
Trojans/worms/USB drive not recognized


  • This topic is locked
22 replies to this topic

#1 wispa

wispa

  • Members
  • 11 posts
  • Gender:Female
  • Location:Australia

Posted 23 May 2009 - 07:06 AM

Hi guys, I have been fighting so many viruses and malware for weeks now ever since I realised my google search links were redirecting to advert pages. I know my son inserted an infected USB stick with mini-basketball game but doubt if he was the only culprit!!! I think I have tracked down a lot of viruses through the hundreds of scans via AVG and MalwareBytes and now Spybot S&D, but some keep returning and WinPatrol finds the same file: C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16 keeps wanting to be added to startup, despite my removing it so many times, but I am not sure what keeps triggering it off.
My computer will not recognise any USB drives in disk management. Last night a fake virus attacked calling itself avast!antivirus and turned my screen red so I knew I was still in trouble. I am almost at the stage of wiping my hard drive but hoping I can get some help, before I go to that final step. Any help you can give me would be greatly appreciated. Thanks.

DDS.txt file as follows:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Chrissie at 21:50:31.10 on Sat 23/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.829 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Chrissie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/ig?hl=en
uSearch Page = hxxp://www.google.com.au/ig?hl=en
mSearch Page = hxxp://www.google.com.au/ig?hl=en
mStart Page = hxxp://www.google.com.au/ig?hl=en
uInternet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.* 127.*;<local>
uInternet Settings,ProxyServer = proxy.iprimus.com.au:8080
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [bacstray] BacsTray.exe
mRun: [FusionRemote] c:\program files\dvico\fusionhdtv\remote\FusionRc.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\chrissie\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag scrapbooks\agremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://gateway.frankston.vic.gov.au/vdesk/cachecleaner.cab#version=6030,2008,0904,1937
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/f5tunsrv.cab#version=6030,2009,327,1558
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/InstallerControl.cab#version=6030,2008,0904,1950
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/urTermProxy.cab#version=6020,2008,0717,1602
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - hxxps://firepass.frankston.vic.gov.au/vdesk/terminal/msrdp.cab#version=5,2,3790,0
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://acer.oberon-media.com/online/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://games.bigfishgames.com/en_big-city-adventure-sydney-australia/online/JBGamePlayer.cab
DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} - hxxp://expressit.broderbund.com/plugin/Download.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://acer.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://acer.oberon-media.com/online/online2/diner_dash/DinerDash.1.0.0.80.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/urxhost.cab#version=6030,2009,327,1548
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\fuwoduke.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrissie\applic~1\mozilla\firefox\profiles\60xmjbtu.default\
FF - plugin: c:\documents and settings\chrissie\application data\mozilla\firefox\profiles\60xmjbtu.default\extensions\{3191e4ce-790e-42be-b2e0-223475263b7e}\plugins\NPuroamCleaner.dll
FF - plugin: c:\documents and settings\chrissie\application data\mozilla\firefox\profiles\60xmjbtu.default\extensions\{dbbb3167-6e81-400f-bbfd-bd8921726f52}\plugins\NPuroamHost.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-14 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-9-1 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-27 298776]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2003-7-17 14336]
R3 CX88VID;FusionHDTV 88x AvStream Video Capture;c:\windows\system32\drivers\zl88avs.sys [2008-1-16 336128]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S2 avast!Antivirus;avast!Antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\chrissie\locals~1\temp\asbp2poa.sys --> c:\docume~1\chrissie\locals~1\temp\asbp2poa.sys [?]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [2006-7-16 26568]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-16 1174152]

=============== Created Last 30 ================

2009-05-23 10:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-23 10:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-23 10:58 <DIR> --d----- c:\docume~1\chrissie\applic~1\SUPERAntiSpyware.com
2009-05-23 10:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-23 10:23 <DIR> --d----- c:\program files\SpywareBlaster
2009-05-22 22:04 104,960 ac------ c:\windows\system32\dllcache\userinit.exe
2009-05-20 22:45 644 a------- c:\windows\wininit.ini
2009-05-20 22:03 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-20 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-16 21:32 <DIR> --d----- c:\program files\Trend Micro
2009-05-14 19:18 <DIR> --d----- C:\_OTMoveIt
2009-05-14 18:48 <DIR> --d----- c:\docume~1\chrissie\applic~1\WinPatrol
2009-05-14 18:48 <DIR> --d----- c:\program files\BillP Studios
2009-05-10 11:02 114,688 a------- C:\Fport.exe
2009-04-30 17:10 112 a------- C:\xcrashdump.dat

==================== Find3M ====================

2009-05-11 12:40 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-11 12:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-28 22:01 87,947 a------- c:\windows\hpoins06.dat
2009-03-28 15:47 23,332 a------- c:\windows\system32\emptyregdb.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-01 09:35 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-04-05 15:50 0 a------- c:\program files\temp01
2008-03-05 19:32 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 21:50:57.25 ===============

Edited by wispa, 23 May 2009 - 07:12 AM.



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 04 June 2009 - 08:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 wispa

wispa
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Female
  • Location:Australia

Posted 05 June 2009 - 04:22 AM

Hello, thanks for looking at this for me. I have used many virus removal tools and one particular file wants to run constantly using autochk.dll file. It doesn't help that I have had to turn off all windows updates as one particular update causes BSOD each time it runs and I have tried without fail to work out which one it is so all are turned off, leaving my PC becoming more vulnerable I guess!

I know the first round of viruses came from my other half trying to download and install a dodgy file and then my 10 year old running a screensaver program from a USB!!! I had viruses like spyware.banker, sheur2.adda, dropper.agent.mvt and worm.autorun files found. :thumbup2:

Any help would be greatly appreciated as I need my PC for remote access to work. Please advise what you need me to do next.
Cheers
Christine

Here is my dds file:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Chrissie at 19:04:06.19 on Fri 05/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.1120 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Chrissie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/ig?hl=en
uSearch Page = hxxp://www.google.com.au/ig?hl=en
mSearch Page = hxxp://www.google.com.au/ig?hl=en
mStart Page = hxxp://www.google.com.au/ig?hl=en
uInternet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.* 127.*;<local>
uInternet Settings,ProxyServer = proxy.iprimus.com.au:8080
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [bacstray] BacsTray.exe
mRun: [FusionRemote] c:\program files\dvico\fusionhdtv\remote\FusionRc.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\chrissie\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag scrapbooks\agremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://gateway.frankston.vic.gov.au/vdesk/cachecleaner.cab#version=6030,2008,0904,1937
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/f5tunsrv.cab#version=6030,2009,327,1558
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/InstallerControl.cab#version=6030,2008,0904,1950
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/urTermProxy.cab#version=6020,2008,0717,1602
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - hxxps://firepass.frankston.vic.gov.au/vdesk/terminal/msrdp.cab#version=5,2,3790,0
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://acer.oberon-media.com/online/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://games.bigfishgames.com/en_big-city-adventure-sydney-australia/online/JBGamePlayer.cab
DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} - hxxp://expressit.broderbund.com/plugin/Download.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://acer.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://acer.oberon-media.com/online/online2/diner_dash/DinerDash.1.0.0.80.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/urxhost.cab#version=6030,2009,327,1548
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\fuwoduke.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrissie\applic~1\mozilla\firefox\profiles\60xmjbtu.default\
FF - plugin: c:\documents and settings\chrissie\application data\mozilla\firefox\profiles\60xmjbtu.default\extensions\{3191e4ce-790e-42be-b2e0-223475263b7e}\plugins\NPuroamCleaner.dll
FF - plugin: c:\documents and settings\chrissie\application data\mozilla\firefox\profiles\60xmjbtu.default\extensions\{dbbb3167-6e81-400f-bbfd-bd8921726f52}\plugins\NPuroamHost.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-14 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-9-1 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-27 298776]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2003-7-17 14336]
R3 CX88VID;FusionHDTV 88x AvStream Video Capture;c:\windows\system32\drivers\zl88avs.sys [2008-1-16 336128]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\chrissie\locals~1\temp\asbp2poa.sys --> c:\docume~1\chrissie\locals~1\temp\asbp2poa.sys [?]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [2006-7-16 26568]
S4 avast!Antivirus;avast!Antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-16 1174152]

=============== Created Last 30 ================

2009-05-23 10:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-23 10:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-23 10:58 <DIR> --d----- c:\docume~1\chrissie\applic~1\SUPERAntiSpyware.com
2009-05-23 10:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-23 10:23 <DIR> --d----- c:\program files\SpywareBlaster
2009-05-20 22:45 644 a------- c:\windows\wininit.ini
2009-05-20 22:03 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-20 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-16 21:32 <DIR> --d----- c:\program files\Trend Micro
2009-05-14 19:18 <DIR> --d----- C:\_OTMoveIt
2009-05-14 18:48 <DIR> --d----- c:\docume~1\chrissie\applic~1\WinPatrol
2009-05-14 18:48 <DIR> --d----- c:\program files\BillP Studios
2009-05-10 11:02 114,688 a------- C:\Fport.exe

==================== Find3M ====================

2009-05-18 21:17 112 a------- C:\xcrashdump.dat
2009-05-11 12:40 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-11 12:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-03-28 22:01 87,947 a------- c:\windows\hpoins06.dat
2009-03-28 15:47 23,332 a------- c:\windows\system32\emptyregdb.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2008-04-05 15:50 0 a------- c:\program files\temp01
2008-03-05 19:32 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 19:04:37.74 ===============

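One way a helper reading these two DDS logs can pre-screen them before replying, as an added example that is not from this thread or from the DDS tool: the rules and severities are this example's own heuristics, and the sample lines are copied from the logs posted above.

```python
"""Triage the autostart, LSA and service lines of a DDS log.

Added example, not code from the thread or from the DDS tool. It applies a
few general heuristics to the kinds of lines a malware-response helper
checks first. The sample lines below are copied from the logs posted in
this thread; everything else (rule names, severities) is this example's own.
"""
import re

# On Windows XP the only stock LSA notification package is scecli. Any other
# DLL listed here is loaded into LSASS at boot, a classic persistence spot.
EXPECTED_LSA_PACKAGES = {"scecli"}

# "<state> <name>;<display name>;<image path ...> [<date size>]" or "[?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# "uRun: [name] command"  (u = user hive, m = machine hive, d = default user)
RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s*(.*)$")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _check_run(line, cmd):
    # rundll32 is a legitimate Windows tool but also the usual way a dropped
    # DLL gets executed at logon; every such entry is worth verifying.
    if "rundll32" in cmd.lower():
        return [("medium", "autostart runs a DLL through rundll32; verify the DLL is signed and expected", line)]
    return []


def _check_lsa(line):
    value = line.split("=", 1)[1]
    extra = []
    for pkg in value.split():
        name = _basename(pkg).lower()
        if name.endswith(".dll"):
            name = name[:-4]
        if name not in EXPECTED_LSA_PACKAGES:
            extra.append(pkg)
    if extra:
        return [("high", "unexpected LSA notification package(s): " + ", ".join(extra), line)]
    return []


def _check_service(line, image_field):
    findings = []
    field = image_field.lower()
    if field.endswith("[?]"):
        findings.append(("high", "service image missing on disk (DDS marks it [?]); stale or self-deleting entry", line))
    if "\\temp\\" in field:
        findings.append(("high", "service/driver image lives in a temp directory", line))
    # "-k <group>" only means something to svchost.exe; any other image using
    # it is dressing itself up as a shared service host.
    if " -k " in field and "svchost" not in _basename(field.split(" -k ")[0]):
        findings.append(("high", "non-svchost image started with a svchost service-group switch", line))
    return findings


def triage(lines):
    """Return (severity, reason, line) tuples for entries that need a look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            findings.extend(_check_run(line, m.group(3)))
            continue
        if line.startswith("LSA: Notification Packages"):
            findings.extend(_check_lsa(line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.extend(_check_service(line, m.group(4)))
            continue
        if line.startswith("uInternet Settings,ProxyServer"):
            findings.append(("info", "browser proxy configured; confirm it belongs to the ISP or employer", line))
    return findings


# Sample lines copied from the DDS logs in this thread.
SAMPLE_LOG = [
    r"mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe",
    r"mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16",
    r"LSA: Notification Packages = scecli c:\windows\system32\fuwoduke.dll",
    r"uInternet Settings,ProxyServer = proxy.iprimus.com.au:8080",
    r"R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2003-7-17 14336]",
    r"S2 avast!Antivirus;avast!Antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]",
    r"S3 asbp2poa;asbp2poa;\??\c:\docume~1\chrissie\locals~1\temp\asbp2poa.sys --> c:\docume~1\chrissie\locals~1\temp\asbp2poa.sys [?]",
]

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

The legitimate AVG tray entry and the stock RIP Listener service produce no findings, while the four entries the helpers would act on are each flagged with the reason.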

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 06 June 2009 - 07:40 PM

Hello.

Let's start off with Combofix.

Download and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 wispa

wispa
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Female
  • Location:Australia

Posted 06 June 2009 - 09:59 PM

Hello back and thanks for responding :-)

The combo-fix did ask me to let it update so I did, I hope that was okay. It did not restart my pc so I am guessing it didn't really find anything, so here goes:

ComboFix 09-06-06.03 - Chrissie 07/06/2009 12:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.1001 [GMT 10:00]
Running from: c:\documents and settings\Chrissie\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\DinerDash.1.0.0.80
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\cup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\customer_cup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\heart.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\menu_down.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\menu_up.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\plates.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\ticket.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\tray.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_bring_check_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_deliver_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_deliver_order_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_diner.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_food_ready_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_gain_heart_1.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_get_drinks_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_party_arrive_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_pencil_write_2.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_pickup_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_rollover_1.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_seat_people_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\choosedifficulty.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\credits.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\flo_lose.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\flo_win.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\help1.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\help2.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\highscores.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelintro.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelintro_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelover.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelover_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\popup.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\popup_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\upgradegrid.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\upgradetitle.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\upsell.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowleft_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowleft_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowright_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowright_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\back_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\back_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\backchalk.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\backchalkup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\backtomenu_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\backtomenu_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\cancel.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\cancelup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\career.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\career_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\close.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\closeup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\continue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\continueover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\credits_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\credits_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\download_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\download_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\easy.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\easy_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\endlessshift.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\endlessshift_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\hard.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\hard_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\help.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\help_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\highscores.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\highscores_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\instructions_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\instructions_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\letsplay.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\letsplayover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\medium.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\medium_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\moreinfo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\moreinfoup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\off.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\off_on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\on_on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\pause.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\pauseover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quitgame.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quitgameover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quitover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\resumegame.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\resumegameover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\submit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\submitup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\tryagain.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\tryagainover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\upgrade_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\upgrade_up.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewglobal.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewglobalup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewhighscore.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewhighscoreon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewlocal.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewlocalup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\comics\webcomic.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\career.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\customer.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\endless.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\global.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\powerups.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cook\cook.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cook\cook.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cook\stove.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\arrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\click.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\click2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\grab.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\open.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\blue\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\blue\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\blue\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\green\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\green\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\green\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\purple\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\purple\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\purple\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\red\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\red\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\red\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\yellow\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\yellow\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\yellow\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\blue\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\blue\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\blue\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\green\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\green\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\green\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\purple\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\purple\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\purple\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\red\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\red\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\red\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\yellow\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\yellow\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\yellow\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\idle.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\idle.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\lower.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\lower.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\upper.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\upper.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\fonts\arial.mvec
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\fonts\komikaaxis.mvec
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\chair.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\chair.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\dirt2top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\dirt4top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\dishcart.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\dishcart.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\drinkstation_off.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\drinkstation_on1.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\drinkstation_on2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\ticketstation.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\ticketstation.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowdown.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowdownon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowleft.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowlefton.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowright.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowrighton.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowupon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\p1icon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\textedit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\title.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_d.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_d.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\fifth_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\first_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\fourth_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\second_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\playfirst_logo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\background.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food1.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food1.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food2.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food3.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food3.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\frames\upgrade_0001.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\2top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\2top.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\4top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\4top.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\upgrades.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\tableshadow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\choosedifficulty.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\chooseplayer.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\chooserestaurant.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\credits.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\game.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\gothighscore.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\help.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\help2.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\hiscore.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\hiscoreinfo.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\hiscoresubmit.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\levelintro.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\levelover.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\loading.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\mainloop.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\mainmenu.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\ok.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\pause.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\style.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\tutorialintro.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\upgrade.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\upsell.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\webcomic.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\yesno.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\splash\gamelabsplash.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\strings.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\angersmoke.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\angersmoke.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\chairflags.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\chairflags.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\check.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\checkmark.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\clock.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\closed.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\closingtime.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\coinflip.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\coinflip.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\dollar.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\doodles\coffee.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\doodles\tables.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\doodles\wallpaper.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\expert.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\expertscore.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\foodpoof.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\foodpoof.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\fork_timer.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\goalcompleted.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\heartgrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\heartgrow.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\jar.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\jar.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\level.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\level_career.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\score.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\sound.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\staroff.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\staron.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tablenumber.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tablenumberup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\traynumber.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tutorial_character.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tutorialarrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tutorialbox.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgradeanim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgradeanim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\drinks.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\maitred.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\oven.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\select.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\shoes.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\stereo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\table.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\dinerdash.exe
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Legacy_IPRIP
-------\Service_avast!Antivirus
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-05-24 06:47 . 2009-05-24 06:47 -------- d-----w- C:\rsit
2009-05-23 09:29 . 2009-05-23 09:29 -------- d-----w- c:\documents and settings\Sov\Application Data\WinPatrol
2009-05-23 00:59 . 2009-06-05 06:11 117760 ----a-w- c:\documents and settings\Chrissie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-23 00:58 . 2009-05-23 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-23 00:58 . 2009-06-05 06:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-23 00:58 . 2009-05-23 00:58 -------- d-----w- c:\documents and settings\Chrissie\Application Data\SUPERAntiSpyware.com
2009-05-23 00:58 . 2009-05-23 00:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-23 00:23 . 2009-05-23 09:51 -------- d-----w- c:\program files\SpywareBlaster
2009-05-20 12:03 . 2009-05-20 13:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-20 12:03 . 2009-05-20 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-20 06:18 . 2009-05-11 02:40 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-20 06:18 . 2009-05-11 02:39 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-20 06:18 . 2009-05-11 02:39 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-20 06:18 . 2009-05-11 02:39 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-20 06:18 . 2009-05-11 02:39 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-20 06:18 . 2009-05-11 02:39 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-20 06:17 . 2009-05-11 02:40 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-20 06:17 . 2009-05-11 02:37 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-20 06:17 . 2009-05-11 02:37 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-17 10:41 . 2009-05-17 10:45 13929472 ----a-w- c:\documents and settings\Sov\Application Data\D-Link Media Server\myares.dll
2009-05-17 10:41 . 2009-05-17 10:45 13929472 ----a-w- c:\documents and settings\Sov\Application Data\D-Link Media Server\ares.dll
2009-05-17 10:41 . 2009-05-17 10:41 2048 ----a-w- c:\documents and settings\Sov\Application Data\D-Link Media Server\relation.dll
2009-05-17 10:29 . 2009-05-17 10:29 -------- d-----w- c:\documents and settings\Sov\Application Data\Malwarebytes
2009-05-16 11:32 . 2009-05-16 11:32 -------- d-----w- c:\program files\Trend Micro
2009-05-14 09:18 . 2009-05-14 09:18 -------- d-----w- C:\_OTMoveIt
2009-05-14 08:48 . 2009-05-14 08:48 -------- d-----w- c:\documents and settings\Chrissie\Application Data\WinPatrol
2009-05-14 08:48 . 2006-07-16 06:51 0 ----a-w- c:\documents and settings\Chrissie\Application Data\WinPatrol\Config.sys
2009-05-14 08:48 . 2006-07-16 06:51 0 ----a-w- c:\documents and settings\Chrissie\Application Data\WinPatrol\Autoexec.bat
2009-05-14 08:48 . 2009-05-14 08:48 -------- d-----w- c:\program files\BillP Studios
2009-05-13 06:29 . 2009-05-11 02:39 2302232 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-13 06:29 . 2009-05-11 02:39 3399960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-10 01:02 . 2009-05-10 00:59 114688 ----a-w- C:\Fport.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 01:13 . 2008-08-30 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-30 11:48 . 2006-10-03 12:42 -------- d-----w- c:\program files\Apple Software Update
2009-05-30 07:56 . 2009-01-10 10:49 -------- d-----w- c:\documents and settings\Sov\Application Data\D-Link Media Server
2009-05-23 09:53 . 2007-08-12 03:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-17 10:41 . 2006-07-29 09:08 -------- d-----w- c:\program files\D-Link Media Server
2009-05-17 10:41 . 2009-01-10 10:49 684313 ----a-w- c:\documents and settings\Sov\Application Data\MediaServerDump\LiveUpdate\unins000.exe
2009-05-16 11:21 . 2006-07-19 12:40 -------- d-----w- c:\program files\Java
2009-05-16 11:20 . 2009-04-14 10:44 152576 ----a-w- c:\documents and settings\Chrissie\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-11 02:40 . 2009-01-26 21:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-11 02:40 . 2008-05-14 10:01 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-11 02:40 . 2007-09-01 11:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-09 22:02 . 2008-05-14 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-04-30 22:59 . 2009-04-30 22:59 0 ----a-w- c:\windows\nsreg.dat
2009-04-23 10:25 . 2007-11-11 23:09 -------- d-----w- c:\documents and settings\Sov\Application Data\Azureus
2009-04-19 10:24 . 2008-04-19 10:34 -------- d-----w- c:\program files\Bonjour
2009-04-11 09:42 . 2009-02-28 23:25 -------- d-----w- c:\program files\EdussMathsILS
2009-04-11 03:42 . 2009-04-11 03:42 -------- d-----w- c:\documents and settings\Chrissie\Application Data\Malwarebytes
2009-04-11 03:42 . 2009-04-11 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-04-11 03:42 . 2009-04-11 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 12:43 . 2009-04-09 12:43 155 ----a-w- c:\windows\system32\SelfDel.bat
2009-04-06 05:32 . 2009-04-11 03:42 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 05:32 . 2009-04-11 03:42 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-29 03:42 . 2006-08-17 10:09 149744 ----a-w- c:\documents and settings\Lucas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-29 03:21 . 2008-10-24 08:22 10684866 ----a-w- c:\documents and settings\Sov\Application Data\Azureus\plugins\azump\mplayer.exe
2009-03-29 02:44 . 2006-07-29 08:21 151488 ----a-w- c:\documents and settings\Sov\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 12:12 . 2009-03-28 12:12 3584 ----a-r- c:\documents and settings\Chrissie\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-03-28 12:01 . 2006-07-17 11:21 87947 ----a-w- c:\windows\hpoins06.dat
2009-03-28 09:14 . 2006-07-16 12:54 151488 ----a-w- c:\documents and settings\Chrissie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 05:47 . 2006-07-16 06:49 23332 ----a-w- c:\windows\system32\emptyregdb.dat
2009-03-26 22:48 . 2009-04-30 23:31 173696 ----a-w- c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\Plugins\NPuroamHost.dll
2009-03-26 22:45 . 2009-04-30 23:04 141952 ----a-w- c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\extensions\{3191E4CE-790E-42be-B2E0-223475263B7E}\Plugins\NPuroamCleaner.dll
2008-04-05 05:50 . 2008-04-05 05:50 0 ----a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-10-18 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-18 126976]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"FusionRemote"="c:\program files\DVICO\FusionHDTV\Remote\FusionRc.exe" [2007-03-29 2270208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-11 1947928]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"bacstray"="BacsTray.exe" - c:\windows\system32\BacsTray.exe [2003-05-08 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-08 68856]

c:\documents and settings\Chrissie\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-7-21 2913584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-11 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Forget Me Not.lnk - c:\program files\Broderbund\AG Scrapbooks\agremind.exe [2006-8-26 331776]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-5-17 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 02:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"NWEReboot"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\D-Link Media Server\\MediaGUI.exe"=
"c:\\Program Files\\D-Link Media Server\\MediaServer.exe"=
"c:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Documents and Settings\\Sov\\My Documents\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\TunnelServer.exe"=
"c:\\Documents and Settings\\Chrissie\\Application Data\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"\\\\Study\\D-Link Media Server\\MediaGUI.exe"=
"\\\\Study\\D-Link Media Server\\MediaServer.exe"=
"c:\\Documents and Settings\\Sov\\Application Data\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/05/2008 8:01 PM 325896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/01/2009 7:51 AM 298776]
R3 CX88VID;FusionHDTV 88x AvStream Video Capture;c:\windows\system32\drivers\zl88avs.sys [16/01/2008 12:10 PM 336128]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\Chrissie\LOCALS~1\Temp\asbp2poa.sys --> c:\docume~1\Chrissie\LOCALS~1\Temp\asbp2poa.sys [?]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [16/07/2006 7:13 PM 26568]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]

2009-06-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-10 06:22]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig?hl=en
uSearch Page = hxxp://www.google.com.au/ig?hl=en
mStart Page = hxxp://www.google.com.au/ig?hl=en
uInternet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.* 127.*;<local>
uInternet Settings,ProxyServer = proxy.iprimus.com.au:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://games.bigfishgames.com/en_big-city-adventure-sydney-australia/online/JBGamePlayer.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://acer.oberon-media.com/online/online2/diner_dash/DinerDash.1.0.0.80.cab
FF - ProfilePath - c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\
FF - plugin: c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\extensions\{3191E4CE-790E-42be-B2E0-223475263B7E}\plugins\NPuroamCleaner.dll
FF - plugin: c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\plugins\NPuroamHost.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 12:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3212)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-06-07 12:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-07 02:50

Pre-Run: 79,767,023,616 bytes free
Post-Run: 82,993,242,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

530 --- E O F --- 2009-03-28 12:20


Thanks again for your help,
Cheers

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:30 AM
Posted 07 June 2009 - 02:45 PM

Hello.

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire 4.16.7 and Vuze). These programs allow users to share files between each other, as the name suggests. In today's world cybercrime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Please do the following:

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Folder::
    C:\_OTMoveIt
    Driver::
    asbp2poa
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 wispa

  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female
  • Location:Australia
  • Local time:05:30 PM

Posted 07 June 2009 - 08:40 PM

Thanks for your response. With regard to the P2P programs, yes that is an ongoing issue in this household which may be solved by the purchase of a separate laptop for my other half to do with as he will and leave my pc well alone!!! At the moment I am stuck with this! :thumbup2:

ComboFix asked to update again, so I said okay to that, and the results are below. The MBAM run found one registry entry, which is the first time I have seen that in all the scans etc. I have run over the past 6 weeks; it was removed successfully, and the results of that scan are listed below the ComboFix one:

ComboFix
ComboFix 09-06-07.03 - Chrissie 08/06/2009 11:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.1032 [GMT 10:00]
Running from: c:\documents and settings\Chrissie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chrissie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\05142009_191839.log
c:\_otmoveit\MovedFiles\05142009_191839.res

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASBP2POA
-------\Service_asbp2poa


((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-07 03:16 . 2009-06-07 03:16 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-24 06:47 . 2009-05-24 06:47 -------- d-----w- C:\rsit
2009-05-23 09:29 . 2009-05-23 09:29 -------- d-----w- c:\documents and settings\Sov\Application Data\WinPatrol
2009-05-23 00:59 . 2009-06-05 06:11 117760 ----a-w- c:\documents and settings\Chrissie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-23 00:58 . 2009-05-23 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-23 00:58 . 2009-06-05 06:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-23 00:58 . 2009-05-23 00:58 -------- d-----w- c:\documents and settings\Chrissie\Application Data\SUPERAntiSpyware.com
2009-05-23 00:58 . 2009-05-23 00:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-23 00:23 . 2009-05-23 09:51 -------- d-----w- c:\program files\SpywareBlaster
2009-05-20 12:03 . 2009-05-20 13:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-20 12:03 . 2009-05-20 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-20 06:18 . 2009-05-11 02:40 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-20 06:18 . 2009-05-11 02:39 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-20 06:18 . 2009-05-11 02:39 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-20 06:18 . 2009-05-11 02:39 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-20 06:18 . 2009-05-11 02:39 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-20 06:18 . 2009-05-11 02:39 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-20 06:17 . 2009-05-11 02:40 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-20 06:17 . 2009-05-11 02:37 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-20 06:17 . 2009-05-11 02:37 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-17 10:41 . 2009-05-17 10:45 13929472 ----a-w- c:\documents and settings\Sov\Application Data\D-Link Media Server\myares.dll
2009-05-17 10:41 . 2009-05-17 10:45 13929472 ----a-w- c:\documents and settings\Sov\Application Data\D-Link Media Server\ares.dll
2009-05-17 10:41 . 2009-05-17 10:41 2048 ----a-w- c:\documents and settings\Sov\Application Data\D-Link Media Server\relation.dll
2009-05-17 10:29 . 2009-05-17 10:29 -------- d-----w- c:\documents and settings\Sov\Application Data\Malwarebytes
2009-05-16 11:32 . 2009-05-16 11:32 -------- d-----w- c:\program files\Trend Micro
2009-05-14 08:48 . 2009-05-14 08:48 -------- d-----w- c:\documents and settings\Chrissie\Application Data\WinPatrol
2009-05-14 08:48 . 2006-07-16 06:51 0 ----a-w- c:\documents and settings\Chrissie\Application Data\WinPatrol\Config.sys
2009-05-14 08:48 . 2006-07-16 06:51 0 ----a-w- c:\documents and settings\Chrissie\Application Data\WinPatrol\Autoexec.bat
2009-05-14 08:48 . 2009-05-14 08:48 -------- d-----w- c:\program files\BillP Studios
2009-05-13 06:29 . 2009-05-11 02:39 2302232 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-13 06:29 . 2009-05-11 02:39 3399960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-10 01:02 . 2009-05-10 00:59 114688 ----a-w- C:\Fport.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 03:16 . 2009-04-11 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 01:13 . 2008-08-30 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-30 11:48 . 2006-10-03 12:42 -------- d-----w- c:\program files\Apple Software Update
2009-05-30 07:56 . 2009-01-10 10:49 -------- d-----w- c:\documents and settings\Sov\Application Data\D-Link Media Server
2009-05-26 03:20 . 2009-04-11 03:42 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 03:19 . 2009-04-11 03:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 09:53 . 2007-08-12 03:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-17 10:41 . 2006-07-29 09:08 -------- d-----w- c:\program files\D-Link Media Server
2009-05-17 10:41 . 2009-01-10 10:49 684313 ----a-w- c:\documents and settings\Sov\Application Data\MediaServerDump\LiveUpdate\unins000.exe
2009-05-16 11:21 . 2006-07-19 12:40 -------- d-----w- c:\program files\Java
2009-05-16 11:20 . 2009-04-14 10:44 152576 ----a-w- c:\documents and settings\Chrissie\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-11 02:40 . 2009-01-26 21:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-11 02:40 . 2008-05-14 10:01 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-11 02:40 . 2007-09-01 11:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-09 22:02 . 2008-05-14 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-04-30 22:59 . 2009-04-30 22:59 0 ----a-w- c:\windows\nsreg.dat
2009-04-23 10:25 . 2007-11-11 23:09 -------- d-----w- c:\documents and settings\Sov\Application Data\Azureus
2009-04-19 10:24 . 2008-04-19 10:34 -------- d-----w- c:\program files\Bonjour
2009-04-11 09:42 . 2009-02-28 23:25 -------- d-----w- c:\program files\EdussMathsILS
2009-04-11 03:42 . 2009-04-11 03:42 -------- d-----w- c:\documents and settings\Chrissie\Application Data\Malwarebytes
2009-04-11 03:42 . 2009-04-11 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 12:43 . 2009-04-09 12:43 155 ----a-w- c:\windows\system32\SelfDel.bat
2009-03-29 03:42 . 2006-08-17 10:09 149744 ----a-w- c:\documents and settings\Lucas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-29 03:21 . 2008-10-24 08:22 10684866 ----a-w- c:\documents and settings\Sov\Application Data\Azureus\plugins\azump\mplayer.exe
2009-03-29 02:44 . 2006-07-29 08:21 151488 ----a-w- c:\documents and settings\Sov\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 12:12 . 2009-03-28 12:12 3584 ----a-r- c:\documents and settings\Chrissie\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-03-28 12:01 . 2006-07-17 11:21 87947 ----a-w- c:\windows\hpoins06.dat
2009-03-28 09:14 . 2006-07-16 12:54 151488 ----a-w- c:\documents and settings\Chrissie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 05:47 . 2006-07-16 06:49 23332 ----a-w- c:\windows\system32\emptyregdb.dat
2009-03-26 22:48 . 2009-04-30 23:31 173696 ----a-w- c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\Plugins\NPuroamHost.dll
2009-03-26 22:45 . 2009-04-30 23:04 141952 ----a-w- c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\extensions\{3191E4CE-790E-42be-B2E0-223475263B7E}\Plugins\NPuroamCleaner.dll
2008-04-05 05:50 . 2008-04-05 05:50 0 ----a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((( SnapShot@2009-06-07_02.43.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-08 01:13 . 2009-06-08 01:13 16384 c:\windows\Temp\Perflib_Perfdata_5ac.dat
+ 2009-06-08 00:56 . 2009-06-08 00:56 16384 c:\windows\Temp\Perflib_Perfdata_3ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-10-18 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-18 126976]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"FusionRemote"="c:\program files\DVICO\FusionHDTV\Remote\FusionRc.exe" [2007-03-29 2270208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-11 1947928]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"bacstray"="BacsTray.exe" - c:\windows\system32\BacsTray.exe [2003-05-08 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-08 68856]

c:\documents and settings\Chrissie\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-7-21 2913584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-11 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Forget Me Not.lnk - c:\program files\Broderbund\AG Scrapbooks\agremind.exe [2006-8-26 331776]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2008-5-17 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 02:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"NWEReboot"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\D-Link Media Server\\MediaGUI.exe"=
"c:\\Program Files\\D-Link Media Server\\MediaServer.exe"=
"c:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Documents and Settings\\Sov\\My Documents\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\TunnelServer.exe"=
"c:\\Documents and Settings\\Chrissie\\Application Data\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"\\\\Study\\D-Link Media Server\\MediaGUI.exe"=
"\\\\Study\\D-Link Media Server\\MediaServer.exe"=
"c:\\Documents and Settings\\Sov\\Application Data\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/05/2008 8:01 PM 325896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/01/2009 7:51 AM 298776]
R3 CX88VID;FusionHDTV 88x AvStream Video Capture;c:\windows\system32\drivers\zl88avs.sys [16/01/2008 12:10 PM 336128]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [16/07/2006 7:13 PM 26568]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-10 06:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig?hl=en
uSearch Page = hxxp://www.google.com.au/ig?hl=en
mStart Page = hxxp://www.google.com.au/ig?hl=en
uInternet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.* 127.*;<local>
uInternet Settings,ProxyServer = proxy.iprimus.com.au:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://games.bigfishgames.com/en_big-city-adventure-sydney-australia/online/JBGamePlayer.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://acer.oberon-media.com/online/online2/diner_dash/DinerDash.1.0.0.80.cab
FF - ProfilePath - c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\
FF - plugin: c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\extensions\{3191E4CE-790E-42be-B2E0-223475263B7E}\plugins\NPuroamCleaner.dll
FF - plugin: c:\documents and settings\Chrissie\Application Data\Mozilla\Firefox\Profiles\60xmjbtu.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\plugins\NPuroamHost.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 11:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2964)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-06-08 11:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-08 01:21
ComboFix2.txt 2009-06-07 02:50

Pre-Run: 82,972,278,784 bytes free
Post-Run: 82,966,052,864 bytes free

233 --- E O F --- 2009-03-28 12:20


MalwareBytes Log

Malwarebytes' Anti-Malware 1.37
Database version: 2246
Windows 5.1.2600 Service Pack 2

8/06/2009 11:29:41 AM
mbam-log-2009-06-08 (11-29-41).txt

Scan type: Quick Scan
Objects scanned: 114583
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreaxs (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again for this - Much appreciated :-)

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:30 AM

Posted 08 June 2009 - 07:18 PM

Hello.

Please do the following.

Update Java to Version 6 Update 14

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for Java Runtime Environment (JRE) JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS log for me afterwards.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
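The version check behind the Java step above, written out as an added example (this is not code from the post, from DDS or from Sun): it pulls every Java version a DDS log reveals, from the BrowserJavaVersion field, from the jinstall cab names in DPF lines and from Sun's per-version plug-in CLSID ({CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} encodes 1.6.0_13, while the all-FFFF form just means "whatever is installed"), and compares them with the required 6 Update 14. The sample log lines are constructed from the ones posted in this thread; REQUIRED, the function names and the output format are the example's own assumptions.

```python
import re

# Constructed sample, modelled on the Java-related lines of a DDS log posted in this
# thread (the browser plug-in version and the Sun download-site DPF entries).
SAMPLE_DDS = """\
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
"""

# The version the helper asked for: Java 6 Update 14 (an assumption of this example).
REQUIRED = (1, 6, 0, 14)

# "1.6.0_13" as printed after BrowserJavaVersion:
_DOTTED_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)_(\d+)")
# "jinstall-1_6_0_13-windows-i586.cab" inside a DPF line
_CAB_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.I)
# Sun's per-version plug-in CLSID: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} is 1.6.0_13.
# The all-FFFF form means "whatever JRE is installed" and names no version.
_CLSID_RE = re.compile(
    r"\{CAFEEFAC-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-ABCDEFFEDCBA\}", re.I)


def _clsid_version(match):
    family, micro, update = match.groups()
    if "F" in (family + micro + update).upper():
        return None  # dynamic "installed version" CLSID, carries no version
    # "0016" -> major 1, minor 6; the other two groups are plain decimal digits
    return (int(family[2]), int(family[3]), int(micro), int(update))


def java_versions_in_dds(text):
    """Map each source of evidence in the log to the set of Java versions it reveals."""
    found = {}
    for line in text.splitlines():
        if "BrowserJavaVersion:" in line:
            m = _DOTTED_RE.search(line.split("BrowserJavaVersion:", 1)[1])
            if m:
                found.setdefault("BrowserJavaVersion", set()).add(
                    tuple(int(g) for g in m.groups()))
        elif line.startswith("DPF:"):
            m = _CAB_RE.search(line)
            if m:
                found.setdefault("jinstall cab", set()).add(
                    tuple(int(g) for g in m.groups()))
            c = _CLSID_RE.search(line)
            v = _clsid_version(c) if c else None
            if v:
                found.setdefault("plug-in CLSID", set()).add(v)
    return found


def fmt(version):
    """Render (1, 6, 0, 13) the way Java does: 1.6.0_13."""
    return "%d.%d.%d_%02d" % version


def check_java(text, required=REQUIRED):
    """Summarise whether every Java version visible in the log meets `required`."""
    found = java_versions_in_dds(text)
    seen = sorted({v for versions in found.values() for v in versions})
    outdated = [v for v in seen if v < required]
    # A log that shows no Java at all is not "ok": there is nothing to confirm.
    return {"seen": seen, "outdated": outdated, "ok": bool(seen) and not outdated}


if __name__ == "__main__":
    result = check_java(SAMPLE_DDS)
    for v in result["seen"]:
        print("%-9s %s" % ("OK" if v >= REQUIRED else "OUTDATED", fmt(v)))
    print("required:", fmt(REQUIRED), "| up to date:", result["ok"])
```

The check only sees what DDS reports; it cannot confirm that older JRE copies were actually uninstalled, so Add/Remove Programs remains the authority for the removal step.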

#9 wispa

wispa
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Female
  • Location:Australia
  • Local time:05:30 PM

Posted 09 June 2009 - 08:23 AM

Hi Extremeboy

Thank you for your reply and detailed instructions. I have removed the old JREs etc. and installed the latest one as requested. I am now running the Kaspersky scan and it is only at 19% and has been running for nearly 2 hours now, so I will leave it running as I need to get up early in the morning for work :-(

I will post logs when I get home tomorrow night as requested.

So far it has found 5 threats and 6 infected objects so looks like there is more to do so I would like to thank you again for all your help. I was really at the end of the line with this after running so many scans with different spyware, malware, anti-virus software (all recommended by this site :-)) and all removing spyware.bankers and trojan horses left, right and centre. I am optimistic that my pc can be rescued!

Cheers
Wispa

Edited by wispa, 09 June 2009 - 08:25 AM.


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:30 AM

Posted 09 June 2009 - 04:30 PM

Glad we can help.

Post the online scan once it's done. Do not take any action yourself.

The Kaspersky scan takes a while, but it's one of the best online scanners out there.

With Regards,
Extremeboy

#11 wispa

wispa
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Female
  • Location:Australia
  • Local time:05:30 PM

Posted 10 June 2009 - 05:15 AM

Hello and thanks for your patience.

The Kaspersky log is as follows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 09, 2009 12:00:21
Records in database: 2330929
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 164807
Threat name: 7
Infected objects: 8
Suspicious objects: 2
Duration of the scan: 03:04:23


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\608C0663.wma Infected: Trojan-Downloader.WMA.Wimad.o 1
C:\Documents and Settings\Chrissie\My Documents\MY Downloads\BSINSTALL.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\Chrissie\My Documents\MY Downloads\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 3
C:\Documents and Settings\Chrissie\My Documents\MY Downloads\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
C:\Documents and Settings\Sov\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

The selected area was scanned.

******************************

I checked with my other half and he admits he was using my PC yesterday whilst I was at work to check his emails, so it looks to me that he has a dodgy email with that trojan-spy listed there. I haven't done anything about this at all, just awaiting your further instructions.

Now for the DDS Log:



DDS (Ver_09-05-14.01) - NTFSx86
Run by Chrissie at 19:43:04.16 on Wed 10/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.1039 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Chrissie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/ig?hl=en
uSearch Page = hxxp://www.google.com.au/ig?hl=en
mStart Page = hxxp://www.google.com.au/ig?hl=en
uInternet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.* 127.*;<local>
uInternet Settings,ProxyServer = proxy.iprimus.com.au:8080
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [bacstray] BacsTray.exe
mRun: [FusionRemote] c:\program files\dvico\fusionhdtv\remote\FusionRc.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\chrissie\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag scrapbooks\agremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://gateway.frankston.vic.gov.au/vdesk/cachecleaner.cab#version=6030,2008,0904,1937
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/f5tunsrv.cab#version=6030,2009,327,1558
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/InstallerControl.cab#version=6030,2008,0904,1950
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/urTermProxy.cab#version=6020,2008,0717,1602
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - hxxps://firepass.frankston.vic.gov.au/vdesk/terminal/msrdp.cab#version=5,2,3790,0
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://acer.oberon-media.com/online/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://games.bigfishgames.com/en_big-city-adventure-sydney-australia/online/JBGamePlayer.cab
DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} - hxxp://expressit.broderbund.com/plugin/Download.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://acer.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://acer.oberon-media.com/online/online2/diner_dash/DinerDash.1.0.0.80.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/urxhost.cab#version=6030,2009,327,1548
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrissie\applic~1\mozilla\firefox\profiles\60xmjbtu.default\
FF - plugin: c:\documents and settings\chrissie\application data\mozilla\firefox\profiles\60xmjbtu.default\extensions\{3191e4ce-790e-42be-b2e0-223475263b7e}\plugins\NPuroamCleaner.dll
FF - plugin: c:\documents and settings\chrissie\application data\mozilla\firefox\profiles\60xmjbtu.default\extensions\{dbbb3167-6e81-400f-bbfd-bd8921726f52}\plugins\NPuroamHost.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-14 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-9-1 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-27 298776]
R3 CX88VID;FusionHDTV 88x AvStream Video Capture;c:\windows\system32\drivers\zl88avs.sys [2008-1-16 336128]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [2006-7-16 26568]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-16 1174152]

=============== Created Last 30 ================

2009-06-09 21:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-07 11:49 <DIR> a-dshr-- C:\cmdcons
2009-06-07 11:47 161,792 a------- c:\windows\SWREG.exe
2009-06-07 11:47 154,624 a------- c:\windows\PEV.exe
2009-06-07 11:47 98,816 a------- c:\windows\sed.exe
2009-05-23 10:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-23 10:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-23 10:58 <DIR> --d----- c:\docume~1\chrissie\applic~1\SUPERAntiSpyware.com
2009-05-23 10:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-23 10:23 <DIR> --d----- c:\program files\SpywareBlaster
2009-05-20 22:45 644 a------- c:\windows\wininit.ini
2009-05-20 22:03 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-20 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-16 21:32 <DIR> --d----- c:\program files\Trend Micro
2009-05-14 18:48 <DIR> --d----- c:\docume~1\chrissie\applic~1\WinPatrol
2009-05-14 18:48 <DIR> --d----- c:\program files\BillP Studios

==================== Find3M ====================

2009-06-09 21:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-11 12:40 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-11 12:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-10 10:59 114,688 a------- C:\Fport.exe
2009-03-28 22:01 87,947 a------- c:\windows\hpoins06.dat
2009-03-28 15:47 23,332 a------- c:\windows\system32\emptyregdb.dat
2008-04-05 15:50 0 a------- c:\program files\temp01
2008-03-05 19:32 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 19:43:45.38 ===============

I wasn't sure if you wanted the attach.txt also, so I posted it just in case.

I really appreciate your help so far :)

Cheers

Attached Files



#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:30 AM

Posted 10 June 2009 - 05:58 PM

Hello.

Java was not updated: Java™ 6 Update 13

Please update it to Java 6 update 14 now. Refer to my previous instruction if needed.

Regarding what Kaspersky found:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\608C0663.wma Infected: Trojan-Downloader.WMA.Wimad.o 1
C:\Documents and Settings\Chrissie\My Documents\MY Downloads\BSINSTALL.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\Chrissie\My Documents\MY Downloads\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 3
C:\Documents and Settings\Chrissie\My Documents\MY Downloads\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
C:\Documents and Settings\Sov\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1


I suggest you delete that WHOLE Norton Anti-virus folder, since you don't use or have Norton anymore: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus <- This folder

Then, I suggest you remove the 3 files detected by Kaspersky in the MY Downloads folder.
C:\Documents and Settings\Chrissie\My Documents\MY Downloads <- This folder

Everything Kaspersky detected was optional to delete, since they are not-a-virus but more of a "risk-file" or "risk-tool".

The files in the TightVNC folder are part of the program TightVNC 1.2.9 you have installed, so don't worry about those.

Just do what I have said above and then take a new DDS log for me.

With Regards,
Extremeboy
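The triage the reply above applies to the Kaspersky verdicts, as an added example (this is not code from the post or from Kaspersky): it parses the report's detection lines, separates real Infected verdicts from Kaspersky's not-a-virus riskware class (including legitimate remote-admin tools such as VNC), and treats two locations specially: another product's quarantine folder, where the file is already contained and the fix is removing the dead product's folder, and a mail store such as Outlook.pst, where the fix is deleting the offending message in the mail client rather than the .pst. The sample input is the report posted in this thread plus one constructed line (evil-example.exe, a made-up name) so the remove path is exercised; the category names and ACTIONS wording are the example's own.

```python
import re
from dataclasses import dataclass

# Sample input: the detection lines from the Kaspersky report posted above, plus one
# constructed line (evil-example.exe, not a real detection) to exercise the remove path.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\608C0663.wma Infected: Trojan-Downloader.WMA.Wimad.o 1
C:\Documents and Settings\Chrissie\My Documents\MY Downloads\BSINSTALL.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\Chrissie\My Documents\MY Downloads\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 3
C:\Documents and Settings\Chrissie\My Documents\MY Downloads\setup_ares.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
C:\Documents and Settings\Sov\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\WINDOWS\system32\evil-example.exe Infected: Trojan.Win32.Example.a 1
"""

# "<path> Infected: <threat name> <count>" or "<path> Suspicious: <threat name> <count>".
# Paths contain spaces, so the path group is non-greedy and anchored on the verdict word.
_LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<count>\d+)$")

# What each category means for the person cleaning the machine (example wording).
ACTIONS = {
    "QUARANTINED": "already contained by another AV product; delete that product's quarantine folder",
    "MAILSTORE": "mail store; delete the offending message(s) in the mail client, not the file",
    "REMOTE_ADMIN": "legitimate remote-admin tool; keep only if you installed it knowingly",
    "RISKWARE": "adware/toolbar riskware; optional to delete",
    "SUSPICIOUS": "heuristic hit outside a mail store; review before deleting",
    "MALWARE": "malware; remove",
}


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str   # "Infected" or "Suspicious"
    name: str      # Kaspersky threat name
    count: int


def parse_report(text):
    """Extract every detection line from a Kaspersky Online Scanner report."""
    matches = (_LINE_RE.match(line.strip()) for line in text.splitlines())
    return [Detection(m["path"], m["verdict"], m["name"], int(m["count"]))
            for m in matches if m]


def classify(det):
    """Location is checked first: where the file sits decides what 'remove' would mean."""
    path = det.path.lower()
    name = det.name.lower()
    if "\\quarantine\\" in path:
        return "QUARANTINED"
    if path.endswith((".pst", ".ost", ".dbx", ".mbx")):
        return "MAILSTORE"
    if name.startswith("not-a-virus:"):
        return "REMOTE_ADMIN" if "remoteadmin" in name else "RISKWARE"
    if det.verdict == "Suspicious":
        return "SUSPICIOUS"
    return "MALWARE"


def summarize(detections):
    """Count detections per category."""
    counts = {}
    for det in detections:
        cat = classify(det)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def files_to_remove(detections):
    """Unique paths that actually need deleting, i.e. real malware outside special locations."""
    return sorted({det.path for det in detections if classify(det) == "MALWARE"})


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for det in dets:
        cat = classify(det)
        print("%-12s %s\n             %s" % (cat, det.path, ACTIONS[cat]))
    print("\nmust remove:", files_to_remove(dets) or "nothing")
```

Run over the report from this thread alone (drop the constructed last line), files_to_remove comes back empty, which is the same conclusion the reply reaches: nothing Kaspersky listed required deletion, and the quarantine folder and the downloads were a tidy-up rather than a disinfection.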

#13 wispa

wispa
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Female
  • Location:Australia
  • Local time:05:30 PM

Posted 11 June 2009 - 04:49 AM

Hello and thanks for your response.

I checked the JRE download and was surprised to see that I did download the update 14, as it was already sitting on my desktop, but then saw that I inadvertently ran a different file, v.13, which I had downloaded in May and was also sitting on my desktop, with the intention of updating and never did!!! So I obviously didn't check the name of the file too clearly and do apologise for that!

Anyway, v.14 is on now and I have deleted files as suggested. What do you suggest I do with the outlook.pst? Go through and delete all suspicious emails?

Here is my new DDS for you:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Chrissie at 19:27:47.20 on Thu 11/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.1042 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chrissie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/ig?hl=en
uSearch Page = hxxp://www.google.com.au/ig?hl=en
mStart Page = hxxp://www.google.com.au/ig?hl=en
uInternet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.* 127.*;<local>
uInternet Settings,ProxyServer = proxy.iprimus.com.au:8080
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [bacstray] BacsTray.exe
mRun: [FusionRemote] c:\program files\dvico\fusionhdtv\remote\FusionRc.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\chrissie\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag scrapbooks\agremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://games.bigfishgames.com/en_mysteryofsharkisla/online/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://gateway.frankston.vic.gov.au/vdesk/cachecleaner.cab#version=6030,2008,0904,1937
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/f5tunsrv.cab#version=6030,2009,327,1558
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/InstallerControl.cab#version=6030,2008,0904,1950
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/urTermProxy.cab#version=6020,2008,0717,1602
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - hxxps://firepass.frankston.vic.gov.au/vdesk/terminal/msrdp.cab#version=5,2,3790,0
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://acer.oberon-media.com/online/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://games.bigfishgames.com/en_big-city-adventure-sydney-australia/online/JBGamePlayer.cab
DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} - hxxp://expressit.broderbund.com/plugin/Download.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://acer.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://acer.oberon-media.com/online/online2/diner_dash/DinerDash.1.0.0.80.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://gateway.frankston.vic.gov.au/vdesk/terminal/urxhost.cab#version=6030,2009,327,1548
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrissie\applic~1\mozilla\firefox\profiles\60xmjbtu.default\
FF - plugin: c:\documents and settings\chrissie\application data\mozilla\firefox\profiles\60xmjbtu.default\extensions\{3191e4ce-790e-42be-b2e0-223475263b7e}\plugins\NPuroamCleaner.dll
FF - plugin: c:\documents and settings\chrissie\application data\mozilla\firefox\profiles\60xmjbtu.default\extensions\{dbbb3167-6e81-400f-bbfd-bd8921726f52}\plugins\NPuroamHost.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-14 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-9-1 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-27 298776]
R3 CX88VID;FusionHDTV 88x AvStream Video Capture;c:\windows\system32\drivers\zl88avs.sys [2008-1-16 336128]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [2006-7-16 26568]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-16 1174152]

=============== Created Last 30 ================

2009-06-11 19:25 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-07 11:49 <DIR> a-dshr-- C:\cmdcons
2009-06-07 11:47 161,792 a------- c:\windows\SWREG.exe
2009-06-07 11:47 154,624 a------- c:\windows\PEV.exe
2009-06-07 11:47 98,816 a------- c:\windows\sed.exe
2009-05-23 10:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-23 10:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-23 10:58 <DIR> --d----- c:\docume~1\chrissie\applic~1\SUPERAntiSpyware.com
2009-05-23 10:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-23 10:23 <DIR> --d----- c:\program files\SpywareBlaster
2009-05-20 22:45 644 a------- c:\windows\wininit.ini
2009-05-20 22:03 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-20 22:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-16 21:32 <DIR> --d----- c:\program files\Trend Micro
2009-05-14 18:48 <DIR> --d----- c:\docume~1\chrissie\applic~1\WinPatrol
2009-05-14 18:48 <DIR> --d----- c:\program files\BillP Studios

==================== Find3M ====================

2009-06-11 19:25 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-11 12:40 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-11 12:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-10 10:59 114,688 a------- C:\Fport.exe
2009-03-28 22:01 87,947 a------- c:\windows\hpoins06.dat
2009-03-28 15:47 23,332 a------- c:\windows\system32\emptyregdb.dat
2008-04-05 15:50 0 a------- c:\program files\temp01
2008-03-05 19:32 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 19:28:27.65 ===============

Thanks and cheers
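
The DDS log above is raw text that a responder reads by eye. As an added example (not part of the original post and not DDS's own tooling), the Python script below parses the three line shapes the log uses (the SERVICES / DRIVERS entries, the Created Last 30 / Find3M file entries, and the DPF entries) and flags what is usually worth a first look: loaded .sys drivers living outside c:\windows\system32\drivers, executables created within a window before the log run, executables sitting loose in c:\ or c:\windows, and ActiveX CABs fetched over plaintext http (DDS writes http as hxxp). The sample lines are copied from the log above; the flag names, the 14-day window, the extension list and the directory list are the example's own assumptions, and the run date is taken from the newest entry in the log. Flags are review prompts, not verdicts: the SUPERAntiSpyware driver and the c:\windows\SWREG.exe, PEV.exe and sed.exe files (left behind by ComboFix together with C:\cmdcons) are expected on this machine, which a script cannot know.

```python
"""Triage a DDS-style log (added example, not DDS's own tooling)."""
import re
from datetime import date, timedelta

# Sample lines copied from the log in the post above, mixed across sections,
# since every check here is line-based.
SAMPLE_LOG = r"""
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - hxxps://firepass.frankston.vic.gov.au/vdesk/terminal/msrdp.cab#version=5,2,3790,0
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-14 325896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-27 298776]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [2006-7-16 26568]
2009-06-11 19:25 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-07 11:49 <DIR> a-dshr-- C:\cmdcons
2009-06-07 11:47 161,792 a------- c:\windows\SWREG.exe
2009-05-23 10:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-10 10:59 114,688 a------- C:\Fport.exe
"""

# Line shapes as they appear in the log: "R1 name;description;path [date size]",
# "date time size attrs path", and "DPF: {CLSID} - target".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(?P<size><DIR>|[\d,]+)"
    r"\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")
DPF_RE = re.compile(r"^DPF:\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<target>.+)$")

EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")   # assumption: what counts as executable
LOOSE_DIRS = ("c:\\", "c:\\windows\\")                # assumption: loose-file locations worth a look
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def _parse_date(text):
    # DDS writes unpadded dates in service lines (2008-5-14) and padded ones elsewhere.
    y, m, d = (int(part) for part in text.split("-"))
    return date(y, m, d)


def _parent_dir(path):
    return path.lower().rsplit("\\", 1)[0] + "\\"


def triage(log_text, run_date, window_days=14):
    """Return (flag, subject) pairs for lines a responder should look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := SERVICE_RE.match(line)):
            path = m["path"]
            # A loaded (R*) kernel driver living outside the drivers directory.
            if (m["state"].startswith("R") and path.lower().endswith(".sys")
                    and not path.lower().startswith(DRIVER_DIR)):
                findings.append(("driver-outside-drivers-dir", path))
        elif (m := FILE_RE.match(line)):
            path = m["path"]
            if m["size"] == "<DIR>" or not path.lower().endswith(EXEC_EXT):
                continue
            age = run_date - _parse_date(m["date"])
            if age <= timedelta(days=window_days):
                findings.append(("recent-executable", path))
            if _parent_dir(path) in LOOSE_DIRS:
                findings.append(("loose-executable", path))
        elif (m := DPF_RE.match(line)):
            # DDS defangs http:// as hxxp://; a CAB pulled over plaintext is exposed to tampering in transit.
            if m["target"].lower().startswith("hxxp://"):
                findings.append(("plaintext-activex-cab", m["target"]))
    return findings


def sample_findings():
    """Run the triage over the sample, using the newest log entry (2009-06-11) as the run date."""
    return triage(SAMPLE_LOG, date(2009, 6, 11))


if __name__ == "__main__":
    for flag, subject in sample_findings():
        print(f"{flag:28} {subject}")
```

Feed it a whole DDS.txt with `triage(open("DDS.txt").read(), date.today())` and read the flagged lines against what you know was installed on purpose; everything else is where to start looking.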

#14 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:30 AM

Posted 11 June 2009 - 04:50 PM

Hello.

Anyway, v.14 is on now and I have deleted files as suggested. What do you suggest I do with the outlook.pst - go through and delete all suspicious emails??

I would empty all, or at least try to empty out all, e-mails you have received. I'm sure you can't delete ALL of them, but it would be best if you can at least remove most of them. I would be careful with mails that have attachments or unknown senders, and delete them. I cannot help you or tell you which specific file, as Kaspersky only told us that there are one or more infected mails in the Outlook program. If we delete that file, ALL of your mail and the Outlook mail file itself would be gone as well.

With that said, you will need to delete them manually.

Let me know how it goes or if you have any questions.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#15 wispa
  • Topic Starter
  • Members
  • 11 posts
  • Gender:Female
  • Location:Australia
  • Local time:05:30 PM

Posted 12 June 2009 - 06:00 AM

Thanks Extremeboy.

I have deleted most of the emails in that particular pst, so that should be gone now.

I then thought I would check to see if my USB memory stick would be picked up, and I was blown away because it did. Drive F appeared before my very eyes - YES!!! That has gotta be as a result of your help :-)

What would you suggest I do now? Do you think that my PC is clean now? I know one of the previous infections was rootkit.pakes, but I couldn't find much on that, so I wasn't sure how serious that was. Same with spyware.banker and trojan-spy.win32.agent.xxxx, which kept setting off the autochk.dll file. This particular file event kept getting picked up by Scotty WinPatrol every few minutes, but that hasn't happened since you have been helping me. Maybe because it's gone, or maybe because I stopped WinPatrol when running the virus checkers for ComboFix. I am not sure.

What I guess I am asking is whether I should trust my PC now and whether I can use online banking etc.

Thanks and cheers
