
Security-Tool Warnings


  • This topic is locked
20 replies to this topic

#1 cawrenn (Members, 27 posts)

Posted 19 October 2009 - 11:25 PM

When I log on to the computer my desktop turns grey and all of the items on the desktop disappear. After signing onto the internet, Security-Tool Warnings appear constantly and the computer eventually shuts down.


DDS (Ver_09-10-13.01) - NTFSx86
Run by new at 0:01:21.28 on Tue 10/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.381 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\new\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=187&sid=av
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwintb\iWi1.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwintb\iWi1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Protection System] c:\program files\protection system\psystem.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [61132518] c:\docume~1\alluse~1\applic~1\61132518\61132518.exe
mRun: [PromoReg] c:\windows\temp\_ex-08.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ljJYSkHb - ljJYSkHb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-16 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-16 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-16 297752]
R2 NetFxUpdate_v1.0.3705;Microsoft .NET Framework v1.0.3705 Update;c:\windows\microsoft.net\framework\v1.0.3705\netfxupdate.exe [2004-9-29 82976]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-7-9 78104]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-22 24652]

=============== Created Last 30 ================

2009-10-19 01:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 01:31 3,550,592 a------- C:\explorer.exe.exe
2009-10-18 23:58 <DIR> --d----- c:\program files\WinPcap
2009-10-18 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\61132518
2009-10-16 12:36 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-10-16 03:29 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-10-16 03:29 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-10-16 03:29 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-10-16 03:29 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-10-16 03:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-08 12:02 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-10-07 16:38 <DIR> --d----- c:\windows\system32\XPSViewer
2009-10-07 16:38 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 16:38 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-07 16:38 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-07 16:38 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-10-07 16:38 117,760 -------- c:\windows\system32\prntvpt.dll
2009-10-07 16:38 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-10-07 16:38 <DIR> --d----- C:\a6badf2579fe530f70862efe516988
2009-10-07 16:38 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-10-07 16:37 <DIR> --d----- c:\windows\SxsCaPendDel
2009-10-05 14:55 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx

==================== Find3M ====================

2009-09-11 10:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 17:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 04:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-01-16 14:08 392 ac-sh--- c:\windows\system32\Nmlmoqss.ini2
2009-03-05 16:21 16,384 ac-sh--- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2009-07-14 15:30 16,384 ac-sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-03-05 13:11 16,384 ac-sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-24 06:02 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122420081225\index.dat

============= FINISH: 0:02:42.45 ===============

Since I posted this topic, I have figured out on my own how to rid my computer of the Security-Tool Warnings, but the only problem I am still having is that whenever I open IE my browser shows websites that I have never visited, and this is after I complete a Disk Clean-Up. I cannot figure out what this is, so if someone has any suggestions please help. Thank you!

===========

Merged posts. ~ OB

Edited by Orange Blossom, 19 August 2010 - 12:54 AM.
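The log above is the kind of input a malware-response helper reads by eye. The following script is an added example (not part of cawrenn's post and not code from the DDS tool) that runs a few triage heuristics over a DDS-style log: an AV product registered with Security Center but reporting "Outdated", Run entries whose value name is all digits, that execute from a temp directory or from an all-digit ProgramData directory, or that share their name with that Outdated "AV" product; Winlogon Notify packages with random-looking names; an Internet Connection Wizard ShellNext pointing at a non-Microsoft host; and created files with a double extension or hidden+system attributes plus an unusual extension. The sample lines are copied from the first log in this thread and embedded so the script runs offline. The vowel-ratio test in `looks_random`, the `COMMON_EXT` list and every threshold are the example's own assumptions: these are prompts for a second look, not verdicts.

```python
"""Heuristic triage of a DDS / HijackThis-style log.

Added example, not code from the original post or from the DDS tool.
The heuristics are the example author's assumptions about which entries
deserve a closer look; matching one is not proof of infection.
"""
import re

# Constructed sample: lines copied from the first DDS log in the thread.
SAMPLE_DDS = r"""
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=187&sid=av
uRun: [Protection System] c:\program files\protection system\psystem.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [61132518] c:\docume~1\alluse~1\applic~1\61132518\61132518.exe
mRun: [PromoReg] c:\windows\temp\_ex-08.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ljJYSkHb - ljJYSkHb.dll
2009-10-19 01:31 3,550,592 a------- C:\explorer.exe.exe
2009-01-16 14:08 392 ac-sh--- c:\windows\system32\Nmlmoqss.ini2
2009-03-05 16:21 16,384 ac-sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
"""

AV_RE = re.compile(r'^AV: (?P<product>.+?) \*.*\((?P<state>Updated|Outdated)\)')
RUN_RE = re.compile(r'^[umd]Run: \[(?P<name>[^\]]*)\]\s*"?(?P<path>[^"]*?\.exe)', re.I)
NOTIFY_RE = re.compile(r'^Notify: (?P<name>\S+) - (?P<dll>\S+)')
SHELLNEXT_RE = re.compile(r'^uInternet Connection Wizard,ShellNext = hxxps?://(?P<host>[^/\s]+)', re.I)
# date time size attributes path   (size is digits/commas, so <DIR> rows are skipped)
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?\s+[\d,]+\s+(?P<attr>[\w-]{8})\s+(?P<path>\S.*)$')

# Assumed list of extensions that are unremarkable on a hidden+system file.
COMMON_EXT = {'.exe', '.dll', '.sys', '.dat', '.ini', '.cat', '.log', '.ocx', '.scr'}


def looks_random(name):
    """Assumed heuristic: a letter string of 6+ letters with under 20% vowels
    (e.g. ljJYSkHb) is treated as generated rather than human-chosen."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in 'aeiou' for c in letters)
    return vowels / len(letters) < 0.2


def triage(log_text):
    """Return [(line, [reasons])] for every line that trips at least one heuristic."""
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    # Pass 1: products registered with Security Center that report 'Outdated'.
    outdated = set()
    for line in lines:
        m = AV_RE.match(line)
        if m and m['state'] == 'Outdated':
            outdated.add(m['product'])
    # Pass 2: apply the per-line heuristics.
    findings = []
    for line in lines:
        reasons = []
        if (m := AV_RE.match(line)) and m['state'] == 'Outdated':
            reasons.append('AV product registered as Outdated; confirm it was deliberately installed')
        elif (m := RUN_RE.match(line)):
            name, path = m['name'], m['path'].lower()
            if name in outdated:
                reasons.append('autorun for an Outdated "AV" product')
            if name.isdigit():
                reasons.append('Run value name is all digits')
            if re.search(r'\\temp\\', path):
                reasons.append('executes from a temp directory')
            if re.search(r'\\\d+\\', path):
                reasons.append('lives in an all-digit directory')
        elif (m := NOTIFY_RE.match(line)):
            if looks_random(m['name']):
                reasons.append('Winlogon Notify package with a random-looking name')
        elif (m := SHELLNEXT_RE.match(line)):
            if not m['host'].lower().endswith('microsoft.com'):
                reasons.append(f"ShellNext points at third-party host {m['host']}")
        elif (m := FILE_RE.match(line)):
            path, attr = m['path'], m['attr'].lower()
            fname = path.rsplit('\\', 1)[-1]
            ext = '.' + fname.rsplit('.', 1)[-1].lower() if '.' in fname else ''
            if re.search(r'\.(exe|dll|scr)\.(exe|dll|scr)$', fname, re.I):
                reasons.append('double extension')
            if 'h' in attr and 's' in attr and ext not in COMMON_EXT:
                reasons.append(f'hidden+system file with unusual extension {ext}')
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_DDS):
        print(line)
        for r in reasons:
            print('    ->', r)
```

Run against the embedded sample it flags the Outdated "Protection System" entry and its matching uRun, the numeric `61132518` Run value, `_ex-08.exe` in `\windows\temp`, the `ljJYSkHb` Notify package, the `aportals.net` ShellNext, `C:\explorer.exe.exe` and the hidden+system `Nmlmoqss.ini2`, while leaving ctfmon, AVG, Aim6, AtiExtEvent, avgrsstarter and the index.dat files alone. Feed it a whole DDS log (`triage(open('dds.txt').read())`) and read the unflagged lines too; the heuristics are deliberately narrow.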



#2 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 29 October 2009 - 01:35 AM

Hi,

Post a fresh dds log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Malware removal instructions provided here are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 cawrenn (Topic Starter)

Posted 31 October 2009 - 12:27 AM

DDS (Ver_09-10-26.01) - NTFSx86
Run by new at 1:18:33.62 on Sat 10/31/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.531 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! antivirus 4.8.1356 [VPS 091030-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\new\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=187&sid=av
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Protection System] c:\program files\protection system\psystem.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ljJYSkHb - ljJYSkHb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-25 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-16 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-16 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-25 20560]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-16 297752]
R2 NetFxUpdate_v1.0.3705;Microsoft .NET Framework v1.0.3705 Update;c:\windows\microsoft.net\framework\v1.0.3705\netfxupdate.exe [2004-9-29 82976]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe --> c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-22 24652]

=============== Created Last 30 ================

2009-10-26 04:37:23 0 d-----w- c:\program files\CCleaner
2009-10-19 05:44:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 05:31:29 3550592 ----a-w- C:\explorer.exe.exe
2009-10-19 03:58:21 0 d-----w- c:\program files\WinPcap
2009-10-19 03:55:34 0 d-----w- c:\docume~1\alluse~1\applic~1\61132518
2009-10-16 16:36:30 0 d--h--w- C:\$AVG8.VAULT$
2009-10-16 07:29:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-16 07:29:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-16 07:29:42 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-16 07:29:36 0 d-----w- c:\windows\system32\drivers\Avg
2009-10-16 07:29:34 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-08 16:02:10 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-10-07 20:38:15 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-07 20:38:15 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 20:38:15 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-07 20:38:15 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-07 20:38:15 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-07 20:38:14 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-07 20:38:14 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-07 20:38:14 0 d-----w- C:\a6badf2579fe530f70862efe516988
2009-10-07 20:37:54 0 d-----w- c:\windows\SxsCaPendDel
2009-10-05 18:55:29 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-01-16 18:08:08 392 -csha-w- c:\windows\system32\Nmlmoqss.ini2
2009-03-05 20:21:42 16384 -csha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2009-07-14 19:30:45 16384 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-03-05 17:11:12 16384 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-24 10:02:35 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122420081225\index.dat

============= FINISH: 1:19:57.92 ===============

#4 Blade81 (Malware Response Team)

Posted 31 October 2009 - 05:35 AM

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#5 cawrenn (Topic Starter)

Posted 01 November 2009 - 05:51 PM

I tried to run ComboFix and it did not work, then tried manually downloading it and it still didn't work. Here is the DDS log from after I tried everything.

DDS (Ver_09-10-26.01) - NTFSx86
Run by new at 17:46:06.98 on Sun 11/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.413 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! antivirus 4.8.1356 [VPS 091101-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1246637031\ee\aolsoftware.exe
C:\Documents and Settings\new\Desktop\ComboFix.exe
C:\Documents and Settings\new\Desktop\ComboFix.exe
C:\Documents and Settings\new\Desktop\ComboFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\new\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=187&sid=av
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Protection System] c:\program files\protection system\psystem.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ljJYSkHb - ljJYSkHb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-25 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-16 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-16 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-25 20560]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-16 297752]
R2 NetFxUpdate_v1.0.3705;Microsoft .NET Framework v1.0.3705 Update;c:\windows\microsoft.net\framework\v1.0.3705\netfxupdate.exe [2004-9-29 82976]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe --> c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-21 24652]

=============== Created Last 30 ================

2009-10-26 04:37:23 0 d-----w- c:\program files\CCleaner
2009-10-19 05:44:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 05:31:29 3550592 ----a-w- C:\explorer.exe.exe
2009-10-19 03:58:21 0 d-----w- c:\program files\WinPcap
2009-10-19 03:55:34 0 d-----w- c:\docume~1\alluse~1\applic~1\61132518
2009-10-16 16:36:30 0 d--h--w- C:\$AVG8.VAULT$
2009-10-16 07:29:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-16 07:29:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-16 07:29:42 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-16 07:29:36 0 d-----w- c:\windows\system32\drivers\Avg
2009-10-16 07:29:34 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-08 16:02:10 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-10-07 20:38:15 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-07 20:38:15 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 20:38:15 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-07 20:38:15 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-07 20:38:15 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-07 20:38:14 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-07 20:38:14 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-07 20:38:14 0 d-----w- C:\a6badf2579fe530f70862efe516988
2009-10-07 20:37:54 0 d-----w- c:\windows\SxsCaPendDel
2009-10-05 18:55:29 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-01-16 18:08:08 392 -csha-w- c:\windows\system32\Nmlmoqss.ini2
2009-03-05 20:21:42 16384 -csha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2009-07-14 19:30:45 16384 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-03-05 17:11:12 16384 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-24 10:02:35 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122420081225\index.dat

============= FINISH: 17:47:15.37 ===============

#6 Blade81

Posted 02 November 2009 - 01:00 AM

Hi,

Rename ComboFix file -> cawrenn.exe and try to run it.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 cawrenn

Posted 03 November 2009 - 03:26 AM

ComboFix 09-11-02.02 - new 11/03/2009 3:17.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.512 [GMT -5:00]
Running from: c:\documents and settings\new\Desktop\cawrenn.exe.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\This One\Desktop\Security Tool.lnk
c:\documents and settings\This One\Start Menu\Programs\Security Tool.lnk
c:\program files\Common
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
C:\VDM108.tmp
C:\VDM109.tmp
c:\windows\config.ini
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\kb913800.exe
c:\windows\mywallpaper.bmp
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACphevmtivpuxnkbymx.sys
c:\windows\system32\iwvcovuk.ini
c:\windows\system32\kokeogfp.ini
c:\windows\system32\ljfminuk.ini
c:\windows\system32\Nmlmoqss.ini
c:\windows\system32\Nmlmoqss.ini2
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\UACgevoqwbwtixjikpki.dll
c:\windows\system32\UAChfvsothywowlrsbgj.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACpamechrxskytdwqlj.dll
c:\windows\system32\UACpetjgvsyfjxbxldmb.dll
c:\windows\system32\UACpwsrfqxmnmdplwdxr.dll
c:\windows\system32\UACqbxqtcejxxtuvdlul.dll
c:\windows\system32\UACwbyrvkopxe.log
c:\windows\system32\vfdpglso.ini
c:\windows\system32\vntdkujd.ini
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\xtciampm.ini
c:\windows\zysalwhkkw.exe
c:\windows\zysaoxcjiy.exe
c:\windows\zysapghucv.exe
c:\windows\zysaxyczld.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-03 07:18 . 2009-11-03 07:39 -------- d-----w- C:\cawrenn.exe
2009-11-03 07:00 . 2009-11-03 07:14 -------- d-----w- C:\AVGTemp
2009-10-26 04:37 . 2009-10-26 04:37 -------- d-----w- c:\program files\CCleaner
2009-10-26 02:29 . 2009-10-26 02:29 -------- d-----w- c:\program files\Alwil Software
2009-10-19 08:07 . 2009-10-19 21:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-19 05:44 . 2009-10-28 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 05:31 . 2009-10-19 05:31 3550592 ----a-w- C:\explorer.exe.exe
2009-10-19 03:55 . 2009-10-21 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\61132518
2009-10-16 18:04 . 2009-10-16 18:04 -------- d-----w- c:\documents and settings\new\Application Data\AdobeUM
2009-10-16 16:36 . 2009-11-02 12:14 -------- d-----w- C:\$AVG8.VAULT$
2009-10-16 07:29 . 2009-11-03 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-13 05:38 . 2009-10-13 05:38 -------- d-----w- c:\documents and settings\new\Local Settings\Application Data\AIM
2009-10-08 18:22 . 2009-10-08 18:22 -------- d-----w- c:\documents and settings\new\Local Settings\Application Data\PCHealth
2009-10-07 20:38 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-07 20:38 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-07 20:38 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-07 20:38 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-07 20:38 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 20:38 . 2009-10-07 20:38 -------- d-----w- C:\a6badf2579fe530f70862efe516988
2009-10-07 20:38 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-07 20:38 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-07 20:37 . 2009-10-26 05:30 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-06 16:15 . 2009-10-06 16:15 -------- d-----w- c:\documents and settings\new\Local Settings\Application Data\Adobe
2009-10-05 20:09 . 2009-10-05 20:09 -------- d-----w- c:\documents and settings\new\Local Settings\Application Data\KodakGallery
2009-10-05 20:06 . 2009-10-05 20:06 -------- d-----w- c:\documents and settings\new\Application Data\acccore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 03:57 . 2006-10-19 07:04 50088 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 05:21 . 2009-10-19 05:21 -------- d-----w- c:\documents and settings\This One\Application Data\Viewpoint
2009-10-14 23:05 . 2009-02-26 04:11 50088 -c--a-w- c:\documents and settings\C&M Dawg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 20:54 . 2007-04-19 01:07 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-10-06 01:21 . 2007-04-19 01:06 -------- d-----w- c:\program files\Logitech
2009-09-11 14:18 . 2006-10-19 04:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-10-19 04:52 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-10-19 04:53 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-06-22 21:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-10-19 04:52 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-10-19 04:54 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2006-10-19 05:20 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-10-19 05:20 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-10-19 05:20 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 12:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-10-19 05:20 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2006-10-19 04:52 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-10-19 05:20 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-10-19 05:20 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2006-10-19 04:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-09 02:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-14 5562368]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\TOSHIBA\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\TOSHIBA\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\TOSHIBA\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"TODDSrv"=2 (0x2)
"Swupdtmr"=2 (0x2)
"ose"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iWinTrusted"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"avg8wd"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)
"ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\1246637031\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe --> c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 10:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 10:49 PM 8320]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/21/2008 11:41 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=187&sid=av
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe
Notify-avgrsstarter - avgrsstx.dll
Notify-ljJYSkHb - ljJYSkHb.dll
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 03:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(640)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-03 3:23
ComboFix-quarantined-files.txt 2009-11-03 08:23

Pre-Run: 86,532,812,800 bytes free
Post-Run: 86,495,604,736 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 529DD6DEC2828761258DD7C75259A1CC




DDS (Ver_09-10-26.01) - NTFSx86
Run by new at 3:25:19.04 on Tue 11/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.534 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\new\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=187&sid=av
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe --> c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-21 24652]

=============== Created Last 30 ================

2009-11-03 07:21:03 0 d-sha-r- C:\cmdcons
2009-11-03 07:18:46 98816 ----a-w- c:\windows\sed.exe
2009-11-03 07:18:46 77312 ----a-w- c:\windows\MBR.exe
2009-11-03 07:18:46 236544 ----a-w- c:\windows\PEV.exe
2009-11-03 07:18:46 161792 ----a-w- c:\windows\SWREG.exe
2009-11-03 07:18:31 0 d-----w- C:\cawrenn.exe
2009-11-03 07:00:11 0 d-----w- C:\AVGTemp
2009-10-26 04:37:23 0 d-----w- c:\program files\CCleaner
2009-10-19 05:44:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 05:31:29 3550592 ----a-w- C:\explorer.exe.exe
2009-10-19 03:55:34 0 d-----w- c:\docume~1\alluse~1\applic~1\61132518
2009-10-16 16:36:30 0 d-----w- C:\$AVG8.VAULT$
2009-10-16 07:29:34 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-08 16:02:10 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-10-07 20:38:15 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-07 20:38:15 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 20:38:15 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-07 20:38:15 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-07 20:38:15 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-07 20:38:14 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-07 20:38:14 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-07 20:38:14 0 d-----w- C:\a6badf2579fe530f70862efe516988
2009-10-07 20:37:54 0 d-----w- c:\windows\SxsCaPendDel
2009-10-05 18:55:29 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-03-05 20:21:42 16384 -csha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2009-07-14 19:30:45 16384 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-03-05 17:11:12 16384 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-24 10:02:35 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122420081225\index.dat

============= FINISH: 3:25:27.03 ===============

#8 cawrenn

Posted 03 November 2009 - 03:34 AM

Ok, so for me to run the combofix, Avast and AVG were deleted so now I have no virus protection. Do I need to download one or the other again? Thanks so much for helping me thus far!

#9 Blade81

Posted 03 November 2009 - 05:13 AM

Ok, so for me to run the combofix, Avast and AVG were deleted so now I have no virus protection. Do I need to download one or the other again?

You may reinstall one of those when we're ready. Not sure why those got deleted though.

Please start Malwarebytes' Anti-Malware (MBAM), update its definitions through the update tab and do a quick scan. Let MBAM remove all its findings and post back the report it creates with a fresh dds.txt log.

Are you familiar with this file: C:\explorer.exe.exe?


#10 cawrenn

Posted 03 November 2009 - 08:52 AM

c:/explorer.exe.exe is the sysinternals.com

Malwarebytes' Anti-Malware 1.41
Database version: 3092
Windows 5.1.2600 Service Pack 3

11/3/2009 8:48:05 AM
mbam-log-2009-11-03 (08-48-05).txt

Scan type: Quick Scan
Objects scanned: 124049
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0cb66ba8-5e1f-4963-93d1-e1d6b78fe9a2} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\61132518 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)




DDS (Ver_09-10-26.01) - NTFSx86
Run by new at 8:49:41.50 on Tue 11/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.491 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\new\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=187&sid=av
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe --> c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-21 24652]

=============== Created Last 30 ================

2009-11-03 13:41:06 0 d-----w- c:\docume~1\new\applic~1\Malwarebytes
2009-11-03 13:41:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 13:41:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 13:41:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 07:21:03 0 d-sha-r- C:\cmdcons
2009-11-03 07:18:46 98816 ----a-w- c:\windows\sed.exe
2009-11-03 07:18:46 77312 ----a-w- c:\windows\MBR.exe
2009-11-03 07:18:46 236544 ----a-w- c:\windows\PEV.exe
2009-11-03 07:18:46 161792 ----a-w- c:\windows\SWREG.exe
2009-11-03 07:18:31 0 d-----w- C:\cawrenn.exe
2009-11-03 07:00:11 0 d-----w- C:\AVGTemp
2009-10-26 04:37:23 0 d-----w- c:\program files\CCleaner
2009-10-19 05:44:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 05:31:29 3550592 ----a-w- C:\explorer.exe.exe
2009-10-16 16:36:30 0 d-----w- C:\$AVG8.VAULT$
2009-10-16 07:29:34 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-08 16:02:10 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-10-07 20:38:15 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-07 20:38:15 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 20:38:15 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-07 20:38:15 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-07 20:38:15 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-07 20:38:14 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-07 20:38:14 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-07 20:38:14 0 d-----w- C:\a6badf2579fe530f70862efe516988
2009-10-07 20:37:54 0 d-----w- c:\windows\SxsCaPendDel
2009-10-05 18:55:29 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-03-05 20:21:42 16384 -csha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2009-07-14 19:30:45 16384 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-03-05 17:11:12 16384 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-24 10:02:35 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122420081225\index.dat

============= FINISH: 8:49:58.10 ===============

#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:03:08 AM

Posted 03 November 2009 - 11:49 AM

Could you also post a fresh attach.txt (from DDS run), please? :(

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#12 cawrenn

cawrenn
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:08 PM

Posted 03 November 2009 - 01:04 PM

Sorry about that. :(


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/9/2006 4:17:49 PM
System Uptime: 11/3/2009 11:50:26 AM (2 hours ago)

Motherboard: TOSHIBA | | Satellite L35
Processor: Intel® Celeron® M CPU 410 @ 1.46GHz | U23 | 1466/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 80.551 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP494: 4/10/2009 7:22:24 AM - System Checkpoint
RP495: 4/24/2009 10:37:35 PM - System Checkpoint
RP496: 4/25/2009 2:00:04 PM - Software Distribution Service 3.0
RP497: 6/8/2009 2:19:45 PM - Software Distribution Service 3.0
RP498: 6/10/2009 9:58:59 PM - System Checkpoint
RP499: 6/10/2009 11:11:01 PM - Installed Windows XP Wdf01005.
RP500: 6/11/2009 10:14:33 AM - Software Distribution Service 3.0
RP501: 6/15/2009 11:07:26 AM - System Checkpoint
RP502: 6/18/2009 12:44:18 AM - System Checkpoint
RP503: 6/20/2009 12:31:35 AM - Software Distribution Service 3.0
RP504: 6/21/2009 8:46:26 AM - System Checkpoint
RP505: 6/22/2009 8:46:42 AM - System Checkpoint
RP506: 6/22/2009 5:50:07 PM - Software Distribution Service 3.0
RP507: 6/23/2009 11:01:52 AM - Software Distribution Service 3.0
RP508: 6/25/2009 12:42:42 PM - System Checkpoint
RP509: 6/27/2009 12:15:53 AM - System Checkpoint
RP510: 6/28/2009 1:44:34 PM - System Checkpoint
RP511: 7/2/2009 3:01:29 PM - System Checkpoint
RP512: 7/3/2009 4:18:06 PM - System Checkpoint
RP513: 7/5/2009 11:59:58 PM - System Checkpoint
RP514: 7/7/2009 10:42:43 PM - System Checkpoint
RP515: 7/11/2009 11:18:47 AM - System Checkpoint
RP516: 11/3/2009 3:27:13 AM - ComboFix created restore point
RP517: 11/3/2009 4:07:05 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
AIM 6
AIM Toolbar
AIMTunes
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
Ask Toolbar
Atheros Client Utility
Atheros Wireless LAN MiniPCI/PCIe card Driver
ATI Control Panel
ATI Display Driver
Bejeweled 2 Deluxe
CCleaner (remove only)
CCScore
CD/DVD Drive Acoustic Silencer
Critical Update for Windows Media Player 11 (KB959772)
Desktop Dialer
Download Updater (AOL LLC)
DVD-RAM Driver
EPSON Printer Software
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Exam Guide North Carolina
fflink
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 7
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
LiveUpdate 3.1 (Symantec Corporation)
Logitech Audio Echo Cancellation Component
Logitech Video Enumerator
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MVision
MySpaceIM
netbrdg
Netflix Movie Viewer
Office 2003 Trial Assistant
OfotoXMI
Otto
Picasa 2
Polar Bowler
Polar Golfer
QuickTime
RealPlayer Basic
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
SCRABBLE
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SFR
SHASTA
skin0001
SKINXSDK
Sonic Encoders
staticcr
Synaptics Pointing Device Driver
tooltips
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Game Console
Toshiba Hotkey Utility
Toshiba Media Center Game Console
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Touchpad Utility
Toshiba Utility
TOSHIBA Zooming Utility
Touch and Launch
Uninstall AOL Emergency Connect Utility 1.0
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
VPRINTOL
WebFldrs XP
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WIRELESS
Yahoo! Music Engine

==== Event Viewer Messages From Past Week ========

11/3/2009 3:39:44 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000369' while processing the file 'Combo-Fix.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/3/2009 3:33:48 AM, error: PlugPlayManager [11] - The device Root\LEGACY_NPF\0000 disappeared from the system without first being prepared for removal.
11/3/2009 3:22:55 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
11/3/2009 3:19:40 AM, error: Service Control Manager [7034] - The Microsoft .NET Framework v1.0.3705 Update service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 7:33:01 AM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
11/2/2009 7:33:01 AM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
11/2/2009 7:33:01 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
11/2/2009 7:33:01 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
11/2/2009 7:33:01 AM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2.
11/2/2009 7:33:01 AM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2.
11/2/2009 5:15:01 PM, error: Print [6161] - The document Friday,_October_16,_2009[1].pdf owned by new failed to print on printer Auto HP PSC 750 on RUSSWINXP. Data type: NT EMF 1.008. Size of the spool file in bytes: 3063040. Number of bytes printed: 0. Total number of pages in the document: 3. Number of pages printed: 0. Client machine: \\TOSHIBA-USER. Win32 error code returned by the print processor: 53 (0x35).
11/2/2009 5:14:52 PM, error: Print [6161] - The document Friday,_October_16,_2009[1].pdf owned by new failed to print on printer Auto HP PSC 750 on RUSSWINXP. Data type: NT EMF 1.008. Size of the spool file in bytes: 3145728. Number of bytes printed: 0. Total number of pages in the document: 3. Number of pages printed: 0. Client machine: \\TOSHIBA-USER. Win32 error code returned by the print processor: 53 (0x35).
11/1/2009 4:00:22 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework, Version 2.0 (KB928365).
11/1/2009 12:35:48 AM, error: Service Control Manager [7000] - The Microsoft .NET Framework v1.1.4322 Update service failed to start due to the following error: The system cannot find the file specified.
11/1/2009 12:34:42 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================

#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:03:08 AM

Posted 03 November 2009 - 03:58 PM

Hi,

Uninstall Ask Toolbar if not installed on purpose.


Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 16.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.



#14 cawrenn

cawrenn
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:08 PM

Posted 04 November 2009 - 07:12 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 4, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, November 04, 2009 05:26:53
Records in database: 3126921
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 68080
Threats found: 10
Infected objects found: 20
Suspicious objects found: 0
Scan duration: 01:51:31


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06D80000\4EFC6BF6.VBN Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.lu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06D80001\4EFC6C07.VBN Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.lu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E8C0000\4ECE7473.VBN Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E8C0002\4ECE78ED.VBN Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E8C0003\4ECE7B3E.VBN Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E8C0004\4ECE7B70.VBN Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E8C0006\4ECE9823.VBN Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E8C0007\4ECC5EDA.VBN Infected: Trojan-Clicker.WMA.Agent.d 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACphevmtivpuxnkbymx.sys.vir Infected: Rootkit.Win32.Agent.moy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgevoqwbwtixjikpki.dll.vir Infected: Trojan.Win32.Tdss.ajkj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpamechrxskytdwqlj.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpetjgvsyfjxbxldmb.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpwsrfqxmnmdplwdxr.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqbxqtcejxxtuvdlul.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP515\A0080241.sys Infected: Rootkit.Win32.Agent.moy 1
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP515\A0080242.dll Infected: Trojan.Win32.Tdss.ajkj 1
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP515\A0080243.dll Infected: Trojan.Win32.Tdss.anrc 1
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP515\A0080244.dll Infected: Packed.Win32.TDSS.y 1
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP515\A0080245.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{ADAE5F4D-3A8F-42F7-8894-D60087AD60B2}\RP515\A0080246.dll Infected: Trojan.Win32.TDSS.adzz 1

Selected area has been scanned.


DDS (Ver_09-10-26.01) - NTFSx86
Run by new at 4:44:32.70 on Wed 11/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.573 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\new\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=187&sid=av
uURLSearchHooks: H - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe --> c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-21 24652]

=============== Created Last 30 ================

2009-11-04 09:37:00 0 d-----w- C:\cawrenn.exe18c
2009-11-04 06:50:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-04 06:50:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-04 05:42:38 0 d-----w- c:\windows\system32\Adobe
2009-11-04 05:23:01 0 d-----w- C:\cawrenn.exe23018c
2009-11-03 13:41:06 0 d-----w- c:\docume~1\new\applic~1\Malwarebytes
2009-11-03 13:41:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 13:41:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 13:41:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 07:21:03 0 d-sha-r- C:\cmdcons
2009-11-03 07:18:46 98816 ----a-w- c:\windows\sed.exe
2009-11-03 07:18:46 77312 ----a-w- c:\windows\MBR.exe
2009-11-03 07:18:46 236544 ----a-w- c:\windows\PEV.exe
2009-11-03 07:18:46 161792 ----a-w- c:\windows\SWREG.exe
2009-11-03 07:18:31 0 d-----w- C:\cawrenn.exe
2009-11-03 07:00:11 0 d-----w- C:\AVGTemp
2009-10-26 04:37:23 0 d-----w- c:\program files\CCleaner
2009-10-19 05:44:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 05:31:29 3550592 ----a-w- C:\explorer.exe.exe
2009-10-16 16:36:30 0 d-----w- C:\$AVG8.VAULT$
2009-10-16 07:29:34 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-08 16:02:10 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-10-07 20:38:15 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-07 20:38:15 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 20:38:15 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-07 20:38:15 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-07 20:38:15 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-07 20:38:14 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-07 20:38:14 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-07 20:38:14 0 d-----w- C:\a6badf2579fe530f70862efe516988
2009-10-07 20:37:54 0 d-----w- c:\windows\SxsCaPendDel
2009-10-05 18:55:29 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-03-05 20:21:42 16384 -csha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2009-07-14 19:30:45 16384 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-03-05 17:11:12 16384 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-24 10:02:35 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122420081225\index.dat

============= FINISH: 4:44:40.82 ===============
DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/9/2006 4:17:49 PM
System Uptime: 11/4/2009 2:36:07 AM (2 hours ago)

Motherboard: TOSHIBA | | Satellite L35
Processor: Intel® Celeron® M CPU 410 @ 1.46GHz | U23 | 1466/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 81.327 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP516: 11/3/2009 3:27:13 AM - ComboFix created restore point
RP517: 11/3/2009 4:07:05 AM - Software Distribution Service 3.0
RP518: 11/4/2009 1:36:21 AM - Removed Adobe Reader 7.0
RP519: 11/4/2009 2:06:29 AM - Removed Java™ 6 Update 5
RP520: 11/4/2009 2:07:20 AM - Removed Java™ SE Runtime Environment 6 Update 1
RP521: 11/4/2009 2:11:17 AM - Removed J2SE Runtime Environment 5.0 Update 7
RP522: 11/4/2009 2:49:38 AM - Installed Java™ 6 Update 17
RP523: 11/4/2009 4:00:57 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Shockwave Player 11.5
AIM 6
AIM Toolbar
AIMTunes
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
Atheros Client Utility
Atheros Wireless LAN MiniPCI/PCIe card Driver
ATI Control Panel
ATI Display Driver
Bejeweled 2 Deluxe
CCleaner (remove only)
CCScore
CD/DVD Drive Acoustic Silencer
Critical Update for Windows Media Player 11 (KB959772)
Desktop Dialer
Download Updater (AOL LLC)
DVD-RAM Driver
EPSON Printer Software
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Exam Guide North Carolina
fflink
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
InterVideo WinDVD for TOSHIBA
Java™ 6 Update 17
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
LiveUpdate 3.1 (Symantec Corporation)
Logitech Audio Echo Cancellation Component
Logitech Video Enumerator
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MVision
MySpaceIM
netbrdg
Netflix Movie Viewer
Office 2003 Trial Assistant
OfotoXMI
Otto
Picasa 2
Polar Bowler
Polar Golfer
QuickTime
RealPlayer Basic
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
SCRABBLE
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SFR
SHASTA
skin0001
SKINXSDK
Sonic Encoders
staticcr
Synaptics Pointing Device Driver
tooltips
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Game Console
Toshiba Hotkey Utility
Toshiba Media Center Game Console
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Touchpad Utility
Toshiba Utility
TOSHIBA Zooming Utility
Touch and Launch
Uninstall AOL Emergency Connect Utility 1.0
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
VPRINTOL
WebFldrs XP
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WIRELESS
Yahoo! Music Engine

==== Event Viewer Messages From Past Week ========

11/4/2009 5:37:42 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/3/2009 3:39:44 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000369' while processing the file 'Combo-Fix.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/3/2009 3:33:48 AM, error: PlugPlayManager [11] - The device Root\LEGACY_NPF\0000 disappeared from the system without first being prepared for removal.
11/3/2009 3:22:55 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
11/3/2009 3:19:40 AM, error: Service Control Manager [7034] - The Microsoft .NET Framework v1.0.3705 Update service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 7:33:01 AM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
11/2/2009 7:33:01 AM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
11/2/2009 7:33:01 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
11/2/2009 7:33:01 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
11/2/2009 7:33:01 AM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2.
11/2/2009 7:33:01 AM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2.
11/2/2009 5:15:01 PM, error: Print [6161] - The document Friday,_October_16,_2009[1].pdf owned by new failed to print on printer Auto HP PSC 750 on RUSSWINXP. Data type: NT EMF 1.008. Size of the spool file in bytes: 3063040. Number of bytes printed: 0. Total number of pages in the document: 3. Number of pages printed: 0. Client machine: \\TOSHIBA-USER. Win32 error code returned by the print processor: 53 (0x35).
11/2/2009 5:14:52 PM, error: Print [6161] - The document Friday,_October_16,_2009[1].pdf owned by new failed to print on printer Auto HP PSC 750 on RUSSWINXP. Data type: NT EMF 1.008. Size of the spool file in bytes: 3145728. Number of bytes printed: 0. Total number of pages in the document: 3. Number of pages printed: 0. Client machine: \\TOSHIBA-USER. Win32 error code returned by the print processor: 53 (0x35).
11/1/2009 4:00:22 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework, Version 2.0 (KB928365).
11/1/2009 12:35:48 AM, error: Service Control Manager [7000] - The Microsoft .NET Framework v1.1.4322 Update service failed to start due to the following error: The system cannot find the file specified.
11/1/2009 12:34:42 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================


ComboFix 09-11-03.03 - new 11/04/2009 4:38.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.625 [GMT -5:00]
Running from: c:\documents and settings\new\Desktop\cawrenn.exe.exe
Command switches used :: c:\documents and settings\new\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-04 06:50 . 2009-11-04 06:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-04 05:42 . 2009-11-04 05:45 -------- d-----w- c:\windows\system32\Adobe
2009-11-04 05:23 . 2009-11-04 05:30 -------- d-----w- C:\cawrenn.exe23018c
2009-11-03 13:41 . 2009-11-03 13:41 -------- d-----w- c:\documents and settings\new\Application Data\Malwarebytes
2009-11-03 13:41 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 13:41 . 2009-11-03 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-03 13:41 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 07:18 . 2009-11-03 07:39 -------- d-----w- C:\cawrenn.exe
2009-11-03 07:00 . 2009-11-03 07:14 -------- d-----w- C:\AVGTemp
2009-10-26 04:37 . 2009-10-26 04:37 -------- d-----w- c:\program files\CCleaner
2009-10-26 02:29 . 2009-10-26 02:29 -------- d-----w- c:\program files\Alwil Software
2009-10-19 08:07 . 2009-10-19 21:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-19 05:44 . 2009-11-03 13:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 05:31 . 2009-10-19 05:31 3550592 ----a-w- C:\explorer.exe.exe
2009-10-16 18:04 . 2009-10-16 18:04 -------- d-----w- c:\documents and settings\new\Application Data\AdobeUM
2009-10-16 16:36 . 2009-11-02 12:14 -------- d-----w- C:\$AVG8.VAULT$
2009-10-16 07:29 . 2009-11-03 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-13 05:38 . 2009-10-13 05:38 -------- d-----w- c:\documents and settings\new\Local Settings\Application Data\AIM
2009-10-08 18:22 . 2009-10-08 18:22 -------- d-----w- c:\documents and settings\new\Local Settings\Application Data\PCHealth
2009-10-07 20:38 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-07 20:38 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-07 20:38 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-07 20:38 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-07 20:38 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 20:38 . 2009-10-07 20:38 -------- d-----w- C:\a6badf2579fe530f70862efe516988
2009-10-07 20:38 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-07 20:38 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-07 20:37 . 2009-10-26 05:30 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-06 16:15 . 2009-10-06 16:15 -------- d-----w- c:\documents and settings\new\Local Settings\Application Data\Adobe
2009-10-05 20:09 . 2009-10-05 20:09 -------- d-----w- c:\documents and settings\new\Local Settings\Application Data\KodakGallery
2009-10-05 20:06 . 2009-10-05 20:06 -------- d-----w- c:\documents and settings\new\Application Data\acccore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 06:49 . 2006-10-19 08:17 -------- d-----w- c:\program files\Java
2009-11-03 08:41 . 2006-10-19 07:04 50088 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 05:21 . 2009-10-19 05:21 -------- d-----w- c:\documents and settings\This One\Application Data\Viewpoint
2009-10-14 23:05 . 2009-02-26 04:11 50088 -c--a-w- c:\documents and settings\C&M Dawg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 20:54 . 2007-04-19 01:07 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-10-06 01:21 . 2007-04-19 01:06 -------- d-----w- c:\program files\Logitech
2009-09-11 14:18 . 2006-10-19 04:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-10-19 04:52 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-10-19 04:53 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-06-22 21:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-10-19 04:52 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-10-19 04:54 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2006-10-19 05:20 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-10-19 05:20 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-10-19 05:20 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 12:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-10-19 05:20 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2006-10-19 04:52 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-10-19 05:20 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-10-19 05:20 1929952 ----a-w- c:\windows\system32\wuaueng.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-03_08.21.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-04 05:45 . 2009-11-04 05:45 87618 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2009-10-29 05:27 . 2009-10-29 05:27 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-10-29 04:55 . 2009-10-29 04:55 79488 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2009-10-29 05:45 . 2009-10-29 05:45 67000 c:\windows\system32\Adobe\Director\SWDNLD.EXE
+ 2009-10-29 05:29 . 2009-10-29 05:29 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-11-04 06:50 . 2009-11-04 06:49 149280 c:\windows\system32\javaws.exe
+ 2009-11-04 06:50 . 2009-11-04 06:49 145184 c:\windows\system32\javaw.exe
+ 2009-11-04 06:50 . 2009-11-04 06:49 145184 c:\windows\system32\java.exe
- 2006-12-09 21:17 . 2006-12-09 21:13 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2006-12-09 21:17 . 2009-11-04 06:06 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-10-29 04:55 . 2009-10-29 04:55 132472 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 2009-10-29 05:27 . 2009-10-29 05:27 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2009-10-29 05:43 . 2009-10-29 05:43 464312 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1152602.exe
+ 2009-10-29 05:29 . 2009-10-29 05:29 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2009-10-29 05:28 . 2009-10-29 05:28 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2009-10-29 04:55 . 2009-10-29 04:55 713216 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2009-10-29 05:26 . 2009-10-29 05:26 503808 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2009-10-29 05:44 . 2009-10-29 05:44 210360 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2009-10-29 05:28 . 2009-10-29 05:28 131072 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2009-10-29 05:01 . 2009-10-29 05:01 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2009-10-29 04:55 . 2009-10-29 04:55 1886320 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2009-10-29 05:05 . 2009-10-29 05:05 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2009-11-04 06:49 . 2009-11-04 06:49 1757696 c:\windows\Installer\c4493.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-04 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-14 5562368]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\TOSHIBA\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\TOSHIBA\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\TOSHIBA\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"TODDSrv"=2 (0x2)
"Swupdtmr"=2 (0x2)
"ose"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iWinTrusted"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"avg8wd"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)
"ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\1246637031\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe --> c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 10:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 10:49 PM 8320]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/21/2008 11:41 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.aportals.net/pubac/ac.php?aid=187&sid=av
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 04:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1248)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-04 4:43
ComboFix-quarantined-files.txt 2009-11-04 09:43
ComboFix2.txt 2009-11-04 05:29
ComboFix3.txt 2009-11-03 08:23

Pre-Run: 87,248,826,368 bytes free
Post-Run: 87,296,749,568 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=1 Sets=1,2,3,4
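Pulling the autostart and service entries out of a ComboFix log by hand is slow and error-prone. The script below is an added example for this thread, not code from ComboFix, DDS or BleepingComputer: it parses the three line formats visible in the log above (the "Files Created" listing, the Run-key values, and the R/S service lines) from a constructed excerpt copied out of that log, and flags three things for review: a service whose binary ComboFix marked `[?]` (it could not read the file's timestamp or size, which on this machine lines up with the Service Control Manager 7000 "cannot find the file specified" event for the same service in the DDS attach log), an executable created directly under the drive root, and a Run value living under HKEY_USERS\.DEFAULT instead of a user's hive. The finding labels, the `EXPECTED_ROOTS` path heuristic and the executable-extension list are this example's own assumptions; they produce items to look at, not verdicts.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example for this thread; not ComboFix, DDS or BleepingComputer code.
The finding labels and path heuristics below are this example's own assumptions.
"""
import re
from typing import List, Tuple

# Constructed sample input: lines copied from the ComboFix log posted above and
# reassembled as a short excerpt (not a complete log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
2009-11-04 06:50 . 2009-11-04 06:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-04 05:23 . 2009-11-04 05:30 -------- d-----w- C:\cawrenn.exe23018c
2009-10-19 05:31 . 2009-10-19 05:31 3550592 ----a-w- C:\explorer.exe.exe
2009-11-03 13:41 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-04 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-14 5562368]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe --> c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/21/2008 11:41 PM 24652]
"""

# "Files Created" line: created . modified size attrs path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Registry key header that precedes Run-key values
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Run-key value: "Name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<stamp>[^\]]*)\]$')
# Service/driver line: R2/S3... name;description;path [date size]  or  [?]
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+) \[(?P<stamp>[^\]]*)\]$"
)
# Path directly under a drive root, e.g. C:\explorer.exe.exe
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl")
# Heuristic (assumption): autostart binaries are expected under these trees
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_log(text: str):
    """Split a log excerpt into (files, run_entries, services) tuples."""
    files, runs, services = [], [], []
    current_key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m and current_key:
            runs.append((current_key, m.group("name"), m.group("path"), m.group("stamp")))
            continue
        m = SVC_RE.match(line)
        if m:
            # ComboFix prints "registered --> looked-up" when it could not verify
            # the file; keep the first (registered) path for reporting.
            path = m.group("path").split(" --> ")[0]
            services.append((m.group("start"), m.group("name"), path, m.group("stamp")))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append((m.group("path"), m.group("attrs"), m.group("size")))
    return files, runs, services


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs worth a human look. Labels are this example's own."""
    files, runs, services = parse_log(text)
    findings: List[Tuple[str, str]] = []
    for _start, _name, path, stamp in services:
        # ComboFix prints [?] when it cannot read the binary's timestamp/size;
        # the DDS attach log above shows SCM event 7000 for this same service.
        if stamp.strip() == "?":
            findings.append(("unresolved-binary", path))
    for key, _name, path, _stamp in runs:
        if key.upper().startswith("HKEY_USERS\\.DEFAULT"):
            # .DEFAULT is not an interactive user's profile; unusual for IM software.
            findings.append(("default-hive-autostart", path))
        elif not path.lower().startswith(EXPECTED_ROOTS):
            findings.append(("autostart-outside-program-dirs", path))
    for path, attrs, _size in files:
        if attrs.startswith("d"):
            continue  # directory entry, not a file
        if ROOT_RE.match(path) and path.lower().endswith(EXEC_EXT):
            findings.append(("root-level-executable", path))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE_LOG):
        print(f"{kind:32} {path}")
```

Run it as a script and it prints one line per finding; to use it on a full log, pass the file contents to `triage()` instead of `SAMPLE_LOG`. Every flagged item still needs the human judgement the helpers in this thread apply: a `[?]` service is often just a stale registration from an uninstalled product, and a root-level executable is only as suspicious as its origin.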

#15 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:08 AM

Posted 04 November 2009 - 09:51 AM

Good. All detected items seem to be either quarantined (not harmful anymore) or in system restore. We'll clean the system restore in the final phase.

How's the system running now? Are there still issues left?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware-removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.