Problem with Backdoor.Win32.Agent.ahgv


11 replies to this topic

#1 Nickkin

Nickkin

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:59 PM

Posted 14 June 2009 - 12:20 AM

My F-Secure antivirus identified 25 viruses and was only able to quarantine two. Below are the F-Secure Antivirus report, DDS.txt and Attach.txt files. I hope someone can help me remove them. Thank you.

Scanning Report
14 June 2009 10:18:42 - 12:56:22
Scanning type: Perform full computer check
Target: C:\ D:\ + system + rootkits
Result: 25 malware found
Backdoor.Win32.Agent.ahgv (virus)
* C:\Documents and Settings\user\Local Settings\Temp\050.exe
* C:\Documents and Settings\user\Local Settings\Temp\123.exe
* C:\Documents and Settings\user\Local Settings\Temp\203.exe
* C:\Documents and Settings\user\Local Settings\Temp\286.exe
* C:\Documents and Settings\user\Local Settings\Temp\376.exe
* C:\Documents and Settings\user\Local Settings\Temp\524.exe
* C:\Documents and Settings\user\Local Settings\Temp\631.exe
* C:\Documents and Settings\user\Local Settings\Temp\802.exe
* C:\Documents and Settings\user\Local Settings\Temp\912.exe
* C:\Documents and Settings\user\Local Settings\Temp\928.exe
* C:\Documents and Settings\user\Local Settings\Temp\973.exe

Trojan-GameThief.Win32.OnLineGames.bktw (virus)
* C:\Documents and Settings\user\Local Settings\Temp\387.exe
* C:\Documents and Settings\user\Local Settings\Temp\455.exe
* C:\Documents and Settings\user\Local Settings\Temp\472.exe
* C:\Documents and Settings\user\Local Settings\Temp\566.exe
* C:\Documents and Settings\user\Local Settings\Temp\630.exe
* C:\Documents and Settings\user\Local Settings\Temp\636.exe
* C:\Documents and Settings\user\Local Settings\Temp\666.exe
* C:\Documents and Settings\user\Local Settings\Temp\732.exe
* C:\Documents and Settings\user\Local Settings\Temp\786.exe
* C:\Documents and Settings\user\Local Settings\Temp\794.exe
* C:\Documents and Settings\user\Local Settings\Temp\819.exe
* C:\Documents and Settings\user\Local Settings\Temp\942.exe

Backdoor.Win32.Agent (virus)
* Action: quarantined

Trojan-GameThief.Win32.OnLineGames (virus)
* Action: quarantined

Statistics
Scanned:
* Files: 64552
* Not scanned: 29

Result:
* Viruses: 25
* Spyware: 0
* Suspicious items: 0
* Riskware: 0

Actions:
* Disinfected: 0
* Renamed: 0
* Deleted: 0
* Quarantined: 2
* Failed: 0

Boot Sectors:
* Scanned: 2
* Infected: 0
* Suspicious items: 0
* Disinfected: 0

Files not scanned:
* Cannot open file (click here for more info) C:\PAGEFILE.SYS
* Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SAM
* Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\050.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\123.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\203.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\286.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\376.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\387.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\455.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\472.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\524.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\566.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\630.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\631.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\636.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\666.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\732.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\786.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\794.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\802.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\819.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\912.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\928.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\942.EXE
* Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\973.EXE

DDS.txt
----------

DDS (Ver_09-05-14.01) - NTFSx86
Run by user at 13:12:36.18 on Sun 06/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.953.389 [GMT 8:00]

AV: F-Secure Anti-Virus 2009 9.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://pc.toshiba-asia.com/registeronline/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Taskman=c:\recycler\s-1-5-21-7195200303-8735550056-445075691-8828\winmap32.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Toshiba Controls Utility] "c:\program files\toshiba\controls\VolumeIndicator.exe"
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [TPSMain] TPSMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [F-Secure Manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
StartupFolder: c:\docume~1\user\startm~1\programs\startup\remind~1.lnk - c:\program files\caere\omnipagepro90\ereg\REMIND32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\f-secure internet security\fsps\program\FSLSP.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\0198ldf7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-3-26 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-3-26 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure internet security\hips\drivers\fshs.sys [2009-3-26 66720]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure internet security\anti-virus\fsgk32st.exe [2009-3-26 215648]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-11-4 14336]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [2009-3-15 732160]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [2009-3-26 84608]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure internet security\orsp client\fsorsp.exe [2009-3-26 55904]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-9-7 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2008-5-2 6912]
S2 MKEMUSB;Panasonic Digital Palmcorder;c:\windows\system32\drivers\Mkemusb.sys [2009-3-28 14308]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;c:\windows\system32\drivers\Mkeusbi.sys [2009-3-28 16640]
S3 DCamUSBMke2;Panasonic USB Video Camera;c:\windows\system32\drivers\Mkeusbi2.sys [2009-3-28 15872]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-5-18 7680]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-9-7 288000]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-3-15 57408]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-5-18 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2009-5-18 104960]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys [2009-3-26 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys [2009-3-26 25184]

=============== Created Last 30 ================

2009-06-14 12:30 727 a------- C:\error.fstmp
2009-06-14 12:30 0 a------- C:\infect.fstmp
2009-06-11 22:48 <DIR> --d-h--- c:\windows\PIF
2009-06-11 11:38 <DIR> --d----- c:\program files\Trend Micro
2009-06-11 11:23 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-06-11 11:23 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 11:22 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-11 11:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 11:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-01 12:11 572 a------- c:\windows\maxlink.ini
2009-06-01 12:10 22 a------- c:\windows\OP70.INI
2009-06-01 12:10 299,520 a------- c:\windows\Uninsop9.exe
2009-06-01 12:10 97,280 a------- c:\windows\system32\opshel32.dll
2009-06-01 12:10 44,032 a------- c:\windows\OP9Deins.exe
2009-06-01 12:09 <DIR> --d----- c:\windows\Pixtran
2009-06-01 12:09 <DIR> --d----- c:\program files\common files\Caere
2009-06-01 12:09 <DIR> --d----- c:\program files\Caere
2009-06-01 12:08 <DIR> --d----- c:\program files\Canon
2009-06-01 12:08 304,128 a------- c:\windows\IsUninst.exe
2009-06-01 12:08 299,520 a------- c:\windows\uninst.exe
2009-06-01 12:08 <DIR> --d----- c:\documents and settings\user\WINDOWS
2009-06-01 12:07 323,644 a----r-- c:\windows\system32\UCS32P.DLL
2009-06-01 12:07 339,968 a----r-- c:\windows\system32\N067UFW.dll
2009-06-01 12:07 28,720 a----r-- c:\windows\system32\SG62CPL.DLL
2009-06-01 12:07 114,688 a----r-- c:\windows\system32\SG62UUD.DLL
2009-06-01 12:07 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-06-01 12:07 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-05-25 10:34 <DIR> --d----- c:\program files\MetaTrader - FXOpen2
2009-05-18 13:35 110,080 a----r-- c:\windows\system32\drivers\ZTEusbnet.sys
2009-05-18 13:35 104,960 a----r-- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2009-05-18 13:35 104,960 a----r-- c:\windows\system32\drivers\zteusbvoice.sys
2009-05-18 13:35 105,344 a----r-- c:\windows\system32\drivers\ZTEusbnmea.sys
2009-05-18 13:35 104,960 a----r-- c:\windows\system32\drivers\ZTEusbser6k.sys
2009-05-18 13:35 <DIR> --d----- c:\docume~1\user\applic~1\Vodafone
2009-05-18 13:35 7,680 a----r-- c:\windows\system32\drivers\massfilter.sys
2009-05-18 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Vodafone
2009-05-18 13:34 <DIR> --d----- c:\program files\Vodafone

==================== Find3M ====================

2009-05-07 23:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 12:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 12:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-27 11:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-17 20:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 22:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 13:13:51.51 ===============


Attach.txt
-----------

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/7/2008 12:22:02 PM
System Uptime: 6/14/2009 8:52:20 AM (5 hours ago)

Motherboard: TOSHIBA | | Satellite L310
Processor: Intel® Core™2 Duo CPU T5800 @ 2.00GHz | U2E1 | 1994/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 121 GiB total, 99.224 GiB free.
D: is FIXED (NTFS) - 112 GiB total, 105.444 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® Wireless WiFi Link 5100
Device ID: PCI\VEN_8086&DEV_4232&SUBSYS_12018086&REV_00\4&2BCEBCDB&0&00E5
Manufacturer: Intel Corporation
Name: Intel® Wireless WiFi Link 5100
PNP Device ID: PCI\VEN_8086&DEV_4232&SUBSYS_12018086&REV_00\4&2BCEBCDB&0&00E5
Service: NETw5x32

==== System Restore Points ===================

RP34: 3/15/2009 6:05:46 PM - Installed REALTEK RTL8187B Wireless LAN Driver
RP35: 3/15/2009 6:06:56 PM - Installed Atheros Driver Installation Program
RP36: 3/15/2009 6:08:40 PM - Installed Atheros Driver Installation Program
RP37: 3/15/2009 6:09:49 PM - Installed Marvell Miniport Driver
RP38: 3/15/2009 6:30:21 PM - Software Distribution Service 3.0
RP39: 3/16/2009 11:49:04 AM - Installed Windows Media Player 11
RP40: 3/16/2009 11:49:39 AM - Installed Windows XP Wudf01000.
RP41: 3/16/2009 11:51:15 AM - Installed Windows XP MSCompPackV1.
RP42: 3/16/2009 11:51:29 AM - Installed Windows XP KB926239.
RP43: 3/16/2009 12:03:29 PM - Installed Windows XP Service Pack 3.
RP44: 3/16/2009 12:13:19 PM - Installed Windows XP KB950762.
RP45: 3/16/2009 12:13:51 PM - Installed Windows XP KB951066.
RP46: 3/16/2009 12:14:26 PM - Installed Windows XP KB951376-v2.
RP47: 3/16/2009 12:15:00 PM - Installed Windows XP KB951748.
RP48: 3/16/2009 12:15:33 PM - Installed Windows XP KB952287.
RP49: 3/16/2009 12:16:02 PM - Installed Windows XP KB954211.
RP50: 3/16/2009 12:16:35 PM - Installed Windows XP KB954600.
RP51: 3/16/2009 12:17:04 PM - Installed Windows XP KB955069.
RP52: 3/16/2009 12:17:37 PM - Installed Windows XP KB956802.
RP53: 3/16/2009 12:18:06 PM - Installed Windows XP KB956803.
RP54: 3/16/2009 12:18:36 PM - Installed Windows XP KB956841.
RP55: 3/16/2009 12:19:12 PM - Installed Windows XP KB957095.
RP56: 3/16/2009 12:19:41 PM - Installed Windows XP KB957097.
RP57: 3/16/2009 12:20:09 PM - Installed Windows XP KB958644.
RP58: 3/16/2009 12:42:24 PM - Software Distribution Service 3.0
RP59: 3/26/2009 12:35:21 PM - System Checkpoint
RP60: 3/26/2009 12:36:29 PM - Avira AntiVir Personal - 3/26/2009 12:36
RP61: 3/26/2009 1:16:50 PM - is 9.00 build 149 Installation
RP62: 3/26/2009 1:22:06 PM - Installed WinZip 12.0
RP63: 3/26/2009 1:57:55 PM - Installed EndNote X2
RP64: 3/26/2009 2:51:05 PM - is 9.00 build 149 Installation
RP65: 3/26/2009 3:49:06 PM - Software Distribution Service 3.0
RP66: 3/28/2009 11:43:08 AM - Installed USB Device Driver 3.00P
RP67: 3/28/2009 11:48:45 AM - Unsigned driver install
RP68: 3/30/2009 11:26:41 AM - Installed QuickTime
RP69: 3/30/2009 3:05:23 PM - Installed PowerProducer
RP70: 3/31/2009 9:30:38 AM - Installed Windows XP KB958644.
RP71: 3/31/2009 5:08:54 PM - Software Distribution Service 3.0
RP72: 4/1/2009 9:26:01 AM - Installed Microsoft Office XP Professional with FrontPage
RP73: 4/1/2009 5:13:20 PM - Software Distribution Service 3.0
RP74: 4/2/2009 4:23:13 PM - Removed Microsoft Office XP Professional with FrontPage
RP75: 4/15/2009 9:33:01 AM - System Checkpoint
RP76: 4/16/2009 10:16:20 AM - System Checkpoint
RP77: 4/19/2009 2:23:19 PM - System Checkpoint
RP78: 4/19/2009 5:09:00 PM - Software Distribution Service 3.0
RP79: 4/27/2009 11:18:57 AM - Installed Java™ 6 Update 13
RP80: 4/28/2009 11:52:00 AM - System Checkpoint
RP81: 4/29/2009 3:11:09 PM - Printer Driver Canon iP1200 Installed
RP82: 5/4/2009 3:19:01 PM - System Checkpoint
RP83: 5/10/2009 10:48:39 AM - System Checkpoint
RP84: 5/12/2009 11:12:38 AM - System Checkpoint
RP85: 5/14/2009 7:25:12 AM - Software Distribution Service 3.0
RP86: 5/18/2009 1:09:22 PM - System Checkpoint
RP87: 5/18/2009 1:34:15 PM - Installed Vodafone Mobile Connect Lite.
RP88: 5/20/2009 11:00:05 AM - System Checkpoint
RP89: 5/24/2009 11:12:01 AM - System Checkpoint
RP90: 5/24/2009 1:05:13 PM - Printer Driver Canon iP1200 Installed
RP91: 5/26/2009 11:30:40 AM - System Checkpoint
RP92: 6/1/2009 12:10:48 PM - Installed Scan Manager 5.2
RP93: 6/5/2009 6:46:06 PM - System Checkpoint
RP94: 6/10/2009 6:37:07 PM - System Checkpoint
RP95: 6/10/2009 7:14:48 PM - Software Distribution Service 3.0
RP96: 6/11/2009 2:49:25 PM - Software Distribution Service 3.0
RP97: 6/12/2009 7:35:13 AM - Software Distribution Service 3.0
RP98: 6/14/2009 9:08:03 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Advanced SystemCare 3
Aleo Flash Intro Banner Maker 2.9
Apple Software Update
Atheros Driver Installation Program
Banner Maker Pro Version 7
Bluetooth Stack for Windows by Toshiba
Camera Assistant Software for Toshiba
Canon iP1200
Canon ScanGear Toolbox 3.0
CCleaner (remove only)
Conexant HD Audio
Core FTP LE 2.1
Critical Update for Windows Media Player 11 (KB959772)
CyberLink PowerProducer
Defraggler (remove only)
Easy GIF Animator 4.8
EndNote X2
F-Secure Anti-Virus 2009
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel® Graphics Media Accelerator Driver
ISI ResearchSoft - Export Helper
Java™ 6 Update 13
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Malwarebytes' Anti-Malware
Marvell Miniport Driver
MetaTrader - FXOpen 4.00
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
MSN
MSXML 4.0 SP2 (KB954430)
Nero 7 Essentials
neroxml
OANDA FXTrade
OmniPage Pro 9.0
QuickTime
REALTEK RTL8187B Wireless LAN Driver
Scan Manager 5.2
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
TOSHIBA Assist
TOSHIBA ConfigFree
Toshiba Controls Utility
Toshiba Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Utility
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Device Driver 3.00P
Vodafone Mobile Connect Lite
WebFldrs XP
Winamp
Windows Driver Package - Intel (NETw5x32) net (04/27/2008 12.0.0.73)
Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip 12.0
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

6/8/2009 2:50:37 PM, error: Dhcp [1002] - The IP address lease 10.164.220.56 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.141.238.173 (The DHCP Server sent a DHCPNACK message).
6/7/2009 8:26:05 AM, error: Dhcp [1002] - The IP address lease 10.164.151.201 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.58.122.245 (The DHCP Server sent a DHCPNACK message).
6/14/2009 12:22:55 PM, error: F-Secure Gatekeeper [1] -
6/13/2009 11:08:47 AM, error: Dhcp [1002] - The IP address lease 10.141.202.188 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.176.33.233 (The DHCP Server sent a DHCPNACK message).
6/12/2009 9:57:19 PM, error: Dhcp [1002] - The IP address lease 10.164.4.157 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.58.222.193 (The DHCP Server sent a DHCPNACK message).
6/12/2009 9:55:19 PM, error: Dhcp [1002] - The IP address lease 10.164.244.94 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.164.4.158 (The DHCP Server sent a DHCPNACK message).
6/12/2009 9:52:44 PM, error: Dhcp [1002] - The IP address lease 10.141.163.37 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.164.244.93 (The DHCP Server sent a DHCPNACK message).
6/12/2009 7:42:50 AM, error: Dhcp [1002] - The IP address lease 10.176.146.220 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.58.239.101 (The DHCP Server sent a DHCPNACK message).
6/12/2009 2:46:43 PM, error: Dhcp [1002] - The IP address lease 10.58.102.47 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.141.152.54 (The DHCP Server sent a DHCPNACK message).
6/12/2009 11:33:51 PM, error: Dhcp [1002] - The IP address lease 10.58.222.192 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.58.197.38 (The DHCP Server sent a DHCPNACK message).
6/11/2009 8:02:40 AM, error: Service Control Manager [7000] - The Panasonic Digital Palmcorder service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
6/11/2009 12:54:05 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
6/11/2009 1:06:55 PM, error: PlugPlayManager [11] - The device Root\LEGACY_FSBL\0000 disappeared from the system without first being prepared for removal.
6/10/2009 9:21:38 AM, error: Dhcp [1002] - The IP address lease 10.164.52.168 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.176.171.73 (The DHCP Server sent a DHCPNACK message).
6/10/2009 11:13:37 AM, error: Dhcp [1002] - The IP address lease 10.58.228.223 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.164.201.198 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================


#2 sempai
    noypi
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:59 AM

Posted 22 June 2009 - 05:02 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Nickkin
  • Topic Starter
  • Members
  • 27 posts
  • Local time:04:59 PM

Posted 22 June 2009 - 11:56 PM

Thank you for your response. My computer is still infected. I always receive a warning from F-Secure antivirus but it can't remove the virus. The computer is running slow & it seems like some program is running all the time, as the hard drive light is always blinking. Below is the latest result of the DDS scan. I have also attached the attach.txt file as requested.

DDS (Ver_09-05-14.01) - NTFSx86
Run by user at 12:48:58.51 on Tue 06/23/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.953.413 [GMT 8:00]

AV: F-Secure Anti-Virus 2009 9.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Nero\Nero 7\Core\nero.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://pc.toshiba-asia.com/registeronline/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Taskman=c:\recycler\s-1-5-21-7195200303-8735550056-445075691-8828\winmap32.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Toshiba Controls Utility] "c:\program files\toshiba\controls\VolumeIndicator.exe"
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [TPSMain] TPSMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [F-Secure Manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\remind~1.lnk - c:\program files\caere\omnipagepro90\ereg\REMIND32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\f-secure internet security\fsps\program\FSLSP.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\0198ldf7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-3-26 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-3-26 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure internet security\hips\drivers\fshs.sys [2009-3-26 66720]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/06/21 13:48:26];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [2007-9-6 5504]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure internet security\anti-virus\fsgk32st.exe [2009-3-26 215648]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-11-4 14336]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [2009-3-15 732160]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [2009-3-26 84608]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure internet security\orsp client\fsorsp.exe [2009-3-26 55904]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-9-7 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2008-5-2 6912]
S2 MKEMUSB;Panasonic Digital Palmcorder;c:\windows\system32\drivers\Mkemusb.sys [2009-3-28 14308]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;c:\windows\system32\drivers\Mkeusbi.sys [2009-3-28 16640]
S3 DCamUSBMke2;Panasonic USB Video Camera;c:\windows\system32\drivers\Mkeusbi2.sys [2009-3-28 15872]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-5-18 7680]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-9-7 288000]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-3-15 57408]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-5-18 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2009-5-18 104960]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys [2009-3-26 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys [2009-3-26 25184]

=============== Created Last 30 ================

2009-06-23 12:30 644 a------- C:\error.fstmp
2009-06-23 12:30 0 a------- C:\infect.fstmp
2009-06-21 13:47 <DIR> --d----- c:\program files\common files\CyberLink
2009-06-21 13:45 29,480 a------- c:\windows\system32\msxml3a.dll
2009-06-18 08:49 <DIR> --d----- c:\program files\AdvancedDVDPlayer
2009-06-17 14:39 0 a------- c:\windows\Cover.INI
2009-06-17 14:39 0 a------- c:\windows\VDVD.INI
2009-06-17 14:39 0 a------- c:\windows\avvcnvrt.INI
2009-06-17 14:39 0 a------- c:\windows\VMorpher.INI
2009-06-17 14:37 29 a------- c:\windows\AVFTP.INI
2009-06-16 18:01 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-06-16 16:31 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-16 16:31 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-16 16:31 <DIR> --d----- c:\windows\ie8updates
2009-06-16 16:30 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-16 16:28 <DIR> -cd-h--- c:\windows\ie8
2009-06-11 22:48 <DIR> --d-h--- c:\windows\PIF
2009-06-11 11:38 <DIR> --d----- c:\program files\Trend Micro
2009-06-11 11:23 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-06-11 11:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 11:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-01 12:11 572 a------- c:\windows\maxlink.ini
2009-06-01 12:10 22 a------- c:\windows\OP70.INI
2009-06-01 12:10 299,520 a------- c:\windows\Uninsop9.exe
2009-06-01 12:10 97,280 a------- c:\windows\system32\opshel32.dll
2009-06-01 12:10 44,032 a------- c:\windows\OP9Deins.exe
2009-06-01 12:09 <DIR> --d----- c:\windows\Pixtran
2009-06-01 12:09 <DIR> --d----- c:\program files\common files\Caere
2009-06-01 12:09 <DIR> --d----- c:\program files\Caere
2009-06-01 12:08 <DIR> --d----- c:\program files\Canon
2009-06-01 12:08 304,128 a------- c:\windows\IsUninst.exe
2009-06-01 12:08 299,520 a------- c:\windows\uninst.exe
2009-06-01 12:08 <DIR> --d----- c:\documents and settings\user\WINDOWS
2009-06-01 12:07 323,644 a----r-- c:\windows\system32\UCS32P.DLL
2009-06-01 12:07 339,968 a----r-- c:\windows\system32\N067UFW.dll
2009-06-01 12:07 28,720 a----r-- c:\windows\system32\SG62CPL.DLL
2009-06-01 12:07 114,688 a----r-- c:\windows\system32\SG62UUD.DLL
2009-06-01 12:07 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-06-01 12:07 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-05-25 10:34 <DIR> --d----- c:\program files\MetaTrader - FXOpen2

==================== Find3M ====================

2009-05-13 13:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 23:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-27 11:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-17 20:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 22:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-16 12:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031620090317\index.dat

============= FINISH: 12:49:24.79 ===============



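An added example, not part of this thread and not code from DDS, ComboFix or F-Secure: the Python script below applies to a Pseudo HJT Report the checks a helper does by eye on the log above. It flags a Winlogon Taskman hook (a clean XP install has none), Shell or Userinit values that are not the Windows defaults, executables started from RECYCLER or a Temp directory, and paths that embed a SID that cannot exist. The last check rests on the SID format itself: every sub-authority is a 32-bit value, so a RECYCLER folder named S-1-5-21-7195200303-8735550056-445075691-8828, whose ten-digit sub-authorities exceed 4294967295, belongs to no real profile. The sample lines are constructed, modelled on the DDS log above; the [Updater] Temp-directory entry is an invented stand-in for the droppers F-Secure reported, and the file name dds_triage.py is an assumption.

```python
"""Triage DDS-style autostart lines for the tell-tale signs seen in this thread.

Added example for this thread; it is not DDS, ComboFix or F-Secure code.
Heuristics (assumptions, see the lead-in):
  * any Winlogon Taskman hook, or a Shell/Userinit value that is not the
    Windows default, is reported;
  * executables launched from RECYCLER/RECYCLED or a Temp directory are reported;
  * a SID embedded in a path is checked against the SID format (revision 1,
    48-bit authority, at most 15 sub-authorities of 32 bits each).
"""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample modelled on the "Pseudo HJT Report" of the DDS log above.
# The Taskman line reuses that log's shape and SID; the [Updater] line is an
# invented entry standing in for the Temp-directory droppers F-Secure listed.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-7195200303-8735550056-445075691-8828\winmap32.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Updater] c:\documents and settings\user\local settings\temp\050.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
"""

WINLOGON_RE = re.compile(r"^[a-z]*winlogon:\s*(\w+)=(.*)$", re.IGNORECASE)
# First drive-letter path on the line, cut at its file extension so that
# surrounding quotes and trailing arguments (e.g. "... /START") are left out.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr|com|pif|bat|cmd|sys)\b", re.IGNORECASE)
SID_RE = re.compile(r"(?<!\w)s-1-\d+(?:-\d+)+", re.IGNORECASE)
# Directories from which nothing legitimate should be launched at logon.
SUSPECT_DIRS = ("\\recycler\\", "\\recycled\\", "\\local settings\\temp\\", "\\windows\\temp\\")

MAX_SUBAUTHORITY = 0xFFFFFFFF        # sub-authorities are 32-bit unsigned
MAX_AUTHORITY = 0xFFFFFFFFFFFF       # identifier authority is 48-bit
MAX_SUBAUTHORITY_COUNT = 15          # SID_MAX_SUB_AUTHORITIES


def sid_is_plausible(sid: str) -> bool:
    """True if the textual SID obeys the binary SID format limits.
    A RECYCLER folder whose SID cannot exist cannot belong to a real profile."""
    parts = sid.lower().split("-")
    if len(parts) < 3 or parts[0] != "s" or parts[1] != "1":
        return False
    try:
        authority = int(parts[2])
        subauths = [int(p) for p in parts[3:]]
    except ValueError:
        return False
    if authority > MAX_AUTHORITY or len(subauths) > MAX_SUBAUTHORITY_COUNT:
        return False
    return all(0 <= s <= MAX_SUBAUTHORITY for s in subauths)


def extract_path(text: str) -> Optional[str]:
    """Pull the first executable/DLL path out of a DDS line, if any."""
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def triage_line(line: str) -> List[str]:
    """Reasons this line deserves a closer look; an empty list means none fired."""
    reasons: List[str] = []
    text = line.strip()
    if not text:
        return reasons
    m = WINLOGON_RE.match(text)
    if m:
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "taskman":
            reasons.append("Winlogon Taskman hook is set (absent on a clean XP install)")
        elif key == "shell" and value != "explorer.exe":
            reasons.append("Winlogon Shell is %r, expected 'explorer.exe'" % value)
        elif key == "userinit" and not value.rstrip(",").endswith("\\system32\\userinit.exe"):
            reasons.append("Winlogon Userinit is %r, expected <system32>\\userinit.exe" % value)
    path = extract_path(text)
    if path:
        low = path.lower()
        for directory in SUSPECT_DIRS:
            if directory in low:
                reasons.append("executable launched from %s" % directory.strip("\\"))
                break
        for sid in SID_RE.findall(low):
            if not sid_is_plausible(sid):
                reasons.append("path contains a malformed SID: %s" % sid.upper())
    return reasons


def triage(report: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole DDS report; keep only the flagged lines."""
    findings = []
    for line in report.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    # Usage: python dds_triage.py [dds.txt]; without a file the built-in sample runs.
    report = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_DDS
    for flagged, why in triage(report):
        print(flagged)
        for reason in why:
            print("   -> " + reason)
```

Run against a saved dds.txt it prints only the flagged lines with the reason beside each; on the sample it reports the Taskman entry three times over (Winlogon hook, RECYCLER path, malformed SID) and the Temp-directory Run entry once. These are heuristics: no Taskman finding does not mean a clean machine, and a legitimate installer can leave a Run entry in Temp, so treat a hit as a prompt to pull the file for analysis rather than as a verdict.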
#4 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:12:59 AM

Posted 23 June 2009 - 12:13 PM

Hi there,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 Nickkin
  • Topic Starter
  • Members
  • 27 posts
  • Local time:04:59 PM

Posted 24 June 2009 - 12:05 AM

Below is the ComboFix log.txt after I ran it & the ComboFix.txt file is uploaded as an attachment.


ComboFix 09-06-23.01 - user 06/24/2009 12:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.953.629 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: F-Secure Anti-Virus 2009 9.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-5927217005-7923537170-584871498-7631
c:\recycler\S-1-5-21-7195200303-8735550056-445075691-8828
c:\recycler\S-1-5-21-5927217005-7923537170-584871498-7631\Desktop.ini
c:\recycler\S-1-5-21-7195200303-8735550056-445075691-8828\Desktop.ini
c:\recycler\S-1-5-21-7195200303-8735550056-445075691-8828\winmap32.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 06:24 . 2009-06-23 06:24 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-21 05:54 . 2009-06-23 02:12 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Cyberlink
2009-06-21 05:47 . 2009-06-21 05:47 -------- d-----w- c:\program files\Common Files\CyberLink
2009-06-21 05:45 . 2009-06-21 05:44 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-06-21 05:44 . 2009-06-21 05:44 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2009-06-18 00:49 . 2009-06-21 06:05 -------- d-----w- c:\program files\AdvancedDVDPlayer
2009-06-16 10:01 . 2009-06-16 10:01 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-06-16 08:31 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-16 08:31 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-16 08:31 . 2009-06-16 08:31 -------- d-----w- c:\windows\ie8updates
2009-06-16 08:30 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-16 08:28 . 2009-06-16 08:30 -------- dc-h--w- c:\windows\ie8
2009-06-11 14:48 . 2009-06-11 14:48 -------- d--h--w- c:\windows\PIF
2009-06-11 03:38 . 2009-06-11 03:38 -------- d-----w- c:\program files\Trend Micro
2009-06-11 03:23 . 2009-06-11 03:23 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-06-11 03:22 . 2009-06-21 06:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 03:22 . 2009-06-11 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-01 04:17 . 2009-06-01 04:17 -------- d-----w- c:\documents and settings\user\Application Data\Canon
2009-06-01 04:10 . 1998-10-16 01:45 44032 ----a-w- c:\windows\OP9Deins.exe
2009-06-01 04:10 . 1998-10-12 10:13 97280 ----a-w- c:\windows\system32\opshel32.dll
2009-06-01 04:10 . 1998-10-12 10:08 299520 ----a-w- c:\windows\Uninsop9.exe
2009-06-01 04:09 . 2009-06-01 04:10 -------- d-----w- c:\program files\Common Files\Caere
2009-06-01 04:09 . 2009-06-01 04:09 -------- d-----w- c:\windows\Pixtran
2009-06-01 04:09 . 2009-06-01 04:09 -------- d-----w- c:\program files\Caere
2009-06-01 04:08 . 2009-06-01 04:08 -------- d-----w- c:\program files\Canon
2009-06-01 04:08 . 1998-01-23 04:22 304128 ----a-w- c:\windows\IsUninst.exe
2009-06-01 04:08 . 1997-04-08 12:08 299520 ----a-w- c:\windows\uninst.exe
2009-06-01 04:08 . 2009-06-01 04:08 -------- d-----w- c:\documents and settings\user\WINDOWS
2009-06-01 04:07 . 2001-12-11 09:12 323644 ----a-r- c:\windows\system32\UCS32P.DLL
2009-06-01 04:07 . 2001-09-21 01:01 339968 ----a-r- c:\windows\system32\N067UFW.dll
2009-06-01 04:07 . 2001-12-11 09:12 28720 ----a-r- c:\windows\system32\SG62CPL.DLL
2009-06-01 04:07 . 2001-12-11 09:12 114688 ----a-r- c:\windows\system32\SG62UUD.DLL
2009-06-01 04:07 . 2008-04-13 16:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-06-01 04:07 . 2008-04-13 16:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 04:12 . 2009-03-26 06:01 -------- d-----w- c:\documents and settings\user\Application Data\EndNote
2009-06-23 06:25 . 2009-04-27 03:19 -------- d-----w- c:\program files\Java
2009-06-22 08:15 . 2009-04-15 05:36 -------- d-----w- c:\program files\MetaTrader - FXOpen
2009-06-21 06:09 . 2009-05-25 02:34 -------- d-----w- c:\program files\MetaTrader - FXOpen2
2009-06-21 05:54 . 2009-03-30 07:08 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-06-21 05:54 . 2009-03-30 07:08 -------- d-----w- c:\documents and settings\user\Application Data\CyberLink
2009-06-21 05:47 . 2008-09-07 05:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 05:45 . 2009-03-30 07:06 -------- d-----w- c:\program files\CyberLink
2009-06-21 05:44 . 2009-03-30 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2009-06-21 02:31 . 2009-03-26 05:16 -------- d-----w- c:\program files\F-Secure Internet Security
2009-06-15 01:57 . 2009-04-15 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-31 02:21 . 2009-04-07 07:03 -------- d-----w- c:\program files\Html2Php Magic
2009-05-24 05:04 . 2009-05-24 05:04 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-05-21 03:33 . 2009-04-27 03:19 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-18 05:35 . 2009-05-18 05:35 -------- d-----w- c:\documents and settings\user\Application Data\Vodafone
2009-05-18 05:35 . 2009-05-18 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-05-18 05:35 . 2009-05-18 05:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\Vodafone
2009-05-18 05:34 . 2009-05-18 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Vodafone
2009-05-18 05:34 . 2009-05-18 05:34 -------- d-----w- c:\program files\Vodafone
2009-05-18 05:34 . 2008-09-07 05:05 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-14 07:25 . 2009-04-05 05:59 -------- d-----w- c:\program files\CoreFTP
2009-05-14 07:25 . 2009-03-31 08:04 -------- d-----w- c:\program files\CoffeeCup Software
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-28 12:47 . 2008-09-07 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-27 03:18 . 2009-04-27 03:18 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-30 07:08 . 2008-09-07 06:48 74320 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-30 07:05 . 2009-03-30 07:05 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe
2009-03-26 06:51 . 2009-03-26 06:51 33408 ----a-w- c:\windows\system32\drivers\fsbts.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"Toshiba Controls Utility"="c:\program files\TOSHIBA\Controls\VolumeIndicator.exe" [2008-05-02 77824]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2008-05-02 1773568]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-04 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-04 141848]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2008-10-14 182936]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-10-14 957024]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-11-04 2087424]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-04-27 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-05-07 75048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2008-01-28 268152]

c:\documents and settings\user\Start Menu\Programs\Startup\
reminder-ScanSoft Product Registration.lnk - c:\program files\Caere\OmniPagePro90\EREG\REMIND32.EXE [2009-6-1 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-1-25 2938184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [3/26/2009 2:51 PM 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [3/26/2009 2:51 PM 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [3/26/2009 2:51 PM 66720]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/06/21 13:48];c:\program files\CyberLink\PowerDVD9\000.fcl [5/7/2009 9:05 PM 87536]
R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [9/6/2007 6:15 PM 5504]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [11/4/2008 11:39 AM 14336]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [3/15/2009 6:03 PM 732160]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [3/26/2009 2:51 PM 84608]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [3/26/2009 2:51 PM 55904]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [9/7/2008 1:07 PM 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [5/2/2008 1:41 PM 6912]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [5/18/2009 1:35 PM 7680]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [9/7/2008 1:04 PM 288000]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [3/15/2009 6:07 PM 57408]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [5/18/2009 1:35 PM 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [5/18/2009 1:35 PM 104960]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [3/26/2009 2:51 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [3/26/2009 2:51 PM 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2009-06-24 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-SECU~1\ANTI-V~1\fsav.exe [2009-03-26 13:00]

2009-06-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 14:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://pc.toshiba-asia.com/registeronline/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 12:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(796)
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
.
Completion time: 2009-06-24 13:00
ComboFix-quarantined-files.txt 2009-06-24 05:00

Pre-Run: 107,427,737,600 bytes free
Post-Run: 107,479,781,376 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

193 --- E O F --- 2009-06-16 08:32


#6 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 24 June 2009 - 11:08 AM

Hi,

Instead of posting the ComboFix log twice you should have posted a fresh dds.txt log. Could you post it, please? :thumbup2:

Microsoft Windows Insider MVP 2016

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 Nickkin (Topic Starter, Members, 27 posts)

Posted 24 June 2009 - 09:42 PM

Sorry for that. This is the latest DDS.txt log. I ran F-Secure this morning and there are no more viruses detected. Possibly ComboFix has already removed it. However, please take a look at the report just in case there are still suspicious items. Thank you.


DDS (Ver_09-05-14.01) - NTFSx86
Run by user at 10:37:58.84 on Thu 06/25/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.953.310 [GMT 8:00]

AV: F-Secure Anti-Virus 2009 9.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\MetaTrader - FXOpen\terminal.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://pc.toshiba-asia.com/registeronline/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Toshiba Controls Utility] "c:\program files\toshiba\controls\VolumeIndicator.exe"
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [TPSMain] TPSMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [F-Secure Manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\remind~1.lnk - c:\program files\caere\omnipagepro90\ereg\REMIND32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\f-secure internet security\fsps\program\FSLSP.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\0198ldf7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-3-26 33408]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-3-26 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure internet security\hips\drivers\fshs.sys [2009-3-26 66720]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/06/21 13:48:26];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [2007-9-6 5504]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure internet security\anti-virus\fsgk32st.exe [2009-3-26 215648]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-11-4 14336]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [2009-3-15 732160]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [2009-3-26 84608]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure internet security\orsp client\fsorsp.exe [2009-3-26 55904]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-9-7 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2008-5-2 6912]
S2 MKEMUSB;Panasonic Digital Palmcorder;c:\windows\system32\drivers\Mkemusb.sys [2009-3-28 14308]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;c:\windows\system32\drivers\Mkeusbi.sys [2009-3-28 16640]
S3 DCamUSBMke2;Panasonic USB Video Camera;c:\windows\system32\drivers\Mkeusbi2.sys [2009-3-28 15872]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-5-18 7680]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-9-7 288000]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-3-15 57408]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-5-18 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2009-5-18 104960]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys [2009-3-26 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys [2009-3-26 25184]

=============== Created Last 30 ================

2009-06-24 12:59 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-24 12:56 <DIR> a-dshr-- C:\cmdcons
2009-06-24 12:55 161,792 a------- c:\windows\SWREG.exe
2009-06-24 12:55 155,136 a------- c:\windows\PEV.exe
2009-06-24 12:55 98,816 a------- c:\windows\sed.exe
2009-06-24 12:54 <DIR> --ds---- C:\ComboFix
2009-06-21 13:47 <DIR> --d----- c:\program files\common files\CyberLink
2009-06-21 13:45 29,480 a------- c:\windows\system32\msxml3a.dll
2009-06-18 08:49 <DIR> --d----- c:\program files\AdvancedDVDPlayer
2009-06-17 14:39 0 a------- c:\windows\Cover.INI
2009-06-17 14:39 0 a------- c:\windows\VDVD.INI
2009-06-17 14:39 0 a------- c:\windows\avvcnvrt.INI
2009-06-17 14:39 0 a------- c:\windows\VMorpher.INI
2009-06-17 14:37 29 a------- c:\windows\AVFTP.INI
2009-06-16 18:01 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-06-16 16:31 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-16 16:31 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-16 16:31 <DIR> --d----- c:\windows\ie8updates
2009-06-16 16:30 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-16 16:28 <DIR> -cd-h--- c:\windows\ie8
2009-06-11 22:48 <DIR> --d-h--- c:\windows\PIF
2009-06-11 11:38 <DIR> --d----- c:\program files\Trend Micro
2009-06-11 11:23 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-06-11 11:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 11:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-01 12:11 572 a------- c:\windows\maxlink.ini
2009-06-01 12:10 22 a------- c:\windows\OP70.INI
2009-06-01 12:10 299,520 a------- c:\windows\Uninsop9.exe
2009-06-01 12:10 97,280 a------- c:\windows\system32\opshel32.dll
2009-06-01 12:10 44,032 a------- c:\windows\OP9Deins.exe
2009-06-01 12:09 <DIR> --d----- c:\windows\Pixtran
2009-06-01 12:09 <DIR> --d----- c:\program files\common files\Caere
2009-06-01 12:09 <DIR> --d----- c:\program files\Caere
2009-06-01 12:08 <DIR> --d----- c:\program files\Canon
2009-06-01 12:08 304,128 a------- c:\windows\IsUninst.exe
2009-06-01 12:08 299,520 a------- c:\windows\uninst.exe
2009-06-01 12:08 <DIR> --d----- c:\documents and settings\user\WINDOWS
2009-06-01 12:07 323,644 a----r-- c:\windows\system32\UCS32P.DLL
2009-06-01 12:07 339,968 a----r-- c:\windows\system32\N067UFW.dll
2009-06-01 12:07 28,720 a----r-- c:\windows\system32\SG62CPL.DLL
2009-06-01 12:07 114,688 a----r-- c:\windows\system32\SG62UUD.DLL
2009-06-01 12:07 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-06-01 12:07 15,104 a------- c:\windows\system32\drivers\usbscan.sys

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 13:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 23:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 20:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 22:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-16 12:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031620090317\index.dat

============= FINISH: 10:39:10.73 ===============
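The DDS log above lists running processes, services/drivers and recently created files in a fixed line layout, and the reviewer's job is to spot the entries that do not belong. As an added example (not code from this thread or from the DDS tool), here is a Python triage helper that parses those three sections and flags executables living in user-writable directories such as Temp and Application Data, a common place for dropped malware. The sample log text is constructed for the example, not taken from the post; a flag is a cue for the analyst, not a verdict (DDS's own dds.scr on the Desktop is flagged for exactly that reason).

```python
"""Triage helper for DDS-style logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample log in the shape of the DDS sections
# "Running Processes", "SERVICES / DRIVERS" and "Created Last 30".
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\user\Local Settings\Temp\tmp1234.exe
C:\Documents and Settings\user\Desktop\dds.scr

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-3-26 33408]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-11-4 14336]
S2 examplesvc;Example Service;c:\documents and settings\user\application data\examplesvc.exe [2009-6-12 8192]

=============== Created Last 30 ================

2009-06-24 12:55 161,792 a------- c:\windows\SWREG.exe
2009-06-16 18:01 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-06-13 03:12 24,576 a------- c:\documents and settings\user\local settings\temp\tmp5678.exe
"""

# Section banner: "=== Name ===".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Service line: "R0 name;display name;path [date size]".
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]+)\]$")
# Created-file line: "YYYY-MM-DD HH:MM size|<DIR> attrs path".
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
# Process line: path up to an executable extension, optionally followed by arguments.
PATH_RE = re.compile(r"^(.*?\.(?:exe|scr|dll|sys|com|pif))(?:\s|$)", re.IGNORECASE)

EXEC_EXT = (".exe", ".scr", ".dll", ".sys", ".com", ".pif")
# Directory fragments an ordinary user (or malware running as that user) can write to.
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\",
                 "\\documents and settings\\", "\\users\\")


@dataclass
class Finding:
    section: str
    path: str
    reason: str


def is_suspicious_location(path: str) -> bool:
    """True for an executable whose path lies under a user-writable directory."""
    p = path.lower()
    return p.endswith(EXEC_EXT) and any(d in p for d in USER_WRITABLE)


def parse_sections(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section name, line) for every non-blank line under a section banner."""
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section:
            yield section, line


def extract_path(section: str, line: str) -> Optional[str]:
    """Pull the file path out of a line according to the section's layout."""
    if section.startswith("Running Processes"):
        m = PATH_RE.match(line)
        return m.group(1) if m else None
    if section.startswith("SERVICES"):
        m = SERVICE_RE.match(line)
        return m.group(4) if m else None
    if section.startswith("Created Last"):
        m = CREATED_RE.match(line)
        return None if (not m or m.group(2) == "<DIR>") else m.group(4)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return every executable the log places in a user-writable directory."""
    findings = []
    for section, line in parse_sections(log_text):
        path = extract_path(section, line)
        if path and is_suspicious_location(path):
            findings.append(Finding(section, path, "executable in a user-writable directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.path}: {f.reason}")
```

The location heuristic is deliberately broad: a legitimate tool run from the Desktop trips it just as a dropper in Temp does, so the output is a shortlist to review against the rest of the log (service names, creation dates, file sizes), not a list of malware.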

#8 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 25 June 2009 - 10:43 AM

Looks quite good. However, let's run an online scanner to make sure nothing bad is hiding there :thumbup2:


Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read the requirements and privacy statement then click on the Accept button.
  • The program will launch and start to download the latest definition files.
  • You will be prompted to install an application from Kaspersky. Click Run
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • Click on Save Report As....
  • Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Save this report to a convenient place.
  • Copy and paste that information into your topic.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here.



#9 Nickkin (Topic Starter, Members, 27 posts)

Posted 25 June 2009 - 10:23 PM

Kaspersky online scan did not identify any threat on my computer. I guess it is now clean. My PC also seems to be working well compared to before.

#10 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 26 June 2009 - 10:58 AM

Well, congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset System Restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-check *Turn off System Restore*.
    Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type "c:\documents and settings\user\Desktop\ComboFix.exe" /u in the runbox and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
  • hosts file:
  • Every version of Windows has a hosts file as part of it.
  • In a very basic sense, it is used to locate webpages.
  • We can customize a hosts file so that it blocks certain webpages.
  • However, it can slow down certain computers.
  • This is why using a hosts file is optional!!
Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here.
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  • Click the Start button (at the lower left hand corner of your screen)
  • Click Run
  • In the dialog box, type services.msc
  • Hit Enter, then locate DNS Client
  • Highlight it, then double-click it.
  • On the dropdown box, change the setting from Automatic to Manual.
  • Click OK

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update site frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :thumbup2:

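A hosts file that is meant to block sites should map every blocked name to a loopback or unspecified address (127.0.0.1, 0.0.0.0 or ::1); an entry that points anywhere else does not block the name, it silently redirects it to another host, which is also what a tampered hosts file looks like. As an added example (not code from this thread or from the hosts-file project recommended in it), this Python check parses a hosts file in the format Windows uses and separates genuine block entries from redirects and unparsable lines, so a downloaded list can be inspected before it is installed. The sample hosts content is constructed for the example, using documentation-reserved addresses and .test names.

```python
"""Audit a blocklist-style hosts file (added example, not part of the thread)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file: a blocklist with one entry that is a
# redirect rather than a block, plus one line that is not a hosts entry at all.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net        # blocked: loopback
0.0.0.0         tracker.example.org    # blocked: unspecified address
198.51.100.7    www.example-bank.test  # NOT a block: sends the name to another host
this is not a hosts line
"""

# Addresses that make an entry a block rather than a redirect.
BLOCK_TARGETS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (entries, bad_lines); entries are (address, hostname) pairs.

    Comments start with '#', one address may be followed by several names,
    and anything that does not start with a valid IP address is reported back.
    """
    entries: List[Tuple[str, str]] = []
    bad: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            bad.append(raw)
            continue
        if len(parts) < 2:  # address with no hostname
            bad.append(raw)
            continue
        for name in parts[1:]:
            entries.append((str(addr), name.lower()))
    return entries, bad


def audit_hosts(text: str) -> Dict[str, object]:
    """Count block entries and list every redirect and unparsable line."""
    entries, bad = parse_hosts(text)
    blocked = [n for a, n in entries
               if ipaddress.ip_address(a) in BLOCK_TARGETS and n != "localhost"]
    redirects = [(a, n) for a, n in entries
                 if ipaddress.ip_address(a) not in BLOCK_TARGETS]
    return {"blocked": len(blocked), "redirects": redirects, "unparsed": bad}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"block entries: {report['blocked']}")
    for addr, name in report["redirects"]:
        print(f"REDIRECT {name} -> {addr}")
    for line in report["unparsed"]:
        print(f"unparsed: {line!r}")
```

On a real machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; any redirect the audit reports deserves an explanation, since a blocklist has no reason to contain one.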


#11 Nickkin (Topic Starter, Members, 27 posts)

Posted 27 June 2009 - 09:54 PM

My computer is running very well now & I have performed the required task above. Thank you very much for your help.

Nick

#12 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 28 June 2009 - 05:56 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





