Avast Continually Reports tdlwsp.dll has Win32:Alureon


This topic is locked
13 replies to this topic

#1 ridius (Members, 7 posts)

Posted 04 November 2009 - 12:20 AM

I am helping my father clean his Fujitsu Tablet PC running Windows XP Tablet edition. The machine had multiple infections (probably because he didn't have his firewall turned on) and I was able to remove all but one using Avast's Boot Scan function.

Avast OnAccess scanner continually reports finding Win32:Alureon in C:\WINDOWS\system32\tdlwsp.dll. I have continually moved this file to the Chest (Vault), deleted it, etc., and it keeps coming back (about every 10 minutes or so).

I've tried a regular Avast Scan, the scheduled boot scan, and using Windows Defender (which doesn't even find anything). Nothing seems to fix this problem.

I read the guide and my included logs are below and attached.

Thanks in advance for your help!

Ridius

-------------------------------------------------

DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 20:42:40.32 on Tue 11/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.42 [GMT -8:00]

AV: avast! antivirus 4.8.1356 [VPS 091103-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.floorsoft.com/FloorWizard/web/Logon.jsp
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
{621d183a-6e7a-4e8d-ab21-ecb13a9565dd}
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9a7b590b-4b0a-4920-8dd6-68844d42b124}: {421b24d4-4886-6dd8-0294-a0b4b095b7a9}
BHO: {a057a204-bacc-4d26-9990-79a187e2698e} - AVG Security Toolbar
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: SpeedRunner Bar: {cafb2180-ba09-11dc-95ff-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [FjDspMon] c:\program files\fujitsu\utils\FjDspMon.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [FJUPDNV_Chitose] c:\program files\fujitsu\fjdvrupd\fjdvrupd.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\belkin\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Send To &Bluetooth - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: bmnet.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134482716859
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156193674890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {4B8DB25F-99F8-4BFA-BA49-37318E172D40} = 65.106.4.146,65.106.7.146
TCP: {5C55CCF8-D010-487C-A167-67B940720C4E} = 66.7.224.17,66.7.224.18
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: nnnnLcBU - nnnnLcBU.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: wjqrsn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efccDwxw

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pphxpyfa.default\
FF - prefs.js: browser.startup.homepage - www.drummerworld.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2005-12-20 9216]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64288]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-7-2 32320]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-7-2 23200]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-25 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-25 20560]
R3 DX02;DX02;c:\windows\system32\drivers\dx02.sys [2004-7-29 83712]
R3 Fjbtndrv;Fujitsu LIFEBOOK T3000 Button Driver;c:\windows\system32\drivers\FjBtndrv.sys [2003-6-20 11392]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [2005-7-1 5632]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2005-7-1 31104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
S3 bioschk;FPC BIOS Check Driver;c:\windows\system32\drivers\bioschk.sys [2005-12-13 3909]
S3 FjGenIo;FPC Generic I/O Driver;c:\windows\system32\drivers\FjGenIo.sys [2005-12-13 7168]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-7-1 32640]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2007-6-27 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2007-6-27 73856]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-9-18 109080]

=============== Created Last 30 ================

2009-11-03 22:15:39 0 d-----w- C:\mytmp
2009-11-03 21:23:31 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 21:10:11 0 d-----w- c:\docume~1\admini~1\applic~1\Windows Desktop Search
2009-11-03 19:19:14 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-11-03 19:19:10 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-11-03 19:19:09 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-11-03 19:19:05 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-11-03 19:19:00 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-11-03 19:14:13 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-11-03 19:14:13 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2009-11-03 19:14:07 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-11-03 19:14:05 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-11-03 19:14:00 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-11-03 19:13:58 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2009-11-03 19:13:08 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2009-11-03 19:13:02 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2009-11-03 19:11:58 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2009-11-03 19:10:58 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2009-11-03 19:09:56 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2009-11-03 19:08:55 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2009-11-03 19:07:57 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2009-11-03 19:06:58 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2009-11-03 19:05:57 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-11-03 19:04:59 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2009-11-03 19:03:57 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2009-11-03 19:02:59 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-11-03 19:01:57 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-11-03 19:00:55 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2009-11-03 18:59:58 112574 -c--a-w- c:\windows\system32\dllcache\ptserlp.sys
2009-11-03 18:58:58 173696 -c--a-w- c:\windows\system32\dllcache\philcam2.sys
2009-11-03 18:57:57 25216 -c--a-w- c:\windows\system32\dllcache\ovsound2.sys
2009-11-03 18:57:53 39424 -c--a-w- c:\windows\system32\dllcache\ovcoms.exe
2009-11-03 18:57:49 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2009-11-03 18:57:46 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
2009-11-03 18:57:42 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2009-11-03 18:57:39 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2009-11-03 18:57:35 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2009-11-03 18:57:32 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2009-11-03 18:57:28 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-11-03 18:57:25 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2009-11-03 18:57:21 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2009-11-03 18:57:18 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2009-11-03 18:57:13 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2009-11-03 18:56:54 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2009-11-03 18:56:51 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2009-11-03 18:56:38 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2009-11-03 18:56:38 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-11-03 18:56:32 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2009-11-03 18:56:29 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2009-11-03 18:56:27 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2009-11-03 18:56:17 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2009-11-03 18:56:13 126080 -c--a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-11-03 18:56:07 53248 -c--a-w- c:\windows\system32\dllcache\nextlink.dll
2009-11-03 18:56:07 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2009-11-03 18:56:05 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
2009-11-02 23:32:06 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2009-11-02 23:32:00 39264 -c--a-w- c:\windows\system32\dllcache\neo20xx.sys
2009-11-02 23:30:55 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2009-11-02 23:30:36 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-11-02 23:30:34 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2009-11-02 23:30:26 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-11-02 23:30:11 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-11-02 23:30:08 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2009-11-02 23:30:08 1875968 -c--a-w- c:\windows\system32\dllcache\msir3jp.lex
2009-11-02 23:30:07 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-11-02 23:29:51 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2009-11-02 23:29:47 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2009-11-02 23:29:46 56832 -c--a-w- c:\windows\system32\dllcache\msdvbnp.ax
2009-11-02 23:29:45 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2009-11-02 23:29:34 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-11-02 23:29:19 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-11-02 23:29:11 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-11-02 23:27:56 802683 -c--a-w- c:\windows\system32\dllcache\ltsm.sys
2009-11-02 23:26:59 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2009-11-02 23:25:57 7168 -c--a-w- c:\windows\system32\dllcache\isapips.dll
2009-11-02 23:24:56 311359 -c--a-w- c:\windows\system32\dllcache\imepadsv.exe
2009-11-02 23:23:59 141056 -c--a-w- c:\windows\system32\dllcache\icam3.sys
2009-11-02 23:22:59 57471 -c--a-w- c:\windows\system32\dllcache\hsf_samp.sys
2009-11-02 23:21:57 48128 -c--a-w- c:\windows\system32\dllcache\hpgt33tk.dll
2009-11-02 23:20:56 17408 -c--a-w- c:\windows\system32\dllcache\gpr400.sys
2009-11-02 23:20:48 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2009-11-02 23:20:46 10624 -c--a-w- c:\windows\system32\dllcache\gameenum.sys
2009-11-02 23:20:42 322432 -c--a-w- c:\windows\system32\dllcache\g400m.sys
2009-11-02 23:20:40 1733120 -c--a-w- c:\windows\system32\dllcache\g400d.dll
2009-11-02 23:20:37 320384 -c--a-w- c:\windows\system32\dllcache\g200m.sys
2009-11-02 23:20:34 470144 -c--a-w- c:\windows\system32\dllcache\g200d.dll
2009-11-02 23:20:32 454912 -c--a-w- c:\windows\system32\dllcache\fxusbase.sys
2009-11-02 23:20:16 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2009-11-02 23:20:13 455296 -c--a-w- c:\windows\system32\dllcache\fusbbase.sys
2009-11-02 23:20:11 455680 -c--a-w- c:\windows\system32\dllcache\fus2base.sys
2009-11-02 23:20:08 7680 -c--a-w- c:\windows\system32\dllcache\ftpctrs2.dll
2009-11-02 23:20:06 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2009-11-02 23:18:54 45056 -c--a-w- c:\windows\system32\dllcache\esunid.dll
2009-11-02 23:17:59 283904 -c--a-w- c:\windows\system32\dllcache\emu10k1m.sys
2009-11-02 23:16:59 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2009-11-02 23:15:58 6729 -c--a-w- c:\windows\system32\dllcache\disrvci.dll
2009-11-02 23:14:57 110592 -c--a-w- c:\windows\system32\dllcache\dc260usd.dll
2009-11-02 23:13:59 216064 -c--a-w- c:\windows\system32\dllcache\cpscan.dll
2009-11-02 23:12:58 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2009-11-02 23:11:59 66082 -c--a-w- c:\windows\system32\dllcache\c_10005.nls
2009-11-02 23:10:54 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2009-11-02 23:09:59 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2009-11-02 23:08:05 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2009-11-02 23:07:28 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-11-02 23:06:49 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-11-02 23:06:48 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-11-02 23:06:46 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2009-11-02 23:06:44 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-11-02 23:06:43 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2009-11-02 23:06:42 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-11-02 23:06:21 94720 -c--a-w- c:\windows\system32\dllcache\certmap.ocx
2009-10-31 18:46:16 0 d-----w- c:\docume~1\admini~1\applic~1\Windows Search
2009-10-30 04:42:33 0 d-----w- c:\windows\system32\XPSViewer
2009-10-30 04:39:47 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-30 04:39:46 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-30 04:39:45 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-30 04:39:44 0 d-----w- C:\b3e50e7feb725180d95d5300
2009-10-30 04:28:08 0 d-----w- c:\windows\system32\GroupPolicy
2009-10-30 04:28:08 0 d-----w- c:\program files\Windows Desktop Search
2009-10-30 04:24:28 0 d-----w- c:\program files\Windows Media Connect 2
2009-10-30 04:13:23 0 d-----w- c:\windows\system32\URTTemp
2009-10-20 01:16:37 4 ----a-w- c:\windows\system32\bincd32.dat
2009-10-19 15:18:17 0 d-sh--w- c:\windows\system32\lowsec
2009-10-18 23:14:06 58 ----a-w- c:\windows\wp4.dat
2009-10-18 23:14:06 1 ----a-w- c:\windows\wp3.dat
2009-10-18 23:14:00 96 ----a-w- c:\windows\system32\wwp.htm

==================== Find3M ====================

2009-10-08 21:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 21:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-23 12:55:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 02:35:01 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-01-06 23:40:15 670821 -csha-w- c:\windows\system32\wxwDccfe.ini2
2008-12-24 05:00:47 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122320081224\index.dat

============= FINISH: 20:43:37.37 ===============
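When a deleted file keeps reappearing, an analyst reading a DDS report looks first at the load points that run code at boot or inside every process (Winlogon Notify, AppInit_DLLs, LSA authentication packages, Winsock LSPs). The following Python is an added example, not part of this thread or of the DDS tool: it parses those lines and flags the entries worth manual review, with the allowlists and the sample lines (copied from the report above) constructed for the example.

```python
import re

# Winlogon Notify DLLs that DDS lists by bare file name on this machine and that
# belong to the Intel graphics driver and the tablet-PC vendor components seen
# in the log. Assumption: analyst-curated allowlist, not an authoritative list.
KNOWN_NOTIFY = {"igfxdev.dll", "tabbtnwl.dll", "tpgwlnot.dll"}
# msv1_0 is the default LSA authentication package; anything else is unusual.
KNOWN_LSA_PACKAGES = {"msv1_0"}
# No third-party Winsock LSPs are expected on this machine (assumption).
KNOWN_LSP = set()

# Constructed sample: the relevant lines copied from the DDS report above.
SAMPLE_DDS = r"""
LSP: bmnet.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: nnnnLcBU - nnnnLcBU.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: wjqrsn.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efccDwxw
"""


def parse_dds_autostarts(text):
    """Collect the load-point lines of a DDS 'Pseudo HJT Report' by type."""
    found = {"notify": [], "appinit": [], "lsa": [], "lsp": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Notify:\s*(\S+)\s*-\s*(.+)$", line)
        if m:
            # (registry key name, DLL as DDS prints it: bare name or full path)
            found["notify"].append((m.group(1), m.group(2).strip()))
            continue
        m = re.match(r"AppInit_DLLs:\s*(.*)$", line)
        if m:
            found["appinit"].extend(d for d in re.split(r"[,\s]+", m.group(1)) if d)
            continue
        m = re.match(r"LSA:\s*Authentication Packages\s*=\s*(.*)$", line)
        if m:
            found["lsa"].extend(m.group(1).split())
            continue
        m = re.match(r"LSP:\s*(.+)$", line)
        if m:
            found["lsp"].extend(d.strip() for d in m.group(1).split(",") if d.strip())
    return found


def triage(text):
    """Return sorted (load point, value, reason) tuples that deserve manual review."""
    found = parse_dds_autostarts(text)
    hits = []
    for _key, target in found["notify"]:
        # A Notify DLL given without a path is loaded from the system search path;
        # unknown ones are flagged, allowlisted vendor DLLs are not.
        if "\\" not in target and target.lower() not in KNOWN_NOTIFY:
            hits.append(("Notify", target,
                         "Winlogon notification DLL with no path, not in allowlist"))
    for dll in found["appinit"]:
        # AppInit_DLLs is injected into every process that loads user32.dll;
        # legitimate use is rare enough that any entry is reviewed.
        hits.append(("AppInit_DLLs", dll, "DLL injected into every user32 process"))
    for pkg in found["lsa"]:
        if pkg.lower() not in KNOWN_LSA_PACKAGES:
            hits.append(("LSA Authentication Packages", pkg,
                         "extra package loaded by lsass.exe at boot"))
    for dll in found["lsp"]:
        if dll.lower() not in KNOWN_LSP:
            hits.append(("LSP", dll, "layered service provider sees all socket traffic"))
    return sorted(hits)


if __name__ == "__main__":
    for load_point, value, reason in triage(SAMPLE_DDS):
        print(f"{load_point:28} {value:40} {reason}")
```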

#2 SifuMike (malware expert; Members, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 06 November 2009 - 11:44 PM

Hello ridius,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan"

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#3 ridius (Topic Starter; Members, 7 posts)

Posted 08 November 2009 - 02:25 PM

Edit: forgot to add the MBAM log

Here are the requested logs:

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Windows Defender
Eusing Free Registry Cleaner
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
``````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````


DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 11:22:20.34 on Sun 11/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.81 [GMT -8:00]

AV: avast! antivirus 4.8.1356 [VPS 091108-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\My Documents\BleepingComputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.floorsoft.com/FloorWizard/web/Logon.jsp
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
{621d183a-6e7a-4e8d-ab21-ecb13a9565dd}
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9a7b590b-4b0a-4920-8dd6-68844d42b124}: {421b24d4-4886-6dd8-0294-a0b4b095b7a9}
BHO: {a057a204-bacc-4d26-9990-79a187e2698e} - AVG Security Toolbar
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: SpeedRunner Bar: {cafb2180-ba09-11dc-95ff-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [FjDspMon] c:\program files\fujitsu\utils\FjDspMon.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [FJUPDNV_Chitose] c:\program files\fujitsu\fjdvrupd\fjdvrupd.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\belkin\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Send To &Bluetooth - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: bmnet.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134482716859
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156193674890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {4B8DB25F-99F8-4BFA-BA49-37318E172D40} = 65.106.4.146,65.106.7.146
TCP: {5C55CCF8-D010-487C-A167-67B940720C4E} = 66.7.224.17,66.7.224.18
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: nnnnLcBU - nnnnLcBU.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: wjqrsn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efccDwxw

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pphxpyfa.default\
FF - prefs.js: browser.startup.homepage - www.drummerworld.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2005-12-20 9216]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64288]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-7-2 32320]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-7-2 23200]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-25 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-25 20560]
R3 DX02;DX02;c:\windows\system32\drivers\dx02.sys [2004-7-29 83712]
R3 Fjbtndrv;Fujitsu LIFEBOOK T3000 Button Driver;c:\windows\system32\drivers\FjBtndrv.sys [2003-6-20 11392]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [2005-7-1 5632]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2005-7-1 31104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
S3 bioschk;FPC BIOS Check Driver;c:\windows\system32\drivers\bioschk.sys [2005-12-13 3909]
S3 FjGenIo;FPC Generic I/O Driver;c:\windows\system32\drivers\FjGenIo.sys [2005-12-13 7168]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-7-1 32640]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2007-6-27 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2007-6-27 73856]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-9-18 109080]

=============== Created Last 30 ================

2009-11-08 17:48:46 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-11-08 17:48:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 17:48:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 17:48:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 17:48:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 22:15:39 0 d-----w- C:\mytmp
2009-11-03 21:23:31 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 21:10:11 0 d-----w- c:\docume~1\admini~1\applic~1\Windows Desktop Search
2009-11-03 19:19:14 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-11-03 19:19:10 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-11-03 19:19:09 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-11-03 19:19:05 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-11-03 19:19:00 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-11-03 19:14:13 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-11-03 19:14:13 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2009-11-03 19:14:07 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-11-03 19:14:05 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-11-03 19:14:00 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-11-03 19:13:58 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2009-11-03 19:13:08 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2009-11-03 19:13:02 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2009-11-03 19:11:58 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2009-11-03 19:10:58 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2009-11-03 19:09:56 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2009-11-03 19:08:55 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2009-11-03 19:07:57 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2009-11-03 19:06:58 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2009-11-03 19:05:57 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-11-03 19:04:59 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2009-11-03 19:03:57 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2009-11-03 19:02:59 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-11-03 19:01:57 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-11-03 19:00:55 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2009-11-03 18:59:58 112574 -c--a-w- c:\windows\system32\dllcache\ptserlp.sys
2009-11-03 18:58:58 173696 -c--a-w- c:\windows\system32\dllcache\philcam2.sys
2009-11-03 18:57:57 25216 -c--a-w- c:\windows\system32\dllcache\ovsound2.sys
2009-11-03 18:57:53 39424 -c--a-w- c:\windows\system32\dllcache\ovcoms.exe
2009-11-03 18:57:49 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2009-11-03 18:57:46 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
2009-11-03 18:57:42 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2009-11-03 18:57:39 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2009-11-03 18:57:35 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2009-11-03 18:57:32 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2009-11-03 18:57:28 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-11-03 18:57:25 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2009-11-03 18:57:21 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2009-11-03 18:57:18 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2009-11-03 18:57:13 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2009-11-03 18:56:54 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2009-11-03 18:56:51 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2009-11-03 18:56:38 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2009-11-03 18:56:38 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-11-03 18:56:32 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2009-11-03 18:56:29 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2009-11-03 18:56:27 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2009-11-03 18:56:17 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2009-11-03 18:56:13 126080 -c--a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-11-03 18:56:07 53248 -c--a-w- c:\windows\system32\dllcache\nextlink.dll
2009-11-03 18:56:07 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2009-11-03 18:56:05 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
2009-11-02 23:32:06 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2009-11-02 23:32:00 39264 -c--a-w- c:\windows\system32\dllcache\neo20xx.sys
2009-11-02 23:30:55 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2009-11-02 23:30:36 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-11-02 23:30:34 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2009-11-02 23:30:26 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-11-02 23:30:11 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-11-02 23:30:08 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2009-11-02 23:30:08 1875968 -c--a-w- c:\windows\system32\dllcache\msir3jp.lex
2009-11-02 23:30:07 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-11-02 23:29:51 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2009-11-02 23:29:47 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2009-11-02 23:29:46 56832 -c--a-w- c:\windows\system32\dllcache\msdvbnp.ax
2009-11-02 23:29:45 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2009-11-02 23:29:34 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-11-02 23:29:19 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-11-02 23:29:11 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-11-02 23:27:56 802683 -c--a-w- c:\windows\system32\dllcache\ltsm.sys
2009-11-02 23:26:59 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2009-11-02 23:25:57 7168 -c--a-w- c:\windows\system32\dllcache\isapips.dll
2009-11-02 23:24:56 311359 -c--a-w- c:\windows\system32\dllcache\imepadsv.exe
2009-11-02 23:23:59 141056 -c--a-w- c:\windows\system32\dllcache\icam3.sys
2009-11-02 23:22:59 57471 -c--a-w- c:\windows\system32\dllcache\hsf_samp.sys
2009-11-02 23:21:57 48128 -c--a-w- c:\windows\system32\dllcache\hpgt33tk.dll
2009-11-02 23:20:56 17408 -c--a-w- c:\windows\system32\dllcache\gpr400.sys
2009-11-02 23:20:48 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2009-11-02 23:20:46 10624 -c--a-w- c:\windows\system32\dllcache\gameenum.sys
2009-11-02 23:20:42 322432 -c--a-w- c:\windows\system32\dllcache\g400m.sys
2009-11-02 23:20:40 1733120 -c--a-w- c:\windows\system32\dllcache\g400d.dll
2009-11-02 23:20:37 320384 -c--a-w- c:\windows\system32\dllcache\g200m.sys
2009-11-02 23:20:34 470144 -c--a-w- c:\windows\system32\dllcache\g200d.dll
2009-11-02 23:20:32 454912 -c--a-w- c:\windows\system32\dllcache\fxusbase.sys
2009-11-02 23:20:16 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2009-11-02 23:20:13 455296 -c--a-w- c:\windows\system32\dllcache\fusbbase.sys
2009-11-02 23:20:11 455680 -c--a-w- c:\windows\system32\dllcache\fus2base.sys
2009-11-02 23:20:08 7680 -c--a-w- c:\windows\system32\dllcache\ftpctrs2.dll
2009-11-02 23:20:06 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2009-11-02 23:18:54 45056 -c--a-w- c:\windows\system32\dllcache\esunid.dll
2009-11-02 23:17:59 283904 -c--a-w- c:\windows\system32\dllcache\emu10k1m.sys
2009-11-02 23:16:59 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2009-11-02 23:15:58 6729 -c--a-w- c:\windows\system32\dllcache\disrvci.dll
2009-11-02 23:14:57 110592 -c--a-w- c:\windows\system32\dllcache\dc260usd.dll
2009-11-02 23:13:59 216064 -c--a-w- c:\windows\system32\dllcache\cpscan.dll
2009-11-02 23:12:58 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2009-11-02 23:11:59 66082 -c--a-w- c:\windows\system32\dllcache\c_10005.nls
2009-11-02 23:10:54 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2009-11-02 23:09:59 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2009-11-02 23:08:05 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2009-11-02 23:07:28 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-11-02 23:06:49 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-11-02 23:06:48 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-11-02 23:06:46 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2009-11-02 23:06:44 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-11-02 23:06:43 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2009-11-02 23:06:42 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-11-02 23:06:21 94720 -c--a-w- c:\windows\system32\dllcache\certmap.ocx
2009-10-31 18:46:16 0 d-----w- c:\docume~1\admini~1\applic~1\Windows Search
2009-10-30 04:42:33 0 d-----w- c:\windows\system32\XPSViewer
2009-10-30 04:39:47 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-30 04:39:46 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-30 04:39:45 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-30 04:39:44 0 d-----w- C:\b3e50e7feb725180d95d5300
2009-10-30 04:28:08 0 d-----w- c:\windows\system32\GroupPolicy
2009-10-30 04:28:08 0 d-----w- c:\program files\Windows Desktop Search
2009-10-30 04:24:28 0 d-----w- c:\program files\Windows Media Connect 2
2009-10-30 04:13:23 0 d-----w- c:\windows\system32\URTTemp
2009-10-18 23:14:00 96 ----a-w- c:\windows\system32\wwp.htm

==================== Find3M ====================

2009-10-08 21:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 21:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-23 12:55:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 02:35:01 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-01-06 23:40:15 670821 -csha-w- c:\windows\system32\wxwDccfe.ini2
2008-12-24 05:00:47 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122320081224\index.dat

============= FINISH: 11:23:24.60 ===============

Malwarebytes' Anti-Malware 1.41
Database version: 3128
Windows 5.1.2600 Service Pack 3

11/8/2009 11:08:35 AM
mbam-log-2009-11-08 (11-08-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 203821
Time elapsed: 1 hour(s), 15 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 36
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0b63-ff35-4ba9-8be8-aa9eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.dll (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.dll (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Administrator\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{8E5A7E47-8731-42AB-9066-1D66C6F23A59}\RP522\A0536626.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8E5A7E47-8731-42AB-9066-1D66C6F23A59}\RP522\A0536634.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8E5A7E47-8731-42AB-9066-1D66C6F23A59}\RP522\A0536642.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8E5A7E47-8731-42AB-9066-1D66C6F23A59}\RP522\A0536652.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8E5A7E47-8731-42AB-9066-1D66C6F23A59}\RP522\A0536661.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8E5A7E47-8731-42AB-9066-1D66C6F23A59}\RP523\A0537661.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8E5A7E47-8731-42AB-9066-1D66C6F23A59}\RP523\A0537671.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8E5A7E47-8731-42AB-9066-1D66C6F23A59}\RP523\A0538671.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8E5A7E47-8731-42AB-9066-1D66C6F23A59}\RP524\A0538709.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\peyb.tmp (Backdoor.ProRat) -> Quarantined and deleted successfully.
C:\WINDOWS\wp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

After the reboot, I'm still having the same problem.

Ridius

Edited by ridius, 08 November 2009 - 02:31 PM.
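A small triage script, added here as an example and not part of the thread, that pulls the persistence entries a responder checks first (Winlogon Notify, AppInit_DLLs, SecurityProviders, LSA Authentication Packages) out of DDS output like the log above and reports which ones need verification. The stock-XP baseline values and the "already verified" module list are assumptions for the demo; the sample lines are copied from the DDS log posted above, and the script only flags entries for review, it does not decide that anything is malicious.

```python
"""Triage of persistence entries in a DDS log (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Sample input: the Notify / AppInit_DLLs / SecurityProviders / LSA lines from the
# DDS log posted in this thread (raw string so the backslashes survive).
SAMPLE_DDS = r"""Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: nnnnLcBU - nnnnLcBU.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: wjqrsn.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efccDwxw
"""

# Assumed stock Windows XP values; adjust them for the build being examined.
STOCK_AUTH_PACKAGES = {"msv1_0"}
STOCK_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}


@dataclass(frozen=True)
class Finding:
    location: str   # which persistence point the entry lives in
    value: str      # the entry exactly as DDS printed it
    reason: str     # why a responder should look at it


def _split_list(text: str) -> list[str]:
    """Split a DDS value list on commas and whitespace."""
    return [item for item in re.split(r"[,\s]+", text.strip()) if item]


def triage_dds(log_text: str, known_notify_modules: frozenset[str] = frozenset()) -> list[Finding]:
    """Return the persistence entries in a DDS log that need verification."""
    known = {m.lower() for m in known_notify_modules}
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Notify: "):
            name, _, module = line[len("Notify: "):].partition(" - ")
            module = module.strip()
            # A bare file name is resolved from %SystemRoot%\system32 at logon;
            # a package given by name only and not already verified needs a look.
            if "\\" not in module and module.lower() not in known:
                findings.append(Finding("Winlogon\\Notify\\" + name, module,
                                        "notify package loaded by file name only and not in the baseline"))
        elif line.startswith("AppInit_DLLs: "):
            # Empty on a clean install; whatever is listed is loaded by every
            # process that loads user32.dll.
            for dll in _split_list(line[len("AppInit_DLLs: "):]):
                findings.append(Finding("AppInit_DLLs", dll,
                                        "AppInit_DLLs is empty on a clean install"))
        elif line.startswith("SecurityProviders: "):
            for provider in _split_list(line[len("SecurityProviders: "):]):
                if provider.lower() not in STOCK_SECURITY_PROVIDERS:
                    findings.append(Finding("SecurityProviders", provider,
                                            "not in the assumed stock provider list"))
        elif line.startswith("LSA: Authentication Packages = "):
            # DDS prints the REG_MULTI_SZ values space separated, so a path with
            # spaces would be split here; the stock value is a single token.
            for pkg in _split_list(line[len("LSA: Authentication Packages = "):]):
                if pkg.lower() not in STOCK_AUTH_PACKAGES:
                    findings.append(Finding("LSA\\Authentication Packages", pkg,
                                            "extra authentication package; stock XP has only msv1_0"))
    return findings


if __name__ == "__main__":
    # Baseline assumed for this demo: notify modules the machine owner has already
    # checked against the OEM software installed on the machine.
    verified = frozenset({"igfxdev.dll", "TabBtnWL.dll", "tpgwlnot.dll"})
    for f in triage_dds(SAMPLE_DDS, verified):
        print(f"[{f.location}] {f.value}: {f.reason}")
```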


#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 November 2009 - 02:54 PM

Hi ridius,

Do yourself a favor and get rid of (uninstall) Eusing Free Registry Cleaner.
Registry cleaners can mess up so many things. :(
It happened to me one time so I'm not just saying that.

******************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 17
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java SE Runtime Environment 6 Update 1
    Java 6 Update 7
    Java 6 Update 5

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
Please make sure you turn on the Java Automatic Update Feature
http://java.com/en/download/help/java_update.xml#howto

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.
Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

******************


You are using an outdated version of Adobe Reader. Adobe has since been updated and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
    Adobe Reader 8.1.2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.
Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.

You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/

******************


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVAST Antivirus, Ad-Watch and Windows Defender before running ComboFix, as they will prevent it from running.

Disable Ad-Watch to make sure it won't interfere with fixing.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

AVAST will cause BSOD unless you disable it like this:
Posted Image

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 08 November 2009 - 02:55 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 ridius

ridius
  • Topic Starter

  • Members
  • 7 posts

Posted 08 November 2009 - 06:02 PM

So, I can't upgrade Java because a business application isn't compatible with the latest version, but I upgraded Acrobat Reader to the latest.

Here is the combofix log:

ComboFix 09-11-08.03 - Administrator 11/08/2009 14:27.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.145 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091108-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-220523388-329068152-682003330-500
c:\windows\system32\hfsvlpai.ini
c:\windows\system32\iodtvfce.ini
c:\windows\system32\irmhkvms.ini
c:\windows\system32\jaxyvbxg.ini
c:\windows\system32\jnrqqgln.ini
c:\windows\system32\mcsijtal.ini
c:\windows\system32\pjbvkeql.ini
c:\windows\system32\qyysfpdh.ini
c:\windows\system32\tgptkccx.ini
c:\windows\system32\wxwDccfe.ini
c:\windows\system32\wxwDccfe.ini2
c:\windows\system32\xydobhdg.ini
c:\windows\system32\yuupwxqa.ini
c:\windows\Temp\tmp3.tmp
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-08 22:22 . 2005-03-16 13:47 23200 ----a-w- c:\windows\system32\drivers\o2sd.sys
2009-11-08 22:22 . 2005-03-16 13:47 32320 ----a-w- c:\windows\system32\drivers\o2media.sys
2009-11-08 22:22 . 2004-08-04 06:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-08 22:22 . 2004-08-04 06:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-08 22:16 . 2009-11-08 22:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ApplicationHistory
2009-11-08 22:16 . 2009-11-08 22:16 135 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\fusioncache.dat
2009-11-08 22:04 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-08 21:59 . 2009-11-08 21:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-08 21:57 . 2009-11-08 21:58 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-08 21:57 . 2009-11-08 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-08 21:57 . 2009-11-08 21:57 -------- d-----w- c:\program files\NOS
2009-11-08 17:48 . 2009-11-08 17:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-08 17:48 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 17:48 . 2009-11-08 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 17:48 . 2009-11-08 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 17:48 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 03:39 . 2009-11-05 21:58 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-03 22:15 . 2009-11-03 22:15 -------- d-----w- C:\mytmp
2009-11-03 21:23 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 21:22 . 2009-11-03 21:22 -------- d-----w- c:\program files\Windows Defender
2009-11-03 21:10 . 2009-11-03 21:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-11-03 19:19 . 2008-04-14 13:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-11-03 19:19 . 2001-08-18 06:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-11-03 19:19 . 2008-04-14 13:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-11-03 19:19 . 2001-08-18 06:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-11-03 19:19 . 2001-08-18 06:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-11-03 19:14 . 2001-08-18 06:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-11-03 19:14 . 2001-08-17 20:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-11-03 19:14 . 2008-04-14 06:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-11-03 19:14 . 2008-04-14 08:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-11-03 19:13 . 2008-04-14 06:04 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2009-11-03 19:13 . 2008-04-14 08:06 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2009-11-03 19:13 . 2008-04-14 06:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2009-11-03 19:11 . 2001-08-17 20:13 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2009-11-03 19:10 . 2001-08-17 21:28 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2009-11-03 19:09 . 2001-08-17 21:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2009-11-03 19:08 . 2001-08-17 20:12 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2009-11-03 19:07 . 2004-08-04 12:00 21896 -c--a-w- c:\windows\system32\dllcache\tdipx.sys
2009-11-03 19:06 . 2001-08-18 06:36 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2009-11-03 19:05 . 2001-08-17 21:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-11-03 19:04 . 2008-04-14 08:06 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2009-11-03 19:03 . 2001-08-17 22:56 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2009-11-03 19:02 . 2001-08-18 06:36 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-11-03 19:01 . 2001-08-17 20:50 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-11-03 19:00 . 2001-08-18 06:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2009-11-03 18:59 . 2001-08-17 21:28 112574 -c--a-w- c:\windows\system32\dllcache\ptserlp.sys
2009-11-03 18:58 . 2001-08-17 22:04 173696 -c--a-w- c:\windows\system32\dllcache\philcam2.sys
2009-11-03 18:57 . 2001-08-17 22:05 25216 -c--a-w- c:\windows\system32\dllcache\ovsound2.sys
2009-11-03 18:57 . 2001-08-18 06:36 39424 -c--a-w- c:\windows\system32\dllcache\ovcoms.exe
2009-11-03 18:57 . 2001-08-18 06:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2009-11-03 18:57 . 2001-08-17 22:05 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
2009-11-03 18:57 . 2001-08-18 06:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2009-11-03 18:57 . 2001-08-17 22:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2009-11-03 18:57 . 2001-08-17 22:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2009-11-03 18:57 . 2001-08-17 22:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2009-11-03 18:57 . 2001-08-17 22:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-11-03 18:57 . 2001-08-17 21:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2009-11-03 18:57 . 2001-08-17 20:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2009-11-03 18:57 . 2001-08-17 20:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2009-11-03 18:57 . 2001-08-17 20:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2009-11-03 18:56 . 2001-08-17 20:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2009-11-03 18:56 . 2001-08-18 06:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2009-11-03 18:56 . 2001-08-18 06:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-11-03 18:56 . 2001-08-17 20:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2009-11-03 18:56 . 2001-08-17 21:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2009-11-03 18:56 . 2001-08-17 21:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2009-11-03 18:56 . 2008-04-14 08:24 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2009-11-03 18:56 . 2001-08-17 20:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2009-11-03 18:56 . 2001-08-17 20:20 126080 -c--a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-11-03 18:56 . 2004-08-04 12:00 53248 -c--a-w- c:\windows\system32\dllcache\nextlink.dll
2009-11-03 18:56 . 2001-08-17 20:12 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2009-11-03 18:56 . 2008-04-14 06:05 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
2009-11-02 23:32 . 2001-08-17 20:11 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2009-11-02 23:32 . 2001-08-17 20:50 39264 -c--a-w- c:\windows\system32\dllcache\neo20xx.sys
2009-11-02 23:30 . 2001-08-17 20:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2009-11-02 23:30 . 2008-04-14 08:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-11-02 23:30 . 2008-04-14 08:16 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2009-11-02 23:30 . 2001-08-17 21:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-11-02 23:30 . 2001-08-17 22:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-11-02 23:30 . 2008-04-14 08:24 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2009-11-02 23:30 . 2004-08-04 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-11-02 23:29 . 2001-08-17 22:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2009-11-02 23:29 . 2001-08-17 21:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2009-11-02 23:29 . 2008-04-14 08:16 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2009-11-02 23:29 . 2004-08-04 12:00 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-11-02 23:29 . 2008-04-14 08:16 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-11-02 23:29 . 2001-08-17 21:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-11-02 23:27 . 2008-04-14 08:10 7040 -c--a-w- c:\windows\system32\dllcache\ltotape.sys
2009-11-02 23:26 . 2008-04-14 13:41 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2009-11-02 23:25 . 2004-08-04 12:00 7168 -c--a-w- c:\windows\system32\dllcache\isapips.dll
2009-11-02 23:24 . 2004-08-04 12:00 311359 -c--a-w- c:\windows\system32\dllcache\imepadsv.exe
2009-11-02 23:23 . 2001-08-17 22:05 141056 -c--a-w- c:\windows\system32\dllcache\icam3.sys
2009-11-02 23:22 . 2001-08-17 21:28 57471 -c--a-w- c:\windows\system32\dllcache\hsf_samp.sys
2009-11-02 23:21 . 2001-08-18 06:36 48128 -c--a-w- c:\windows\system32\dllcache\hpgt33tk.dll
2009-11-02 23:21 . 2001-08-18 06:36 89088 -c--a-w- c:\windows\system32\dllcache\hpgt33.dll
2009-11-02 23:21 . 2001-08-18 06:36 123392 -c--a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2009-11-02 23:21 . 2001-08-18 06:36 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll
2009-11-02 23:21 . 2001-08-18 06:36 119296 -c--a-w- c:\windows\system32\dllcache\hpdigwia.dll
2009-11-02 23:21 . 2001-08-17 22:02 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2009-11-02 23:21 . 2008-04-14 13:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-11-02 23:21 . 2001-08-17 22:02 8576 -c--a-w- c:\windows\system32\dllcache\hidgame.sys
2009-11-02 23:21 . 2008-04-14 08:06 20352 -c--a-w- c:\windows\system32\dllcache\hidbatt.sys
2009-11-02 23:21 . 2001-08-17 21:28 907456 -c--a-w- c:\windows\system32\dllcache\hcf_msft.sys
2009-11-02 23:21 . 2004-08-04 12:00 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2009-11-02 23:21 . 2008-04-14 08:10 28288 -c--a-w- c:\windows\system32\dllcache\grserial.sys
2009-11-02 23:21 . 2001-08-17 21:51 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2009-11-02 23:19 . 2001-08-17 20:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2009-11-02 23:18 . 2004-08-04 12:00 45056 -c--a-w- c:\windows\system32\dllcache\esunid.dll
2009-11-02 23:17 . 2001-08-17 20:19 283904 -c--a-w- c:\windows\system32\dllcache\emu10k1m.sys
2009-11-02 23:16 . 2001-08-17 20:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2009-11-02 23:15 . 2001-08-18 06:36 6729 -c--a-w- c:\windows\system32\dllcache\disrvci.dll
2009-11-02 23:14 . 2001-08-18 06:36 110592 -c--a-w- c:\windows\system32\dllcache\dc260usd.dll
2009-11-02 23:13 . 2001-08-18 06:36 216064 -c--a-w- c:\windows\system32\dllcache\cpscan.dll
2009-11-02 23:12 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2009-11-02 23:11 . 2001-08-17 21:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-11-02 23:10 . 2001-08-17 20:49 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2009-11-02 23:09 . 2004-08-04 12:00 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2009-11-02 23:08 . 2004-08-04 12:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2009-11-02 23:07 . 2001-08-17 22:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-11-02 23:06 . 2004-08-04 12:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-11-02 23:06 . 2004-08-04 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-11-02 23:06 . 2004-08-04 12:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2009-11-02 23:06 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-11-02 23:06 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2009-11-02 23:06 . 2004-08-04 12:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 22:03 . 2006-05-31 18:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-03 21:11 . 2005-12-21 23:26 20600 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 19:38 . 2009-05-31 15:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-08 21:57 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 21:57 . 2005-07-02 07:38 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:56 . 2005-07-02 07:38 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-23 12:55 . 2009-06-03 02:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 02:35 . 2009-06-03 02:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18 . 2005-07-02 07:38 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-07-02 07:38 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2005-07-02 07:39 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2005-07-02 07:39 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FjDspMon"="c:\program files\Fujitsu\Utils\FjDspMon.exe" [2004-10-14 20480]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-02-28 81920]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-02-18 385024]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2005-02-12 249856]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-09-19 33280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-12 413696]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2003-11-12 503875]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-02-18 15:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 12:41 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 12:42 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [12/20/2005 7:29 AM 9216]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 6:35 PM 64288]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [11/8/2009 2:22 PM 32320]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [11/8/2009 2:22 PM 23200]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/25/2009 6:44 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/25/2009 6:44 PM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 DX02;DX02;c:\windows\system32\drivers\dx02.sys [7/29/2004 12:27 PM 83712]
R3 Fjbtndrv;Fujitsu LIFEBOOK T3000 Button Driver;c:\windows\system32\drivers\FjBtndrv.sys [6/20/2003 1:30 PM 11392]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [7/1/2005 11:58 PM 5632]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [7/1/2005 11:58 PM 31104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [11/18/1999 5:20 PM 3872]
S3 bioschk;FPC BIOS Check Driver;c:\windows\system32\drivers\bioschk.sys [12/13/2005 7:40 AM 3909]
S3 FjGenIo;FPC Generic I/O Driver;c:\windows\system32\drivers\FjGenIo.sys [12/13/2005 7:40 AM 7168]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [7/1/2005 11:39 PM 14336]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/1/2005 11:58 PM 32640]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 10:41 AM 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 10:42 AM 73856]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [7/1/2005 4:49 PM 14208]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [9/18/2007 6:56 AM 109080]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.floorsoft.com/FloorWizard/web/Logon.jsp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
LSP: bmnet.dll
TCP: {4B8DB25F-99F8-4BFA-BA49-37318E172D40} = 65.106.4.146,65.106.7.146
TCP: {5C55CCF8-D010-487C-A167-67B940720C4E} = 66.7.224.17,66.7.224.18
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pphxpyfa.default\
FF - prefs.js: browser.startup.homepage - www.drummerworld.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{621D183A-6E7A-4E8D-AB21-ECB13A9565DD} - (no file)
BHO-{9a7b590b-4b0a-4920-8dd6-68844d42b124} - (no file)
HKLM-Run-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
Notify-nnnnLcBU - nnnnLcBU.dll
AddRemove-Eusing Free Registry Cleaner - c:\progra~1\EUSING~1\UNWISE.EXE
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 14:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2345331811-3564059316-2282366612-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,73,09,e4,56,98,58,4b,9c,a7,fa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,73,09,e4,56,98,58,4b,9c,a7,fa,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1216)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1272)
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(3260)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-11-08 14:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 22:48

Pre-Run: 22,537,113,600 bytes free
Post-Run: 22,903,574,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7515C331FA3B8A219D1D0E95E79152DC

#6 ridius

ridius
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:26 PM

Posted 08 November 2009 - 06:38 PM

So I don't know if I should get too excited at this point, but this is the longest Avast has gone without getting any alerts. I haven't had any detections since I ran ComboFix.

Ridius

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:26 PM

Posted 08 November 2009 - 07:55 PM

Hi ridius,

You need to disable your AVAST Antivirus, Ad-Watch and Windows Defender before running ComboFix, as they will prevent it from running.

Disable Ad-Watch to make sure it won't interfere with the fix.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

AVAST will cause BSOD unless you disable it like this:
Posted Image



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

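As an added example that is not part of any post in this thread and not ComboFix's own code: the following Python script triages a ComboFix-style report by parsing the line shapes that appear above (the R0/S2 service and driver lines, the Security Center `*Override` values, the `(no file)` orphan entries and the per-interface `TCP:` DNS lines) and flags the items a removal helper checks first. It also emits the same `Registry::` CFScript block used in this thread for any override flag still set to 1. The sample report embedded in it is constructed for the example and only mimics the format; the DNS addresses in it are RFC 5737 documentation placeholders, not the ones from the log.

```python
"""Triage a ComboFix-style report.  Added example for this thread; it only
reads text and never touches the registry or the file system."""
import re
from typing import Dict

# Line shapes copied from the ComboFix report format shown in this thread.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
OVERRIDE_RE = re.compile(r'^"(?P<key>\w+Override)"=dword:(?P<val>[0-9a-fA-F]{8})$')
NOFILE_RE = re.compile(r"^(?P<kind>[A-Za-z]+)-(?P<ident>.+?) - \(no file\)$")
DNS_RE = re.compile(r"^TCP:\s+\{[0-9A-Fa-f-]+\}\s+=\s+(?P<servers>[0-9.,]+)$")

# Constructed sample in the report's format (not the thread's full log); the
# DNS addresses are RFC 5737 documentation placeholders.
SAMPLE_REPORT = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

R0 Lbd;Lbd;c:\\windows\\system32\\drivers\\Lbd.sys [6/2/2009 6:35 PM 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\\program files\\Lavasoft\\Ad-Aware\\AAWService.exe" --> c:\\program files\\Lavasoft\\Ad-Aware\\AAWService.exe [?]
S3 IFXTPM;IFXTPM;c:\\windows\\system32\\drivers\\ifxtpm.sys [7/1/2005 11:58 PM 32640]

TCP: {4B8DB25F-99F8-4BFA-BA49-37318E172D40} = 192.0.2.10,192.0.2.11

BHO-{621D183A-6E7A-4E8D-AB21-ECB13A9565DD} - (no file)
Notify-nnnnLcBU - nnnnLcBU.dll
"""


def triage(report: str) -> Dict[str, object]:
    """Return the entries worth a second look, grouped by what they indicate."""
    findings: Dict[str, object] = {
        "missing_binary": [],  # service/driver still registered but its file is gone ("[?]")
        "overrides": {},       # Security Center *Override flags; 1 = status alerts suppressed
        "no_file": [],         # autostart hooks whose target no longer exists
        "dns_servers": [],     # per-interface DNS servers, to compare against the ISP's
    }
    for raw in report.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            if m.group("rest").rstrip().endswith("[?]"):
                findings["missing_binary"].append(m.group("name"))
            continue
        m = OVERRIDE_RE.match(line)
        if m:
            findings["overrides"][m.group("key")] = int(m.group("val"), 16)
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings["no_file"].append((m.group("kind"), m.group("ident")))
            continue
        m = DNS_RE.match(line)
        if m:
            findings["dns_servers"].extend(s for s in m.group("servers").split(",") if s)
    return findings


def override_fix_script(overrides: Dict[str, int]) -> str:
    """Build a CFScript 'Registry::' block, in the syntax used in this thread,
    that resets every override flag currently set to 1 back to 0.  Returns ''
    when nothing needs resetting."""
    keys = sorted(k for k, v in overrides.items() if v == 1)
    if not keys:
        return ""
    lines = ["Registry::", "[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]"]
    lines += [f'"{k}"=dword:00000000' for k in keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for category, entries in result.items():
        print(f"{category}: {entries}")
    print(override_fix_script(result["overrides"]) or "no override flags to reset")
```

Run it against a saved ComboFix.txt by replacing SAMPLE_REPORT with the file's contents; the parser deliberately ignores every line shape it does not recognise, so unrelated sections (Files Created, Find3M, the catchme output) pass through without noise. An override flag of 1 is only an indicator, not proof of infection: legitimate third-party AV products sometimes set it, so confirm what set it before resetting.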
#8 ridius

ridius
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:26 PM

Posted 08 November 2009 - 10:13 PM

So, I don't know where the Ad-Watch is coming from as I can't find it on the machine. This PC used to have Ad-Aware SE installed, but I removed it before I posted the first message.

I followed the instructions to disable Windows Defender and to Disable Avast, then ran the script you provided in ComboFix. Here's the log:

ComboFix 09-11-08.03 - Administrator 11/08/2009 18:57.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.177 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091108-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-09 01:45 . 2009-11-09 01:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-09 01:43 . 2009-11-09 01:43 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-08 22:22 . 2005-03-16 13:47 23200 ----a-w- c:\windows\system32\drivers\o2sd.sys
2009-11-08 22:22 . 2005-03-16 13:47 32320 ----a-w- c:\windows\system32\drivers\o2media.sys
2009-11-08 22:22 . 2004-08-04 06:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-08 22:22 . 2004-08-04 06:59 95360 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-08 22:16 . 2009-11-09 02:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ApplicationHistory
2009-11-08 22:16 . 2009-11-08 22:16 135 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\fusioncache.dat
2009-11-08 22:04 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-08 21:59 . 2009-11-08 21:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-08 21:57 . 2009-11-08 21:58 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-08 21:57 . 2009-11-08 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-08 21:57 . 2009-11-08 21:57 -------- d-----w- c:\program files\NOS
2009-11-08 17:48 . 2009-11-08 17:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-08 17:48 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 17:48 . 2009-11-08 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 17:48 . 2009-11-08 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 17:48 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 03:39 . 2009-11-05 21:58 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-03 22:15 . 2009-11-03 22:15 -------- d-----w- C:\mytmp
2009-11-03 21:23 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 21:22 . 2009-11-03 21:22 -------- d-----w- c:\program files\Windows Defender
2009-11-03 21:10 . 2009-11-03 21:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-11-03 19:19 . 2008-04-14 13:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-11-03 19:19 . 2001-08-18 06:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-11-03 19:19 . 2008-04-14 13:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-11-03 19:19 . 2001-08-18 06:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-11-03 19:19 . 2001-08-18 06:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-11-03 19:14 . 2001-08-18 06:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-11-03 19:14 . 2001-08-17 20:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-11-03 19:14 . 2008-04-14 06:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-11-03 19:14 . 2008-04-14 08:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-11-03 19:13 . 2008-04-14 06:04 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2009-11-03 19:13 . 2008-04-14 08:06 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2009-11-03 19:13 . 2008-04-14 06:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2009-11-03 19:11 . 2001-08-17 20:13 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2009-11-03 19:10 . 2001-08-17 21:28 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2009-11-03 19:09 . 2001-08-17 21:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2009-11-03 19:08 . 2001-08-17 20:12 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2009-11-03 19:07 . 2004-08-04 12:00 21896 -c--a-w- c:\windows\system32\dllcache\tdipx.sys
2009-11-03 19:06 . 2001-08-18 06:36 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2009-11-03 19:05 . 2001-08-17 21:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-11-03 19:04 . 2008-04-14 08:06 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2009-11-03 19:03 . 2001-08-17 22:56 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2009-11-03 19:02 . 2001-08-18 06:36 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-11-03 19:01 . 2001-08-17 20:50 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-11-03 19:00 . 2001-08-18 06:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2009-11-03 18:59 . 2001-08-17 21:28 112574 -c--a-w- c:\windows\system32\dllcache\ptserlp.sys
2009-11-03 18:58 . 2001-08-17 22:04 173696 -c--a-w- c:\windows\system32\dllcache\philcam2.sys
2009-11-03 18:57 . 2001-08-17 22:05 25216 -c--a-w- c:\windows\system32\dllcache\ovsound2.sys
2009-11-03 18:57 . 2001-08-18 06:36 39424 -c--a-w- c:\windows\system32\dllcache\ovcoms.exe
2009-11-03 18:57 . 2001-08-18 06:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2009-11-03 18:57 . 2001-08-17 22:05 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
2009-11-03 18:57 . 2001-08-18 06:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2009-11-03 18:57 . 2001-08-17 22:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2009-11-03 18:57 . 2001-08-17 22:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2009-11-03 18:57 . 2001-08-17 22:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2009-11-03 18:57 . 2001-08-17 22:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-11-03 18:57 . 2001-08-17 21:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2009-11-03 18:57 . 2001-08-17 20:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2009-11-03 18:57 . 2001-08-17 20:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2009-11-03 18:57 . 2001-08-17 20:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2009-11-03 18:56 . 2001-08-17 20:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2009-11-03 18:56 . 2001-08-18 06:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2009-11-03 18:56 . 2001-08-18 06:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-11-03 18:56 . 2001-08-17 20:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2009-11-03 18:56 . 2001-08-17 21:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2009-11-03 18:56 . 2001-08-17 21:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2009-11-03 18:56 . 2008-04-14 08:24 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2009-11-03 18:56 . 2001-08-17 20:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2009-11-03 18:56 . 2001-08-17 20:20 126080 -c--a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-11-03 18:56 . 2004-08-04 12:00 53248 -c--a-w- c:\windows\system32\dllcache\nextlink.dll
2009-11-03 18:56 . 2001-08-17 20:12 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2009-11-03 18:56 . 2008-04-14 06:05 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
2009-11-02 23:32 . 2001-08-17 20:11 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2009-11-02 23:32 . 2001-08-17 20:50 39264 -c--a-w- c:\windows\system32\dllcache\neo20xx.sys
2009-11-02 23:30 . 2001-08-17 20:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2009-11-02 23:30 . 2008-04-14 08:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-11-02 23:30 . 2008-04-14 08:16 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2009-11-02 23:30 . 2001-08-17 21:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-11-02 23:30 . 2001-08-17 22:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-11-02 23:30 . 2008-04-14 08:24 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2009-11-02 23:30 . 2004-08-04 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-11-02 23:29 . 2001-08-17 22:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2009-11-02 23:29 . 2001-08-17 21:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2009-11-02 23:29 . 2008-04-14 08:16 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2009-11-02 23:29 . 2004-08-04 12:00 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-11-02 23:29 . 2008-04-14 08:16 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-11-02 23:29 . 2001-08-17 21:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-11-02 23:27 . 2008-04-14 08:10 7040 -c--a-w- c:\windows\system32\dllcache\ltotape.sys
2009-11-02 23:26 . 2008-04-14 13:41 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2009-11-02 23:25 . 2004-08-04 12:00 7168 -c--a-w- c:\windows\system32\dllcache\isapips.dll
2009-11-02 23:24 . 2004-08-04 12:00 311359 -c--a-w- c:\windows\system32\dllcache\imepadsv.exe
2009-11-02 23:23 . 2001-08-17 22:05 141056 -c--a-w- c:\windows\system32\dllcache\icam3.sys
2009-11-02 23:22 . 2001-08-17 21:28 57471 -c--a-w- c:\windows\system32\dllcache\hsf_samp.sys
2009-11-02 23:21 . 2001-08-18 06:36 48128 -c--a-w- c:\windows\system32\dllcache\hpgt33tk.dll
2009-11-02 23:21 . 2001-08-18 06:36 89088 -c--a-w- c:\windows\system32\dllcache\hpgt33.dll
2009-11-02 23:21 . 2001-08-18 06:36 123392 -c--a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2009-11-02 23:21 . 2001-08-18 06:36 83968 -c--a-w- c:\windows\system32\dllcache\hpgt21.dll
2009-11-02 23:21 . 2001-08-18 06:36 119296 -c--a-w- c:\windows\system32\dllcache\hpdigwia.dll
2009-11-02 23:21 . 2001-08-17 22:02 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2009-11-02 23:21 . 2008-04-14 13:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-11-02 23:21 . 2001-08-17 22:02 8576 -c--a-w- c:\windows\system32\dllcache\hidgame.sys
2009-11-02 23:21 . 2008-04-14 08:06 20352 -c--a-w- c:\windows\system32\dllcache\hidbatt.sys
2009-11-02 23:21 . 2001-08-17 21:28 907456 -c--a-w- c:\windows\system32\dllcache\hcf_msft.sys
2009-11-02 23:21 . 2004-08-04 12:00 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2009-11-02 23:21 . 2008-04-14 08:10 28288 -c--a-w- c:\windows\system32\dllcache\grserial.sys
2009-11-02 23:21 . 2001-08-17 21:51 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2009-11-02 23:19 . 2001-08-17 20:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2009-11-02 23:18 . 2004-08-04 12:00 45056 -c--a-w- c:\windows\system32\dllcache\esunid.dll
2009-11-02 23:17 . 2001-08-17 20:19 283904 -c--a-w- c:\windows\system32\dllcache\emu10k1m.sys
2009-11-02 23:16 . 2001-08-17 20:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2009-11-02 23:15 . 2001-08-18 06:36 6729 -c--a-w- c:\windows\system32\dllcache\disrvci.dll
2009-11-02 23:14 . 2001-08-18 06:36 110592 -c--a-w- c:\windows\system32\dllcache\dc260usd.dll
2009-11-02 23:13 . 2001-08-18 06:36 216064 -c--a-w- c:\windows\system32\dllcache\cpscan.dll
2009-11-02 23:12 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2009-11-02 23:11 . 2001-08-17 21:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-11-02 23:10 . 2001-08-17 20:49 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2009-11-02 23:09 . 2004-08-04 12:00 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2009-11-02 23:08 . 2004-08-04 12:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2009-11-02 23:07 . 2001-08-17 22:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-11-02 23:06 . 2004-08-04 12:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-11-02 23:06 . 2004-08-04 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-11-02 23:06 . 2004-08-04 12:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2009-11-02 23:06 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 01:44 . 2005-12-13 14:16 -------- d-----w- c:\program files\Java
2009-11-08 22:03 . 2006-05-31 18:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-03 21:11 . 2005-12-21 23:26 20600 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 19:38 . 2009-05-31 15:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-08 21:57 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 21:57 . 2005-07-02 07:38 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:56 . 2005-07-02 07:38 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-23 12:55 . 2009-06-03 02:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 02:35 . 2009-06-03 02:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18 . 2005-07-02 07:38 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-07-02 07:38 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2005-07-02 07:39 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2005-07-02 07:39 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-08_22.40.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-09 02:46 . 2009-11-09 02:46 16384 c:\windows\Temp\Perflib_Perfdata_8d4.dat
+ 2009-11-09 02:45 . 2009-11-09 02:45 16384 c:\windows\Temp\Perflib_Perfdata_174.dat
+ 2009-11-09 01:45 . 2009-11-09 01:44 149280 c:\windows\system32\javaws.exe
+ 2009-11-09 01:45 . 2009-11-09 01:44 145184 c:\windows\system32\javaw.exe
+ 2009-11-09 01:45 . 2009-11-09 01:44 145184 c:\windows\system32\java.exe
+ 2009-11-09 01:44 . 2009-11-09 01:44 537600 c:\windows\Installer\516c3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FjDspMon"="c:\program files\Fujitsu\Utils\FjDspMon.exe" [2004-10-14 20480]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-02-28 81920]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-02-18 385024]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2005-02-12 249856]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2007-09-19 33280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-12 413696]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-09 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2003-11-12 503875]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-02-18 15:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 12:41 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 12:42 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [12/20/2005 7:29 AM 9216]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 6:35 PM 64288]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [11/8/2009 2:22 PM 32320]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [11/8/2009 2:22 PM 23200]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/25/2009 6:44 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/25/2009 6:44 PM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 DX02;DX02;c:\windows\system32\drivers\dx02.sys [7/29/2004 12:27 PM 83712]
R3 Fjbtndrv;Fujitsu LIFEBOOK T3000 Button Driver;c:\windows\system32\drivers\FjBtndrv.sys [6/20/2003 1:30 PM 11392]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [7/1/2005 11:58 PM 5632]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [7/1/2005 11:58 PM 31104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [11/18/1999 5:20 PM 3872]
S3 bioschk;FPC BIOS Check Driver;c:\windows\system32\drivers\bioschk.sys [12/13/2005 7:40 AM 3909]
S3 FjGenIo;FPC Generic I/O Driver;c:\windows\system32\drivers\FjGenIo.sys [12/13/2005 7:40 AM 7168]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [7/1/2005 11:39 PM 14336]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/1/2005 11:58 PM 32640]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 10:41 AM 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 10:42 AM 73856]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [7/1/2005 4:49 PM 14208]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [9/18/2007 6:56 AM 109080]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.floorsoft.com/FloorWizard/web/Logon.jsp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
LSP: bmnet.dll
TCP: {4B8DB25F-99F8-4BFA-BA49-37318E172D40} = 65.106.4.146,65.106.7.146
TCP: {5C55CCF8-D010-487C-A167-67B940720C4E} = 66.7.224.17,66.7.224.18
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pphxpyfa.default\
FF - prefs.js: browser.startup.homepage - www.drummerworld.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 19:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2345331811-3564059316-2282366612-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,73,09,e4,56,98,58,4b,9c,a7,fa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,73,09,e4,56,98,58,4b,9c,a7,fa,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1208)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1264)
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(3900)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-09 19:09
ComboFix-quarantined-files.txt 2009-11-09 03:09
ComboFix2.txt 2009-11-08 22:48

Pre-Run: 22,721,224,704 bytes free
Post-Run: 22,677,340,160 bytes free

- - End Of File - - EE6FE3FE74179A7C2DDD87D41F2567E5

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 November 2009 - 11:45 PM

Hi ridius,

You need to disable your AVAST Antivirus before running Kaspersky Online Scanner, as it will prevent it from working.

AVAST will cause BSOD unless you disable it like this:
Posted Image

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 ridius

ridius
  • Topic Starter

  • Members
  • 7 posts

Posted 09 November 2009 - 02:24 AM

Well, I ran out of time and had to give the laptop back... so I didn't get to run the Kaspersky web scan. However, I ran multiple Avast scans and Windows Defender scans and didn't find any problems. I haven't gotten any warnings and the overall performance has drastically improved. I also installed all the latest Windows Updates.

I'm fairly confident we got this one, and just wanted to say thank you sooooooo much for your help. I REALLY appreciate it!

Ridius

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 November 2009 - 02:30 PM

You're very welcome.

However, I ran multiple Avast scans and Windows Defender scans and didn't find any problems. I haven't gotten any warnings and the overall performance has drastically improved.


Avast and Windows Defender are not enough! They did not find anything previously, so running them again will not find anything.

I can't guarantee this computer is clean and that all the malware is removed. :(

This computer still has to be cleaned up.

I assume you're a computer repair shop.

Have your customer post back to this forum and we will continue cleaning.

Edited by SifuMike, 09 November 2009 - 02:31 PM.


#12 ridius

ridius
  • Topic Starter

  • Members
  • 7 posts

Posted 09 November 2009 - 03:50 PM

I'm not a repair shop, I just know about computers and was helping my dad fix his. I'll have him run Kaspersky web scan tonight on his machine and have him post the report.

Just as an FYI, Avast was the one reporting the virus in the first place, and now it's not reporting anything.

Ridius

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 November 2009 - 03:54 PM

Sounds good. :(

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 November 2009 - 11:18 PM

Due to inactivity, this thread will now be closed.



