
Rigel Sent Me Here!


  • This topic is locked
3 replies to this topic

#1 bob snelgrove

bob snelgrove

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 29 June 2009 - 08:37 PM

Hi guys,

Here is my original thread:

http://www.bleepingcomputer.com/forums/ind...p;#entry1319879


Here is my log, step 6:





DDS (Ver_09-06-26.01) - NTFSx86
Run by Bob at 6:35:10.50 on Mon 06/29/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3582.890 [GMT -7:00]

AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Internet Security 3-pack *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AVG Anti-Spyware *enabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Wavexpress\TVTonic\WXRSS.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Roland\VSC32\Vsc32Cnf.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\DeltaIITray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Fraps\fraps.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Users\Bob\Desktop\fixpc\ocx19hkg.exe
C:\Users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\msfeedssync.exe
C:\Program Files\FeedReader30\feedreader.exe
C:\Program Files\IQcobra\iquote32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Bob\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://slickdeals.net/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = sas.r2.attbi.com;*.local
uURLSearchHooks: Craigslist Toolbar: {2cff8b6a-9a4c-4192-b925-c6ffa19340e4} - c:\program files\craigslist\tbCra1.dll
mURLSearchHooks: Craigslist Toolbar: {2cff8b6a-9a4c-4192-b925-c6ffa19340e4} - c:\program files\craigslist\tbCra1.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AddTask Class: {24f06550-65e3-4d1c-8cfe-839c296b5530} - c:\program files\eread7.0\IEeREAD.dll
BHO: Craigslist Toolbar: {2cff8b6a-9a4c-4192-b925-c6ffa19340e4} - c:\program files\craigslist\tbCra1.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AddTask Class: {6a19c29d-ed45-4483-8999-9f939c8161f2} - c:\program files\eread7.0\WebHook.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SACert Class: {740fe5fb-65f1-46c5-9e54-a19c8a8d7ac2} - c:\windows\system32\SoftAheadCert.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: Craigslist Toolbar: {2cff8b6a-9a4c-4192-b925-c6ffa19340e4} - c:\program files\craigslist\tbCra1.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Fraps] c:\fraps\FRAPS.EXE
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [feedreader.exe] "c:\program files\feedreader30\feedreader.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [vsc32cnf.exe] c:\program files\roland\vsc32\vsc32cnf.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RegistryMechanic]
mRun: [<NO NAME>]
mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\bob\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\OUTLOOK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: Search Image on TinEye - file://c:\users\bob\documents\tineye 1.0\TinEye.js
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: allmusic.com\www
Trusted Zone: fidelity.com\login
Trusted Zone: fidelity.com\www
Trusted Zone: line6.net
Trusted Zone: myciti.com\*.da-us
Trusted Zone: sjlibrary.org\mill1
Trusted Zone: yifanmall.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {4AA13313-DAC0-4DFF-93A1-619D06C30BC8} = 208.67.220.220,208.67.222.222
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skyline - {3a4f9195-65a8-11d5-85c1-0001023952c1} - c:\program files\skyline\terraexplorer\TerraExplorerX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\bob\appdata\roaming\mozilla\firefox\profiles\fiil3cyz.default\
FF - prefs.js: browser.startup.homepage - hxxps://oltx.fidelity.com/ftgw/fbc/ofsummary/defaultPage | philsgang.com | http://www.freestockcharts.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: c:\program files\mozilla firefox\extensions\loginking@loginking.com\components\LoginKing.dll
FF - component: c:\users\bob\appdata\roaming\mozilla\firefox\profiles\fiil3cyz.default\extensions\{2cff8b6a-9a4c-4192-b925-c6ffa19340e4}\components\FFAlert.dll
FF - component: c:\users\bob\appdata\roaming\mozilla\firefox\profiles\fiil3cyz.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\bob\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\bob\appdata\roaming\mozilla\plugins\npAbacast.dll
FF - plugin: c:\users\bob\appdata\roaming\mozilla\plugins\NPAbacheck.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-11 12552]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2008-10-23 23832]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-11 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-11 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-24 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-4-24 1368952]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [2009-6-19 941784]
R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [2007-9-6 5504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-2-4 1153368]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-24 92008]
R2 WebCamHelper;WebCamHelper;c:\progra~1\avwebc~2\WebCamHelper.sys [2009-6-19 2688]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2009-5-25 302728]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2008-2-27 951284]
S2 AVWEBCAM;AV WebCam, WDM Video Capture;c:\windows\system32\drivers\avwebcam.sys [2009-6-19 13696]
S2 gupdate1c98f36efb071e5;Google Update Service (gupdate1c98f36efb071e5);c:\program files\google\update\GoogleUpdate.exe [2009-2-14 133104]
S3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\drivers\camdrv21.sys [2008-1-2 253909]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-06-26 19:27 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-26 19:27 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-26 19:27 <DIR> --d----- c:\users\bob\appdata\roaming\SUPERAntiSpyware.com
2009-06-26 19:27 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-25 22:13 <DIR> --d----- c:\program files\FeedReader30
2009-06-25 21:35 287,279,441 a------- c:\windows\MEMORY.DMP
2009-06-24 17:12 <DIR> --d----- c:\users\bob\appdata\roaming\Malwarebytes
2009-06-24 17:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-24 17:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-24 17:12 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-24 17:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-24 17:12 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-22 17:54 <DIR> --d----- c:\program files\SlySoft
2009-06-20 06:50 3,018 a------- c:\windows\Dext2001.ini
2009-06-20 06:50 <DIR> --d----- c:\program files\Philips Webcam
2009-06-19 17:36 98,304 a------- c:\windows\system32\SoftAheadCert.dll
2009-06-19 17:35 <DIR> --d----- c:\program files\AV WebCam Morpher GOLD
2009-06-19 16:08 <DIR> --d----- C:\AV_LOGS
2009-06-19 16:06 13,696 a------- c:\windows\system32\drivers\avwebcam.sys
2009-06-19 16:06 <DIR> --d----- c:\program files\AV WebCam Morpher
2009-06-19 16:04 0 a------- c:\windows\VDVD.INI
2009-06-19 16:04 0 a------- c:\windows\Cover.INI
2009-06-19 16:04 0 a------- c:\windows\avvcnvrt.INI
2009-06-19 16:04 0 a------- c:\windows\VMorpher.INI
2009-06-19 15:58 29 a------- c:\windows\AVFTP.INI
2009-06-19 15:54 <DIR> --d----- c:\program files\AV Video Morpher
2009-06-19 15:44 11,881,356 a------- c:\windows\system32\video-morpher.exe
2009-06-19 15:00 <DIR> --d----- c:\programdata\WebcamMax
2009-06-19 15:00 <DIR> --d----- c:\progra~2\WebcamMax
2009-06-19 15:00 <DIR> --d----- c:\users\bob\appdata\roaming\Webcammax
2009-06-19 14:57 941,784 a------- c:\windows\system32\drivers\CAMTHWDM.sys
2009-06-19 14:57 <DIR> --d----- c:\program files\WebcamMax
2009-06-19 09:11 76 ---shr-- c:\windows\CT4CET.bin
2009-06-19 09:11 <DIR> --d----- c:\program files\common files\Reallusion
2009-06-19 09:10 5,627,904 a------- c:\windows\system32\LiveCamVirtual.ocx
2009-06-19 09:09 <DIR> --d----- c:\program files\Creative Live! Cam
2009-06-19 09:09 <DIR> --d----- c:\program files\Dell
2009-06-19 09:08 <DIR> --d----- c:\program files\Creative
2009-06-10 06:05 623,616 a------- c:\windows\system32\localspl.dll
2009-06-10 06:04 2,034,688 a------- c:\windows\system32\win32k.sys
2009-06-10 06:03 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-10 06:03 828,416 a------- c:\windows\system32\wininet.dll
2009-06-10 06:03 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-09 09:02 <DIR> --d----- c:\windows\userstartmenu
2009-06-09 09:02 <DIR> --d----- c:\windows\userdesktop
2009-06-09 09:02 <DIR> --d----- c:\windows\desktop
2009-06-09 09:02 <DIR> --d----- c:\windows\commondesktop
2009-06-09 09:02 <DIR> --d----- c:\program files\IQcobra
2009-05-31 16:14 <DIR> --d----- c:\programdata\TomTom
2009-05-31 16:14 <DIR> --d----- c:\progra~2\TomTom
2009-05-31 16:13 <DIR> --d----- c:\users\bob\appdata\roaming\TomTom
2009-05-31 16:13 <DIR> --d----- c:\program files\TomTom International B.V
2009-05-31 16:13 <DIR> --d----- c:\program files\TomTom HOME 2

==================== Find3M ====================

2009-06-28 19:13 1,800 a------- c:\windows\system32\tmp.reg
2009-06-20 06:50 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-20 06:50 143,360 a------- c:\windows\inf\infstor.dat
2009-06-20 06:50 51,200 a------- c:\windows\inf\infpub.dat
2009-06-10 14:37 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 06:46 20 ----h--- c:\programdata\PKP_DLbx.DAT
2009-06-08 06:46 20 ----h--- c:\progra~2\PKP_DLbx.DAT
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-27 08:14 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-25 05:01 89,256 -------- c:\windows\system32\ElbyCDIO.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-24 09:04 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-10 23:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-10 23:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-10 23:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-10 23:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-10 23:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-10 23:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-10 23:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-10 23:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-10 23:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-10 23:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-10 23:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-10 23:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-10 23:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-10 23:27 627,200 a------- c:\windows\system32\sethc.exe
2009-04-10 23:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-10 23:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-10 22:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-10 22:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-10 21:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-10 21:54 2,048 a------- c:\windows\system32\mferror.dll
2009-04-10 21:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-10 21:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-10 21:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-10 21:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-10 18:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2009-04-07 07:13 16,608 a------- c:\windows\gdrv.sys
2009-02-22 09:03 1,995,603 a------- c:\users\bob\appdata\roaming\steelgtr.zip
2008-09-18 06:40 87,608 a------- c:\users\bob\appdata\roaming\inst.exe
2008-09-18 06:40 47,360 a------- c:\users\bob\appdata\roaming\pcouffin.sys
2008-08-26 16:04 60,744 a------- c:\users\bob\g2mdlhlpx.exe
2008-07-05 08:30 20 ----h--- c:\programdata\PKP_DLck.DAT
2008-07-05 08:30 20 ----h--- c:\progra~2\PKP_DLck.DAT
2008-06-23 23:18 0 a------- c:\programdata\PKP_DLbz.DAT
2008-06-23 23:18 0 a------- c:\progra~2\PKP_DLbz.DAT
2008-04-03 21:18 174 a--sh--- c:\program files\desktop.ini
2008-01-17 18:07 22,328 a------- c:\users\bob\appdata\roaming\PnkBstrK.sys
2008-01-02 19:04 32 a------- c:\programdata\ezsid.dat
2008-01-02 19:04 32 a------- c:\progra~2\ezsid.dat
2007-12-26 08:55 38,947,797 a------- c:\users\bob\avg7_503a1171_vnu.exe
2007-12-02 10:42 2,096,352 a------- c:\users\bob\infinst_autol.zip
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-09-04 19:46 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-04 19:46 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-04 19:46 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 6:35:57.76 ===============


thx!


bob
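A DDS log like the one above is normally read by eye, section by section. As an added example (not part of this thread, and not a feature of DDS or ComboFix), here is a small Python script that splits a DDS log into its "===== Name =====" sections and lists the entries a reviewer usually checks first: processes running from a user profile, BHO/toolbar entries whose file is missing ("No File"), Run entries with an empty command line, AppInit_DLLs, and the configured DNS servers. The section names and line formats are taken from the log above; the sample input is a constructed excerpt modelled on it, and the categories are review heuristics chosen for this example, not verdicts about any entry.

```python
import re
from typing import Dict, List

# Constructed sample in DDS format, modelled on the log in the post above
# (a handful of lines only, not the full log).
SAMPLE_DDS = """\
============== Running Processes ===============

C:\\Windows\\system32\\wininit.exe
C:\\Program Files\\AVG\\AVG8\\avgtray.exe
C:\\Users\\Bob\\Desktop\\fixpc\\ocx19hkg.exe
C:\\Users\\Bob\\Desktop\\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://slickdeals.net/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: SACert Class: {740fe5fb-65f1-46c5-9e54-a19c8a8d7ac2} - c:\\windows\\system32\\SoftAheadCert.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe
mRun: [RegistryMechanic]
mRun: [<NO NAME>]
TCP: NameServer = 208.67.220.220,208.67.222.222
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================
"""

# DDS separates sections with lines like "===== Name =====".
HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A Run entry whose command line is empty, e.g. "mRun: [<NO NAME>]".
EMPTY_RUN_RE = re.compile(r"^[um]Run: \[[^\]]*\]\s*$")
# Executables started from a user profile rather than Windows or Program Files.
USER_PROFILE_PREFIXES = ("c:\\users\\", "c:\\documents and settings\\")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of a DDS log under their section header."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def triage(text: str) -> Dict[str, List[str]]:
    """Pull out the entries a reviewer checks first. These are review
    heuristics (things worth a second look), not malware verdicts."""
    sections = split_sections(text)
    procs = sections.get("Running Processes", [])
    hjt = sections.get("Pseudo HJT Report", [])

    nameservers: List[str] = []
    appinit: List[str] = []
    for line in hjt:
        if line.startswith("TCP: NameServer ="):
            value = line.split("=", 1)[1]
            nameservers = [s.strip() for s in value.split(",") if s.strip()]
        elif line.startswith("AppInit_DLLs:"):
            appinit = line.split(":", 1)[1].replace(",", " ").split()

    return {
        # Processes running from C:\Users\... (the log shows dds.scr itself here too).
        "user_profile_processes": [p for p in procs
                                   if p.lower().startswith(USER_PROFILE_PREFIXES)],
        # Registered BHOs/toolbars whose DLL no longer exists on disk.
        "dangling_entries": [l for l in hjt if l.endswith("- No File")],
        # Autostart entries with an empty command line.
        "empty_run_entries": [l for l in hjt if EMPTY_RUN_RE.match(l)],
        # DLLs loaded into user-mode processes via AppInit_DLLs.
        "appinit_dlls": appinit,
        # Resolvers the machine is using; compare with what the owner expects.
        "nameservers": nameservers,
    }


def main() -> None:
    for category, items in triage(SAMPLE_DDS).items():
        print(f"{category} ({len(items)}):")
        for item in items:
            print(f"  {item}")


if __name__ == "__main__":
    main()
```

Run it as a script to print the report, or call triage() on the contents of a saved DDS log. A hit only means "look at this": in the log above, dds.scr itself shows up as a process running from the Desktop, which is exactly why the helper, not the script, makes the call.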


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:58 PM

Posted 02 July 2009 - 02:05 PM

Hello Bob,

Since you have a nasty rootkit, we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus, Windows Defender and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bob snelgrove

bob snelgrove
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:58 PM

Posted 02 July 2009 - 04:09 PM

Hi Mike,

I have a case open over at geekstogo:


http://www.geekstogo.com/forum/I-Don-t-Kno...ng-t243536.html


I hadn't heard from you guys and was panicking! The guy helping me is a trainee and is slow advancing as he has to check with the "boss".


Look it over and please advise. I just want to be honest and upfront!


thx

bob

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:58 PM

Posted 02 July 2009 - 04:13 PM

Hi bob,

Thanks for telling me.

Double posting is greatly frowned on by all malware removal forums as it wastes our time and creates backlogs.

Since you are being helped at Geekstogo forum I will close this post.

Edited by SifuMike, 02 July 2009 - 06:52 PM.
