
Infected with SHuer2/lmppcsetup.exe


  • This topic is locked
44 replies to this topic

#1 Yamazaki


Posted 01 May 2009 - 10:29 PM

Hello all, I am posting with concerns after being apparently hijacked when Google searching, with constant AVG warnings that my system contained SHuer2/lmppcsetup. More often than not, normal web browsing does not display a page's graphics or text as well. I am concerned about possible security issues that may arise from this. The following is the log file from DDS:


DDS (Ver_09-03-16.01) - NTFSx86
Run by DeQuincy at 22:16:15.19 on Fri 05/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1260 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\ehome\ehtray.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DeQuincy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Bar = hxxp://www.toshiba.com/search
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [autochk] rundll32.exe c:\docume~1\dequincy\protect.dll,_IWMPEvents@16
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\dequincy\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\dequincy\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dequincy\applic~1\mozilla\firefox\profiles\c1q0hq2h.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-30 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-27 130936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-30 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-30 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-30 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-30 298776]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2005-12-22 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2005-12-22 33024]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-27 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-27 1095560]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2005-12-22 3456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-30 24652]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-30 908568]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]

=============== Created Last 30 ================

2009-05-01 20:01 22,538 a------- c:\windows\system32\lmppcsetup.exe
2009-04-29 23:24 <DIR> --d----- c:\program files\Trend Micro
2009-04-29 21:45 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-29 21:45 24,064 a--sh--- c:\documents and settings\dequincy\protect.dll
2009-04-29 19:06 <DIR> --d----- c:\docume~1\dequincy\applic~1\Malwarebytes
2009-04-29 19:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 19:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 19:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 21:05 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-27 21:05 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-27 21:05 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-27 21:05 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-27 21:05 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-27 21:05 <DIR> --d----- c:\docume~1\dequincy\applic~1\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-27 20:25 626,688 a------- c:\windows\system32\msvcr80.dll
2009-04-20 11:12 <DIR> --d----- c:\program files\GRETECH
2009-04-17 22:44 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-04-17 22:42 <DIR> --d----- c:\windows\Logs
2009-04-17 22:41 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-17 22:32 <DIR> --d----- c:\program files\AviSynth 2.5
2009-04-17 22:32 22 a------- c:\windows\pspvc_path.ini
2009-04-17 22:32 <DIR> --d----- c:\program files\pspvc
2009-04-17 22:27 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-17 22:26 14,048 -------- c:\windows\system32\spmsg2.dll
2009-04-15 20:34 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 20:34 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 20:34 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 20:33 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:33 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:33 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:33 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 20:33 35,328 -c------ c:\windows\system32\dllcache\sc.exe
2009-04-15 20:33 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:33 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:33 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:33 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:33 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-06 13:46 2,838 a------- c:\windows\machine.ver
2009-04-03 21:47 116 a------- c:\windows\NeroDigital.ini

==================== Find3M ====================

2009-04-25 09:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-25 09:01 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-25 09:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-25 09:01 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-30 17:49 96,384 a------- c:\windows\system32\drivers\sptd0173.sys
2009-03-30 17:45 87,931 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-30 16:08 643,072 a------- c:\windows\system32\drivers\sptd.sys
2009-03-30 12:17 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 03:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 03:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 22:16:49.50 ===============



#2 Baabiouz


Posted 14 May 2009 - 11:22 AM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Before we can continue, please post a fresh DDS log back here :thumbup2:

#3 Yamazaki


Posted 14 May 2009 - 09:40 PM

Here you go as requested:


DDS (Ver_09-05-14.01) - NTFSx86
Run by DeQuincy at 21:38:08.00 on Thu 05/14/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1219 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DeQuincy\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
mSearchAssistant =
mURLSearchHooks: H - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [InetChk] c:\windows\temp\ms1242172030.exe work
StartupFolder: c:\docume~1\dequincy\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dequincy\applic~1\mozilla\firefox\profiles\c1q0hq2h.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-30 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-27 130936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-30 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-30 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-30 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-30 298776]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2005-12-22 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2005-12-22 33024]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-27 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-27 1095560]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2005-12-22 3456]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-30 908568]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]

=============== Created Last 30 ================

2009-05-12 19:01 118 a------- c:\windows\system32\MRT.INI
2009-05-09 23:56 <DIR> --d----- c:\documents and settings\dequincy\dwhelper
2009-05-08 21:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Digsby
2009-05-08 21:08 <DIR> --d----- c:\docume~1\dequincy\applic~1\Digsby
2009-05-08 21:07 <DIR> --d----- c:\program files\Digsby
2009-05-08 21:05 <DIR> --d----- c:\docume~1\dequincy\applic~1\WeatherBug
2009-05-08 21:05 <DIR> --d----- c:\program files\AWS
2009-05-06 21:22 200 a------- c:\windows\QCPC80UI.dat
2009-05-06 19:28 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-05-04 00:52 <DIR> --dsh--- c:\documents and settings\dequincy\PrivacIE
2009-05-04 00:39 <DIR> --dsh--- c:\documents and settings\dequincy\IETldCache
2009-05-04 00:32 <DIR> --d----- c:\windows\ie8updates
2009-05-04 00:30 <DIR> -cd-h--- c:\windows\ie8
2009-05-04 00:28 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-29 23:24 <DIR> --d----- c:\program files\Trend Micro
2009-04-29 19:06 <DIR> --d----- c:\docume~1\dequincy\applic~1\Malwarebytes
2009-04-29 19:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 19:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 19:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 21:05 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-27 21:05 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-27 21:05 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-27 21:05 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-27 21:05 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-27 21:05 <DIR> --d----- c:\docume~1\dequincy\applic~1\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-27 20:25 626,688 a------- c:\windows\system32\msvcr80.dll
2009-04-20 11:12 <DIR> --d----- c:\program files\GRETECH
2009-04-17 22:44 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-04-17 22:42 <DIR> --d----- c:\windows\Logs
2009-04-17 22:41 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-17 22:32 <DIR> --d----- c:\program files\AviSynth 2.5
2009-04-17 22:32 22 a------- c:\windows\pspvc_path.ini
2009-04-17 22:32 <DIR> --d----- c:\program files\pspvc
2009-04-17 22:27 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-17 22:26 14,048 -------- c:\windows\system32\spmsg2.dll
2009-04-15 20:34 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 20:34 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 20:34 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 20:33 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:33 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:33 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:33 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 20:33 35,328 -c------ c:\windows\system32\dllcache\sc.exe
2009-04-15 20:33 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:33 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:33 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:33 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:33 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll

==================== Find3M ====================

2009-04-25 09:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-25 09:01 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-25 09:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-25 09:01 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-30 17:49 96,384 a------- c:\windows\system32\drivers\sptd0173.sys
2009-03-30 17:45 87,931 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-30 16:08 643,072 a------- c:\windows\system32\drivers\sptd.sys
2009-03-30 12:17 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 21:38:42.51 ===============


#4 Baabiouz


Posted 15 May 2009 - 02:16 AM

Hello :thumbup2:

Submit a File For Analysis
We need to have the files below scanned by uploading them to Jotti.

Please visit Jotti
Copy/paste the following file path into the window
C:\windows\temp\ms1242172030.exe
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
c:\windows\system32\lmn_setup.exe

If Jotti is too busy please try Virustotal
_______________

Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware
  • Click the Update tab and choose "Check for updates" to update.
  • When ready, Select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Please post a fresh DDS log, MBAM results and Jotti/VirusTotal results back here :)

Edited by Baabiouz, 15 May 2009 - 02:17 AM.


#5 Yamazaki
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:30 PM

Posted 16 May 2009 - 11:06 PM

First scan for C:\windows\temp\ms1242172030.exe yielded the following:

[ArcaVir]
2009-05-16 Found nothing
[F-Secure Anti-Virus]
2009-05-16 Found nothing
[Emsisoft A-squared]
2009-05-17 Found nothing
[Ikarus]
2009-05-16 Found nothing
[Avast! antivirus]
2009-05-16 Win32:Trojan-gen {Other}
[Kaspersky Anti-Virus]
2009-05-17 Found nothing
[Grisoft AVG Anti-Virus]
2009-05-16 Dropper.Agent.MRM
[ESET NOD32]
2009-05-15 Found nothing
[Avira AntiVir]
2009-05-15 TR/Proxy.Agent.BBQ.49
[Norman Virus Control]
2009-05-15 Found nothing
[Softwin BitDefender]
2009-05-17 Trojan.Proxy.Agent.BBQ
[Panda Antivirus]
2009-05-16 Found nothing
[ClamAV]
2009-05-16 Found nothing
[Quick Heal]
2009-05-15 Found nothing
[CPsecure]
2009-05-17 Found nothing
[Sophos]
2009-05-17 Mal/Generic-A
[Dr.Web]
2009-05-17 Found nothing
[VirusBlokAda VBA32]
2009-05-16 Win32.Trojan-Downloader
[Frisk F-Prot Antivirus]
2009-05-16 Found nothing
[VirusBuster]
2009-05-16 Found nothing


The second for c:\windows\system32\lmn_setup.exe yields this:

[ArcaVir]
2009-05-09 Found nothing
[F-Secure Anti-Virus]
2009-05-09 Trojan-Dropper.Win32.Agent.aonj
[Emsisoft A-squared]
2009-05-10 Gen.Trojan!IK
[Ikarus]
2009-05-09 Gen.Trojan
[Avast! antivirus]
2009-05-09 Win32:Rootkit-gen
[Kaspersky Anti-Virus]
2009-05-10 Trojan-Dropper.Win32.Agent.aonj
[Grisoft AVG Anti-Virus]
2009-05-09 SHeur2.AEKE
[ESET NOD32]
2009-05-08 Found nothing
[Avira AntiVir]
2009-05-08 DR/Small.cgi
[Norman Virus Control]
2009-05-08 Found nothing
[Softwin BitDefender]
2009-05-10 Gen:Trojan.Heur.1030CFE9E9
[Panda Antivirus]
2009-05-09 Found nothing
[ClamAV]
2009-05-10 Found nothing
[Quick Heal]
2009-05-08 TrojanSpy.Agent.alfd
[CPsecure]
2009-05-10 Found nothing
[Sophos]
2009-05-09 Mal/UnkPack-Fam
[Dr.Web]
2009-05-09 Trojan.Alupko.31
[VirusBlokAda VBA32]
2009-05-09 Malware-Cryptor.Win32.General.3
[Frisk F-Prot Antivirus]
2009-05-09 Found nothing
[VirusBuster]
2009-05-09 Found nothing


Using Malwarebytes gives this:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

5/16/2009 11:03:12 PM
mbam-log-2009-05-16 (23-03-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136622
Time elapsed: 22 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Finally here is the new DDS entry:


DDS (Ver_09-05-14.01) - NTFSx86
Run by DeQuincy at 23:05:57.20 on Sat 05/16/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1293 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DeQuincy\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
mSearchAssistant =
mURLSearchHooks: H - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [InetChk] c:\windows\temp\ms1242172030.exe work
StartupFolder: c:\docume~1\dequincy\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dequincy\applic~1\mozilla\firefox\profiles\c1q0hq2h.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-30 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-27 130936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-30 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-30 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-30 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-30 298776]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2005-12-22 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2005-12-22 33024]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-27 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-27 1095560]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2005-12-22 3456]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-30 908568]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]

=============== Created Last 30 ================

2009-05-12 19:01 118 a------- c:\windows\system32\MRT.INI
2009-05-09 23:56 <DIR> --d----- c:\documents and settings\dequincy\dwhelper
2009-05-08 21:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Digsby
2009-05-08 21:08 <DIR> --d----- c:\docume~1\dequincy\applic~1\Digsby
2009-05-08 21:07 <DIR> --d----- c:\program files\Digsby
2009-05-08 21:05 <DIR> --d----- c:\docume~1\dequincy\applic~1\WeatherBug
2009-05-08 21:05 <DIR> --d----- c:\program files\AWS
2009-05-06 21:22 200 a------- c:\windows\QCPC80UI.dat
2009-05-06 19:28 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-05-04 00:52 <DIR> --dsh--- c:\documents and settings\dequincy\PrivacIE
2009-05-04 00:39 <DIR> --dsh--- c:\documents and settings\dequincy\IETldCache
2009-05-04 00:32 <DIR> --d----- c:\windows\ie8updates
2009-05-04 00:30 <DIR> -cd-h--- c:\windows\ie8
2009-05-04 00:28 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-29 23:24 <DIR> --d----- c:\program files\Trend Micro
2009-04-29 19:06 <DIR> --d----- c:\docume~1\dequincy\applic~1\Malwarebytes
2009-04-29 19:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 19:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 19:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 21:05 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-27 21:05 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-27 21:05 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-27 21:05 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-27 21:05 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-27 21:05 <DIR> --d----- c:\docume~1\dequincy\applic~1\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-27 20:25 626,688 a------- c:\windows\system32\msvcr80.dll
2009-04-20 11:12 <DIR> --d----- c:\program files\GRETECH
2009-04-17 22:44 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-04-17 22:42 <DIR> --d----- c:\windows\Logs
2009-04-17 22:41 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-17 22:32 <DIR> --d----- c:\program files\AviSynth 2.5
2009-04-17 22:32 22 a------- c:\windows\pspvc_path.ini
2009-04-17 22:32 <DIR> --d----- c:\program files\pspvc
2009-04-17 22:27 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-17 22:26 14,048 -------- c:\windows\system32\spmsg2.dll

==================== Find3M ====================

2009-04-25 09:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-25 09:01 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-25 09:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-25 09:01 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-30 17:49 96,384 a------- c:\windows\system32\drivers\sptd0173.sys
2009-03-30 17:45 87,931 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-30 16:08 643,072 a------- c:\windows\system32\drivers\sptd.sys
2009-03-30 12:17 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 23:06:29.14 ===============
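The triage an analyst does by hand on the log above (which Run entries point at files in a temp directory, and whether the multi-engine results back them up) can be scripted. What follows is an added example written for this thread; it is not code from DDS, Jotti, Malwarebytes or the poster. The DDS lines it parses are copied from the Pseudo HJT Report above, the lines in CONSTRUCTED_EXTRA are made up to exercise the policy and unnamed-BHO checks, and the Jotti excerpt reproduces seven of the twenty engine verdicts posted above for ms1242172030.exe. The helper names, the scoring weights and the "long digit run" heuristic are this example's own choices, not part of any tool.

```python
"""Triage the autorun lines of a DDS "Pseudo HJT Report" and corroborate flagged
files with Jotti-style multi-engine output. Added example for this thread, not
code from DDS, Jotti, Malwarebytes or the poster."""
import re
from collections import Counter
from typing import Dict, List, Tuple
# In DDS output uRun = HKCU, mRun = HKLM, dRun = HKU\.DEFAULT.
RUN_RE = re.compile(r'^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$', re.I)
POLICY_RE = re.compile(r'^[umd]Policies-(?:explorer|system): (?P<policy>NoFolderOptions'
                       r'|DisableRegistryTools|DisableTaskMgr) = 1', re.I)
# DDS prints the DLL path in place of the name when a BHO/STS has no friendly name.
BHO_RE = re.compile(r'^(?:BHO|STS): (?P<name>.+?): \{[0-9a-f-]+\} - (?P<path>.+)$', re.I)
JOTTI_RE = re.compile(r'\[(?P<engine>[^\]]+)\]\s*\n\d{4}-\d{2}-\d{2}\s+(?P<verdict>[^\n]+)')
TEMP_DIRS = ('\\temp\\', '\\locals~1\\temp\\', '\\local settings\\temp\\')
FAMILY_TAGS = ('proxy', 'dropper', 'downloader', 'rootkit', 'backdoor')  # verdict keywords
# Lines copied from the DDS log posted above.
DDS_SAMPLE = r'''
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [InetChk] c:\windows\temp\ms1242172030.exe work
'''
# Constructed lines (not from the thread) to exercise the policy and BHO checks.
CONSTRUCTED_EXTRA = r'''
uRun: [Helper Service] c:\docume~1\user\locals~1\temp\1234567890.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
BHO: c:\windows\system32\example.dll: {00000000-0000-0000-0000-000000000000} - c:\windows\system32\example.dll
'''
# Excerpt (7 of the 20 engines) of the Jotti result posted above for the InetChk file.
JOTTI_EXCERPT = '''
[Avast! antivirus]
2009-05-16 Win32:Trojan-gen {Other}
[Kaspersky Anti-Virus]
2009-05-17 Found nothing
[Grisoft AVG Anti-Virus]
2009-05-16 Dropper.Agent.MRM
[Avira AntiVir]
2009-05-15 TR/Proxy.Agent.BBQ.49
[Softwin BitDefender]
2009-05-17 Trojan.Proxy.Agent.BBQ
[ClamAV]
2009-05-16 Found nothing
[VirusBlokAda VBA32]
2009-05-16 Win32.Trojan-Downloader
'''

def extract_path(cmd: str) -> str:
    """Executable of a Run value: the quoted token, else the first space-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    return cmd.split(' ', 1)[0].lower()

def parse_jotti(text: str) -> Dict[str, str]:
    """'[Engine]' / 'YYYY-MM-DD verdict' pairs -> {engine: verdict}."""
    return {m['engine']: m['verdict'].strip() for m in JOTTI_RE.finditer(text)}

def detection_summary(results: Dict[str, str]) -> Tuple[int, int, Counter]:
    """(engines flagging the file, engines total, family keywords seen in verdicts)."""
    hits = [v for v in results.values() if v.lower() != 'found nothing']
    return len(hits), len(results), Counter(t for v in hits for t in FAMILY_TAGS if t in v.lower())

def triage(dds_text: str, scans: Dict[str, str] = None) -> List[dict]:
    """One finding per suspicious autorun/policy/BHO line, highest score first.
    scans maps a file path to its Jotti output; any engine hit adds 2 to the score."""
    scans = {k.lower(): v for k, v in (scans or {}).items()}
    findings = []
    for line in dds_text.splitlines():
        reasons, path = [], ''
        if m := RUN_RE.match(line):
            path = extract_path(m['cmd'])
            if not path:                      # orphan value such as "uRun: [Aim6]"
                continue
            if any(d in path for d in TEMP_DIRS):
                reasons.append('startup item runs from a temp directory')
            if re.search(r'\d{8,}', path.rsplit('\\', 1)[-1]):
                reasons.append('long digit run in file name (generated-name heuristic)')
            if m['hive'] == 'd' and reasons:
                reasons.append('also planted under HKU\\.DEFAULT (dRun)')
        elif m := POLICY_RE.match(line):
            reasons.append(f'{m["policy"]} = 1: user-facing tool disabled by policy')
        elif (m := BHO_RE.match(line)) and m['name'].strip().lower() == m['path'].strip().lower():
            path = m['path'].strip().lower()
            reasons.append('browser helper with no friendly name, only a path')
        if not reasons:
            continue
        finding = {'line': line, 'path': path, 'reasons': reasons, 'score': len(reasons)}
        if path in scans:
            hits, total, tags = detection_summary(parse_jotti(scans[path]))
            finding.update(detections=(hits, total), families=dict(tags))
            finding['score'] += 2 if hits else 0
        findings.append(finding)
    return sorted(findings, key=lambda f: -f['score'])

if __name__ == '__main__':
    for f in triage(DDS_SAMPLE + CONSTRUCTED_EXTRA, {r'c:\windows\temp\ms1242172030.exe': JOTTI_EXCERPT}):
        print(f['score'], f.get('detections'), f['reasons'], f['line'][:48])
```

Run as-is, the InetChk entry comes out on top: it runs from c:\windows\temp, has a generated-looking name, sits in the HKU\.DEFAULT hive, and 5 of the 7 excerpted engines flag it, two of them as a proxy trojan. That is why the clean Malwarebytes result above is not, on its own, a reason to stop looking. Any Run value pointing into a temp directory, and any policy line that disables Registry Tools or Folder Options, deserves the same upload-and-compare treatment before the file is deleted.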

#6 Baabiouz

    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:11:30 PM

Posted 17 May 2009 - 04:37 AM

Hello

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\windows\temp\ms1242172030.exe
c:\windows\system32\lmn_setup.exe

Then empty your trash bin.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 13...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.


How's your computer working now?

#7 Yamazaki
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:30 PM

Posted 17 May 2009 - 12:55 PM

I have followed all instructions to a T and can surf the web of my own free will without being redirected, but this forum and a site like Kotaku, for example, are displayed incorrectly, with most of the frames removed and only bare text. The forum display issue only started yesterday. Speed seems normal and boot remains fast with no slowdown. It seems my Spyware Doctor still found a number of infections, showing Trojan.adclicker, Trojan.downloader.Agent.OGP, and Backdoor.Agent.CFC. Please advise on what steps should be taken next.
I've included another DDS entry for review:


DDS (Ver_09-05-14.01) - NTFSx86
Run by DeQuincy at 12:52:12.76 on Sun 05/17/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1357 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
c:\windows\ld08.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\SYS32DLL.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\DOCUME~1\DeQuincy\LOCALS~1\Temp\1196535994.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DeQuincy\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
mSearchAssistant =
mURLSearchHooks: H - No File
BHO: c:\windows\system32\afnoinkdsfe.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\afnoinkdsfe.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Diagnostic Manager] c:\docume~1\dequincy\locals~1\temp\1196535994.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [InetChk] c:\windows\temp\ms1242172030.exe work
dRun: [<NO NAME>] c:\windows\temp\cg2dcl.exe
dRun: [Diagnostic Manager] c:\windows\temp\1245910994.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\cg2dcl.exe
dRun: [SYS32DLL] SYS32DLL
StartupFolder: c:\docume~1\dequincy\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
STS: c:\windows\system32\afnoinkdsfe.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\afnoinkdsfe.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dequincy\applic~1\mozilla\firefox\profiles\c1q0hq2h.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-30 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-27 130936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-30 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-30 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-30 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-30 298776]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2005-12-22 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2005-12-22 33024]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-27 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-27 1095560]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2005-12-22 3456]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-30 908568]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]

=============== Created Last 30 ================

2009-05-17 12:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-17 12:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-17 12:20 15,360 a------- c:\windows\system32\OLD4.tmp
2009-05-17 12:20 13,824 a------- c:\windows\system32\SYS32DLL.exe
2009-05-17 12:20 <DIR> --d----- c:\windows\system32\796525
2009-05-17 12:20 15,360 ----h--- c:\windows\ld08.exe
2009-05-17 12:20 23,040 ac------ c:\windows\system32\dllcache\setup.exe
2009-05-17 12:20 23,040 a------- c:\windows\system32\setup.exe
2009-05-17 12:16 46 a------- c:\windows\system32\p2hhr.bat
2009-05-17 12:16 15,000 a------- c:\windows\system32\afnoinkdsfe.dll
2009-05-17 12:16 23,040 a------- c:\windows\system32\ak1.exe
2009-05-12 19:01 118 a------- c:\windows\system32\MRT.INI
2009-05-09 23:56 <DIR> --d----- c:\documents and settings\dequincy\dwhelper
2009-05-08 21:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Digsby
2009-05-08 21:08 <DIR> --d----- c:\docume~1\dequincy\applic~1\Digsby
2009-05-08 21:07 <DIR> --d----- c:\program files\Digsby
2009-05-08 21:05 <DIR> --d----- c:\docume~1\dequincy\applic~1\WeatherBug
2009-05-08 21:05 <DIR> --d----- c:\program files\AWS
2009-05-06 21:22 200 a------- c:\windows\QCPC80UI.dat
2009-05-04 00:52 <DIR> --dsh--- c:\documents and settings\dequincy\PrivacIE
2009-05-04 00:39 <DIR> --dsh--- c:\documents and settings\dequincy\IETldCache
2009-05-04 00:32 <DIR> --d----- c:\windows\ie8updates
2009-05-04 00:30 <DIR> -cd-h--- c:\windows\ie8
2009-05-04 00:28 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-29 23:24 <DIR> --d----- c:\program files\Trend Micro
2009-04-29 19:06 <DIR> --d----- c:\docume~1\dequincy\applic~1\Malwarebytes
2009-04-29 19:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 19:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 19:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 21:05 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-27 21:05 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-27 21:05 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-27 21:05 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-27 21:05 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-27 21:05 <DIR> --d----- c:\docume~1\dequincy\applic~1\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-27 20:25 626,688 a------- c:\windows\system32\msvcr80.dll
2009-04-20 11:12 <DIR> --d----- c:\program files\GRETECH
2009-04-17 22:44 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-04-17 22:42 <DIR> --d----- c:\windows\Logs
2009-04-17 22:41 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-17 22:32 <DIR> --d----- c:\program files\AviSynth 2.5
2009-04-17 22:32 22 a------- c:\windows\pspvc_path.ini
2009-04-17 22:32 <DIR> --d----- c:\program files\pspvc
2009-04-17 22:27 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-17 22:26 14,048 -------- c:\windows\system32\spmsg2.dll

==================== Find3M ====================

2009-04-25 09:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-25 09:01 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-25 09:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-25 09:01 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-30 17:49 96,384 a------- c:\windows\system32\drivers\sptd0173.sys
2009-03-30 17:45 87,931 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-30 16:08 643,072 a------- c:\windows\system32\drivers\sptd.sys
2009-03-30 12:17 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 12:52:57.68 ===============
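The "Created Last 30" section of the DDS log above is where a helper looks first: several executables created under c:\windows within minutes of each other (12:16 and 12:20 on 2009-05-17), one of them with the hidden attribute. As an added example that is not part of this thread, of DDS or of ComboFix, the following Python script parses lines in that format and flags such bursts. The sample lines are copied from the log above; the five-minute window, the extension list and the function names are my own assumptions.

```python
"""Triage helper for the DDS 'Created Last 30' log section (added example).

Flags bursts of newly created executables under the Windows directory and
any that carry the hidden attribute, which is the pattern visible in the
log this thread is about.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
2009-05-17 12:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-17 12:20 15,360 a------- c:\windows\system32\OLD4.tmp
2009-05-17 12:20 13,824 a------- c:\windows\system32\SYS32DLL.exe
2009-05-17 12:20 <DIR> --d----- c:\windows\system32\796525
2009-05-17 12:20 15,360 ----h--- c:\windows\ld08.exe
2009-05-17 12:16 46 a------- c:\windows\system32\p2hhr.bat
2009-05-17 12:16 15,000 a------- c:\windows\system32\afnoinkdsfe.dll
2009-05-17 12:16 23,040 a------- c:\windows\system32\ak1.exe
2009-04-29 19:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# One DDS entry: "YYYY-MM-DD HH:MM  <size or <DIR>>  <8 attribute flags>  <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+?)\s*$"
)
# Assumed list of extensions worth treating as executable content.
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr", ".com", ".pif")
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Entry:
    when: datetime
    size: Optional[int]   # None for directories
    attrs: str            # DDS attribute flags, e.g. "a-------" or "----h---"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def executable_in_windows(self) -> bool:
        p = self.path.lower()
        return (not self.is_dir
                and p.startswith(WINDOWS_DIR)
                and p.endswith(EXEC_EXT))

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_dds_created(text: str) -> List[Entry]:
    """Parse 'Created Last 30' lines; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
        entries.append(Entry(when, size, m.group(3), m.group(4)))
    return entries


def find_bursts(entries: List[Entry], window: timedelta = timedelta(minutes=5),
                min_count: int = 2) -> List[List[Entry]]:
    """Group executables under the Windows directory created within `window`
    of the first member of the group; return groups with >= min_count members,
    earliest first. The window size is an assumed triage threshold."""
    candidates = sorted((e for e in entries if e.executable_in_windows),
                        key=lambda e: e.when)
    bursts: List[List[Entry]] = []
    current: List[Entry] = []
    for e in candidates:
        if current and e.when - current[0].when > window:
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_count:
        bursts.append(current)
    return bursts


def hidden_executables(entries: List[Entry]) -> List[Entry]:
    """Executables under the Windows directory that carry the hidden flag."""
    return [e for e in entries if e.executable_in_windows and e.hidden]


if __name__ == "__main__":
    parsed = parse_dds_created(SAMPLE_LOG)
    for burst in find_bursts(parsed):
        print("burst starting %s: %s" % (burst[0].when, [e.name for e in burst]))
    print("hidden:", [e.name for e in hidden_executables(parsed)])
```

On the sample, the Java file deploytk.dll (12:30) stays unflagged because nothing else was created near it, while the five files from 12:16 and 12:20 form one burst and ld08.exe is additionally reported as hidden. The legitimate driver mbam.sys from April is also left alone, which is the point of keying on clustering rather than on location only.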

#8 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 17 May 2009 - 12:57 PM

Hello

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

#9 Yamazaki

Yamazaki
  • Topic Starter

  • Members
  • 25 posts

Posted 17 May 2009 - 07:52 PM

One thing of note is that I could not deactivate AVG properly, as my license recently expired and it was non-operable. Here is the ComboFix log:

ComboFix 09-05-17.01 - DeQuincy 05/17/2009 15:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1636 [GMT -5:00]
Running from: c:\documents and settings\DeQuincy\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsthxiyobvmyq.sys
c:\windows\system32\ovfsthxetewnsbo.dll
c:\windows\system32\ovfsthxodvqdqpp.dat
c:\windows\system32\ovfsthxrgkbirql.dat
c:\windows\system32\ovfsthxvpktkklt.dll
c:\windows\system32\ovfsthxykmsqjxt.dll
c:\windows\system32\SYS32DLL.exe
c:\windows\system32\WMV8DMOD.DLL
c:\windows\system32\WMV9DMOD.DLL
c:\windows\Temp\1166067244.exe
c:\windows\Temp\1167942244.exe
c:\windows\Temp\1245910994.exe
c:\windows\Temp\3726199586.exe
c:\windows\Temp\3729793336.exe
c:\windows\Temp\3804637086.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxvkbuyxgg


((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 17:30 . 2009-05-17 17:30 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-17 17:30 . 2009-05-17 17:30 -------- d-----w c:\program files\Java
2009-05-17 17:20 . 2008-04-14 00:12 23040 -c--a-w c:\windows\system32\dllcache\setup.exe
2009-05-17 17:17 . 2009-05-17 17:17 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-05-10 04:56 . 2009-05-10 04:56 -------- d-----w c:\documents and settings\DeQuincy\dwhelper
2009-05-09 02:27 . 2009-05-09 02:27 -------- d-----w c:\documents and settings\All Users\Application Data\Digsby
2009-05-09 02:08 . 2009-05-09 02:27 -------- d-----w c:\documents and settings\DeQuincy\Local Settings\Application Data\Digsby
2009-05-09 02:08 . 2009-05-09 02:27 -------- d-----w c:\documents and settings\DeQuincy\Application Data\Digsby
2009-05-09 02:07 . 2009-05-09 02:16 -------- d-----w c:\program files\Digsby
2009-05-09 02:05 . 2009-05-14 00:00 -------- d-----w c:\documents and settings\DeQuincy\Local Settings\Application Data\WeatherBug
2009-05-09 02:05 . 2009-05-09 02:05 -------- d-----w c:\documents and settings\DeQuincy\Application Data\WeatherBug
2009-05-09 02:05 . 2009-05-09 02:05 -------- d-----w c:\program files\AWS
2009-05-07 02:22 . 2009-05-07 02:22 200 ----a-w c:\windows\QCPC80UI.dat
2009-05-04 05:52 . 2009-05-04 05:52 -------- d-sh--w c:\documents and settings\DeQuincy\PrivacIE
2009-05-04 05:39 . 2009-05-04 05:39 -------- d-sh--w c:\documents and settings\DeQuincy\IETldCache
2009-05-04 05:37 . 2009-05-04 05:37 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-04 05:32 . 2009-05-04 05:32 -------- d-----w c:\windows\ie8updates
2009-05-04 05:30 . 2009-05-04 05:31 -------- dc-h--w c:\windows\ie8
2009-05-04 05:28 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-04 04:10 . 2009-05-04 04:10 -------- d-----w c:\documents and settings\DeQuincy\Local Settings\Application Data\Help
2009-05-04 01:01 . 2009-05-04 01:01 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-04-30 04:24 . 2009-04-30 04:24 -------- d-----w c:\program files\Trend Micro
2009-04-30 00:06 . 2009-04-30 00:06 -------- d-----w c:\documents and settings\DeQuincy\Application Data\Malwarebytes
2009-04-30 00:06 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-30 00:06 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 00:06 . 2009-04-30 00:06 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-30 00:06 . 2009-04-30 00:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 02:05 . 2008-12-11 13:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-28 02:05 . 2009-04-03 16:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-28 02:05 . 2008-12-18 17:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-28 02:05 . 2009-05-17 20:25 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-28 02:05 . 2009-04-28 02:07 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-28 02:05 . 2008-12-10 16:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-28 02:05 . 2009-04-28 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-28 02:05 . 2009-04-28 02:05 -------- d-----w c:\documents and settings\DeQuincy\Application Data\PC Tools
2009-04-28 02:05 . 2009-04-28 14:40 -------- d-----w c:\program files\Spyware Doctor
2009-04-28 01:25 . 2005-09-23 12:29 626688 ----a-w c:\windows\system32\msvcr80.dll
2009-04-20 16:13 . 2009-04-20 16:13 -------- d-----w c:\documents and settings\DeQuincy\Application Data\GRETECH
2009-04-20 16:12 . 2009-04-20 16:12 -------- d-----w c:\program files\GRETECH
2009-04-18 03:44 . 2005-05-26 20:34 2297552 ----a-w c:\windows\system32\d3dx9_26.dll
2009-04-18 03:42 . 2009-04-18 03:42 -------- d-----w c:\windows\Logs
2009-04-18 03:41 . 2009-05-04 05:32 -------- d--h--w c:\windows\msdownld.tmp
2009-04-18 03:32 . 2009-04-18 03:33 -------- d-----w c:\program files\AviSynth 2.5
2009-04-18 03:32 . 2009-04-18 03:33 -------- d-----w c:\program files\pspvc
2009-04-18 03:31 . 2009-04-18 03:31 -------- d-----w c:\program files\MSBuild
2009-04-18 03:30 . 2009-04-18 03:30 100048 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-18 03:27 . 2009-04-18 03:27 -------- d-----w c:\windows\system32\XPSViewer
2009-04-18 03:26 . 2009-04-18 03:26 -------- d-----w c:\program files\Reference Assemblies
2009-04-18 03:26 . 2006-06-29 18:07 14048 ------w c:\windows\system32\spmsg2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 23:58 . 2009-03-30 22:09 -------- d-----w c:\program files\Yahoo!
2009-04-25 14:01 . 2009-03-30 21:14 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-25 14:01 . 2009-03-30 21:14 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-25 14:01 . 2009-03-30 21:13 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-25 14:01 . 2009-03-30 21:14 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-04-20 01:45 . 2009-03-30 17:18 34160 ----a-w c:\documents and settings\DeQuincy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 03:33 . 2006-03-03 00:08 34160 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-02 01:02 . 2006-03-02 22:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 01:01 . 2009-04-02 01:01 -------- d-----w c:\program files\Seagate
2009-03-31 01:49 . 2009-03-31 01:49 -------- d-----w c:\program files\uTorrent
2009-03-31 01:12 . 2009-03-31 01:12 1172 ----a-w c:\windows\mozver.dat
2009-03-31 00:25 . 2009-03-31 00:25 -------- d-----w c:\program files\WinAVIVideoConverter
2009-03-30 22:49 . 2009-03-30 21:08 96384 ----a-w c:\windows\system32\drivers\sptd0173.sys
2009-03-30 22:09 . 2009-03-30 22:09 -------- d-----w c:\program files\MSXML 4.0
2009-03-30 21:40 . 2009-03-30 21:38 -------- d-----w c:\program files\AIM6
2009-03-30 21:39 . 2009-03-30 21:39 -------- d-----w c:\program files\Common Files\AOL
2009-03-30 21:27 . 2009-03-30 21:25 -------- d-----w c:\program files\Common Files\Ahead
2009-03-30 21:25 . 2009-03-30 21:25 -------- d-----w c:\program files\Nero
2009-03-30 21:13 . 2009-03-30 21:13 -------- d-----w c:\program files\AVG
2009-03-30 21:08 . 2009-03-30 21:08 643072 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-30 19:50 . 2009-03-30 19:50 -------- d-----w c:\program files\Combined Community Codec Pack
2009-03-30 19:24 . 2006-03-03 00:02 -------- d-----w c:\program files\Pure Networks
2009-03-30 17:57 . 2009-03-30 17:18 131 ----a-w c:\documents and settings\DeQuincy\Local Settings\Application Data\fusioncache.dat
2009-03-30 17:45 . 2006-03-02 22:17 -------- d-----w c:\program files\Toshiba
2009-03-30 17:18 . 2009-03-30 17:18 -------- d-----w c:\program files\Protector Suite QL
2009-03-30 17:18 . 2009-03-30 17:18 -------- d-----w c:\program files\Common Files\Protector Suite QL
2009-03-30 17:18 . 2009-03-30 17:18 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-30 17:17 . 2009-03-30 17:17 -------- d-----w c:\program files\AVerMedia
2009-03-30 17:17 . 2009-03-30 17:17 21275 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-30 17:17 . 2006-03-02 22:07 -------- d-----w c:\program files\Intel
2009-03-16 19:18 . 2009-04-18 03:45 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 19:18 . 2009-04-18 03:45 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 19:18 . 2009-04-18 03:45 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 19:18 . 2009-04-18 03:45 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 20:27 . 2009-04-18 03:45 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 20:27 . 2009-04-18 03:45 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 20:27 . 2009-04-18 03:45 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-08 09:34 . 2006-03-02 18:39 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2006-03-02 18:38 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2006-03-02 18:37 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2006-03-02 18:39 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2006-03-02 18:37 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2006-03-02 18:38 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2006-03-02 18:38 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2006-03-02 18:38 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2006-03-02 18:38 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2006-03-02 18:38 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-03-02 18:39 284160 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall_Survey"="wscript" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 761945]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-02-20 1589248]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2005-12-22 30208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-25 1947928]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-03 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-17 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2005-12-29 61952]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\documents and settings\DeQuincy\Start Menu\Programs\Startup\
digsby.lnk - c:\program files\Digsby\digsby.exe [2009-4-2 137728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-3-2 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-25 14:01 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-22 05:42 40448 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/30/2009 4:14 PM 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/27/2009 9:05 PM 130936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/30/2009 4:14 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/30/2009 4:13 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/30/2009 4:13 PM 298776]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [12/22/2005 12:55 AM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [12/22/2005 12:55 AM 33024]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [12/22/2005 12:25 AM 3456]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/30/2009 4:13 PM 908568]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/27/2009 9:05 PM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
- - - - ORPHANS REMOVED - - - -

BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
HKCU-Run-Aim6 - (no file)
HKU-Default-Run-InetChk - c:\windows\TEMP\ms1242172030.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\1245910994.exe
HKU-Default-Run-uidenhiufgsduiazghs - c:\windows\TEMP\cg2dcl.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\DeQuincy\Application Data\Mozilla\Firefox\Profiles\c1q0hq2h.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 15:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll

- - - - - - - > 'lsass.exe'(996)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
.
Completion time: 2009-05-17 15:43
ComboFix-quarantined-files.txt 2009-05-17 20:43

Pre-Run: 40,422,748,160 bytes free
Post-Run: 41,084,219,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

254 --- E O F --- 2009-05-13 00:01

Edited by Yamazaki, 17 May 2009 - 07:53 PM.


#10 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 17 May 2009 - 10:44 PM

Hello

Looks good.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky results and a fresh DDS log back here :thumbup2:

#11 Yamazaki

Yamazaki
  • Topic Starter

  • Members
  • 25 posts

Posted 18 May 2009 - 01:54 PM

I am having issues using the Kaspersky scanner as it keeps getting stuck. I will report back soon.

#12 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 18 May 2009 - 02:03 PM

OK. Do not use the computer while Kaspersky is scanning... If it gets stuck again, check what file it is scanning and tell me :thumbup2:

#13 Yamazaki

Yamazaki
  • Topic Starter

  • Members
  • 25 posts

Posted 18 May 2009 - 05:40 PM

KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 18, 2009 21:28:01
Records in database: 2191809
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 46223
Threat name 3
Infected objects 7
Suspicious objects 0
Duration of the scan 00:45:05

File name Threat name Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxykmsqjxt.dll.vir Infected: Trojan.Win32.Tdss.acsz 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1166067244.exe.vir Infected: Trojan-Downloader.Win32.Suurch.qq 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1167942244.exe.vir Infected: Trojan-Downloader.Win32.Suurch.qq 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1245910994.exe.vir Infected: Trojan-Downloader.Win32.Suurch.qq 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\3726199586.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\3729793336.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\3804637086.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
The selected area was scanned.


Here is the DDS as well. Sorry, I forgot it the first time 'round.


DDS (Ver_09-05-14.01) - NTFSx86
Run by DeQuincy at 18:34:23.40 on Mon 05/18/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1386 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DeQuincy\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mURLSearchHooks: H - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\dequincy\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dequincy\applic~1\mozilla\firefox\profiles\c1q0hq2h.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-30 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-27 130936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-30 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-30 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-30 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-30 298776]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2005-12-22 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2005-12-22 33024]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2005-12-22 3456]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-30 908568]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-27 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-27 1095560]

=============== Created Last 30 ================

2009-05-17 21:15 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-05-17 21:15 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-05-17 21:12 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-05-17 21:12 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-05-17 15:29 <DIR> a-dshr-- C:\cmdcons
2009-05-17 15:28 161,792 a------- c:\windows\SWREG.exe
2009-05-17 15:28 98,816 a------- c:\windows\sed.exe
2009-05-17 15:28 <DIR> --d----- C:\ComboFix
2009-05-17 13:16 151 a------- c:\windows\PhotoSnapViewer.INI
2009-05-17 12:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-17 12:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-17 12:20 23,040 ac------ c:\windows\system32\dllcache\setup.exe
2009-05-12 19:01 118 a------- c:\windows\system32\MRT.INI
2009-05-09 23:56 <DIR> --d----- c:\documents and settings\dequincy\dwhelper
2009-05-08 21:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Digsby
2009-05-08 21:08 <DIR> --d----- c:\docume~1\dequincy\applic~1\Digsby
2009-05-08 21:07 <DIR> --d----- c:\program files\Digsby
2009-05-08 21:05 <DIR> --d----- c:\docume~1\dequincy\applic~1\WeatherBug
2009-05-08 21:05 <DIR> --d----- c:\program files\AWS
2009-05-06 21:22 200 a------- c:\windows\QCPC80UI.dat
2009-05-04 00:52 <DIR> --dsh--- c:\documents and settings\dequincy\PrivacIE
2009-05-04 00:39 <DIR> --dsh--- c:\documents and settings\dequincy\IETldCache
2009-05-04 00:32 <DIR> --d----- c:\windows\ie8updates
2009-05-04 00:30 <DIR> -cd-h--- c:\windows\ie8
2009-05-04 00:28 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-29 23:24 <DIR> --d----- c:\program files\Trend Micro
2009-04-29 19:06 <DIR> --d----- c:\docume~1\dequincy\applic~1\Malwarebytes
2009-04-29 19:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 19:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 19:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 21:05 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-27 21:05 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-27 21:05 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-27 21:05 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-27 21:05 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-27 21:05 <DIR> --d----- c:\docume~1\dequincy\applic~1\PC Tools
2009-04-27 21:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-27 20:25 626,688 a------- c:\windows\system32\msvcr80.dll
2009-04-20 11:12 <DIR> --d----- c:\program files\GRETECH

==================== Find3M ====================

2009-04-25 09:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-25 09:01 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-25 09:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-25 09:01 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-30 17:49 96,384 a------- c:\windows\system32\drivers\sptd0173.sys
2009-03-30 17:45 87,931 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-30 16:08 643,072 a------- c:\windows\system32\drivers\sptd.sys
2009-03-30 12:17 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 18:34:51.45 ===============

Edited by Yamazaki, 18 May 2009 - 06:35 PM.


#14 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:30 PM

Posted 19 May 2009 - 08:07 AM

Hello

Those are Combofix backups. We will remove them later :thumbup2:

Backup Your Registry with ERUNT
  • Please click HERE to download Erunt.zip
  • Unzip all the files into a folder of your choice.
  • Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Please run Notepad and paste the following text into a new file:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=-
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=-
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Reboot and please post a fresh DSS.log back here :)

#15 Yamazaki

Yamazaki
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 19 May 2009 - 07:35 PM

Clicking on the fix.reg file gives this message:

Registry Editor
---------------------------
Cannot import C:\Documents and Settings\DeQuincy\Desktop\fix.reg: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.
---------------------------

Please advise and thanks for your time.

Edited by Yamazaki, 19 May 2009 - 07:36 PM.
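As an added illustration, not part of this thread and not code from BleepingComputer's helpers or from any tool mentioned above: a Python script that (1) pulls the "No File" toolbar CLSIDs out of the DDS pseudo-HJT lines the way the fix in post #14 does by hand, (2) emits the same kind of REGEDIT4 removal script, and (3) checks the resulting bytes for the usual reasons regedit answers "The specified file is not a registry script": the header must be the very first bytes of the file (a pasted leading blank line or a UTF-8 byte-order mark from saving as UTF-8 defeats it), a REGEDIT4 script must be ANSI rather than Unicode, the file must really end in .reg, and copy-pasted smart quotes or non-breaking spaces turn value lines into garbage. The sample report lines and the malformed variants are constructed for the example; the registry key paths are the two from the posted fix.

```python
"""Build a REGEDIT4 removal script from DDS "No File" toolbar entries and
check the bytes before handing them to regedit.  Added example for the
thread above; constructed sample input, not the poster's actual file."""
import re

# Constructed sample: the TB: lines from the pseudo-HJT report in this thread.
SAMPLE_REPORT = """\
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\\progra~1\\avg\\avg8\\AVGTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# A value line: "name"=-  (delete), "name"="str", "name"=dword:XXXXXXXX, "name"=hex(..):..
VALUE_RE = re.compile(r'^(@|"[^"]+")=(-|".*"|dword:[0-9a-fA-F]{8}|hex(\([0-9a-fA-F]+\))?:.*)$')


def orphaned_toolbars(report: str) -> list[str]:
    """CLSIDs of IE toolbar (TB:) entries whose DLL is gone ("- No File")."""
    found = []
    for line in report.splitlines():
        if line.startswith("TB:") and line.rstrip().endswith("- No File"):
            m = GUID_RE.search(line)
            if m:
                found.append(m.group(0))
    return found


def build_reg(clsids: list[str]) -> str:
    """REGEDIT4 script deleting the orphaned toolbar values under the two keys
    used in post #14.  '"name"=-' deletes a value; '[-key]' would delete a key."""
    keys = [
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar",
        r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser",
    ]
    lines = ["REGEDIT4", ""]          # header, then the blank line regedit expects
    for key in keys:
        lines.append(f"[{key}]")
        lines.extend(f'"{c}"=-' for c in clsids)
        lines.append("")
    return "\r\n".join(lines)         # CRLF, as Notepad would write it


def check_reg_bytes(data: bytes, filename: str = "fix.reg") -> list[str]:
    """Return the problems that would make regedit reject the file ([] = looks importable)."""
    problems = []
    if not filename.lower().endswith(".reg"):
        problems.append(f"extension is not .reg ({filename})")
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark precedes the header (save as ANSI)")
        data = data[3:]
    if data.startswith(b"\xff\xfe"):          # UTF-16LE BOM: a Unicode file
        text, unicode_file = data[2:].decode("utf-16-le", errors="replace"), True
    else:
        text, unicode_file = data.decode("latin-1"), False
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("first line is not a registry header (leading blank line or spaces?)")
        return problems
    if lines[0] != lines[0].strip():
        problems.append("header has leading/trailing whitespace")
    if lines[0].strip() == "REGEDIT4" and unicode_file:
        problems.append("REGEDIT4 scripts must be ANSI text, not Unicode")
    if len(lines) < 2 or lines[1].strip() != "":
        problems.append("missing blank line after header")
    for n, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if not s or s.startswith(";"):
            continue                      # blank or comment
        if s.startswith("[") and s.endswith("]"):
            continue                      # [key] or [-key]
        if VALUE_RE.match(s):
            continue
        if any(ord(ch) > 127 for ch in s):
            problems.append(f"line {n}: non-ASCII character (smart quote / nbsp from copy-paste?)")
        else:
            problems.append(f"line {n}: not a key or value line: {s!r}")
    return problems


if __name__ == "__main__":
    good = build_reg(orphaned_toolbars(SAMPLE_REPORT)).encode("ascii")
    print(good.decode())
    print("clean:", check_reg_bytes(good))
    print("utf-8 BOM:", check_reg_bytes(b"\xef\xbb\xbf" + good))     # saved as UTF-8
    print("leading blank line:", check_reg_bytes(b"\r\n" + good))    # pasted with a blank first line
    print("wrong extension:", check_reg_bytes(good, "fix.reg.txt"))  # Notepad appended .txt
```

The checker reads the file as bytes on purpose: the byte-order mark and the UTF-16 encoding are invisible once a text editor has decoded them, yet they are exactly what sits in front of "REGEDIT4" when regedit looks at the file. Run it against the saved fix.reg (`check_reg_bytes(open(path, "rb").read(), path)`) before double-clicking it.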
