v2] "c:\program files\common files\ulead systems\autodetector\monitor.exe"
mRun: [Corel File Shell Monitor] "c:\program files\corel\corel mediaone\CorelIOMonitor.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SpySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1238944633_b3d2e19a99bf555589d17a7c71790032&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marty\applic~1\mozilla\firefox\profiles\jhae8eve.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google/ig
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-2 29808]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-2 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-12 1181040]

=============== Created Last 30 ================

2009-04-12 22:14 1,563,008 a------- c:\windows\WRSetup.dll
2009-04-12 22:14 <DIR> --d----- c:\docume~1\marty\applic~1\Webroot
2009-04-12 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-04-11 10:32 <DIR> --d----- c:\windows\pss
2009-04-10 19:18 <DIR> --d----- c:\program files\Ask.com
2009-04-07 22:45 <DIR> a-dshr-- C:\cmdcons
2009-04-07 22:44 161,792 a------- c:\windows\SWREG.exe
2009-04-07 22:44 98,816 a------- c:\windows\sed.exe
2009-04-07 17:41 <DIR> --d----- c:\program files\iPod
2009-04-07 17:41 <DIR> --d----- c:\program files\iTunes
2009-04-07 17:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-05 16:04 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-05 15:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 15:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 15:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-05 11:17 <DIR> --d----- c:\program files\Microsoft
2009-04-05 11:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-05 11:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-04 10:54 <DIR> --d----- c:\program files\AVG
2009-04-02 14:30 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 14:30 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 14:30 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-04-02 08:44 <DIR> --d----- c:\program files\NVT Malware Remover Tool
2009-03-24 20:43 <DIR> --d----- c:\docume~1\marty\applic~1\Research In Motion
2009-03-24 20:36 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-03-24 20:36 <DIR> --d----- c:\program files\Roxio
2009-03-24 20:34 <DIR> --d----- c:\program files\common files\Research In Motion
2009-03-24 20:34 <DIR> --d----- c:\program files\Research In Motion
2009-03-24 20:12 256 a------- c:\documents and settings\marty\pool.bin
2009-03-24 19:58 <DIR> --d----- C:\Blackberry software
2009-03-22 11:13 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-22 11:13 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-22 11:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-22 11:12 <DIR> --d----- c:\program files\Bonjour
2009-03-22 11:10 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-22 11:10 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-22 00:03 256 a------- c:\windows\system32\pool.bin
2009-03-21 23:56 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys

==================== Find3M ====================

2009-02-19 11:47 19,824 a---h--- c:\windows\system32\mlfcache.dat
2009-02-15 12:02 166,364 a------- c:\windows\hpoins30.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-04 08:51 80,007 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-03 12:36 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 6:30:29.14 ===============
