Infected with tdlwsp.dll


  • This topic is locked
61 replies to this topic

#1 Interpulse20

Interpulse20

  • Members
  • 33 posts
  • OFFLINE
  • Local time:11:14 PM

Posted 16 November 2009 - 10:28 AM

Hi,
my name is Richard and I'm running Vista Home Premium on a Dell Studio Duo Core.
I run Zone Alarm firewall, Windows Defender and AVG anti virus.

Recently AVG antivirus has begun detecting tdlwsp.dll and cannot remove it.

I Googled it and some people say that Windows Defender can remove it.

I updated Windows Defender and ran a scan.
It detected Alureon.gen!U and in the description it relates this to tdlwsp.dll.
I instruct Defender to remove it and it asks to reboot.
After rebooting, if I scan again, it's still there.
I tried it in safe mode and no luck.
Now AVG is detecting 3 instances of tdlwsp.dll

Please help me to remove this infection,
Thank you in advance,
Rich. :(


DDS (Ver_09-10-26.01) - NTFSx86
Run by Admin at 2:05:01.56 on Tue 17/11/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3030.1771 [GMT 11:00]

SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\STacSV.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\dlcgcoms.exe
C:\Program Files\Sensible Vision\Fast Access\FAService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Dell AIO 810\DLCGmon.exe
C:\Program Files\Sensible Vision\Fast Access\FATrayMon.exe
C:\Program Files\Sensible Vision\Fast Access\FATrayAlert.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Users\Admin\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.com.au/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FAIESSOHelper Class: {a2f122da-055f-4df7-8f24-7354dbdba85b} - c:\program files\sensible vision\fast access\FAIESSO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Firefox mod: {e5768708-806b-4ced-9ae8-7c855eb782f7} - lofd32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [FAStartup]
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [dlcgmon.exe] "c:\program files\dell aio 810\dlcgmon.exe"
mRun: [FATrayAlert] c:\program files\sensible vision\fast access\FATrayMon.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: FastAccess - c:\program files\sensible vision\fast access\FALogNot.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
LSA: Notification Packages = scecli FAPassSync

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\clxkyvc3.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-11 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-11 108552]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_ae0b52e0\AEstSrv.exe [2009-3-9 81920]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-11 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-11 297752]
R2 FAService;FAService;c:\program files\sensible vision\fast access\FAService.exe [2008-11-10 2344200]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-5 112640]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-3-9 212992]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2009-3-9 3663360]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [2009-3-9 144672]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [2009-3-9 269536]
S2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\docklogin.exe --> c:\program files\dell\delldock\DockLogin.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-16 135664]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-3-8 29736]
S3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\drivers\facap.sys [2008-9-24 232832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S4 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-9-11 464264]

=============== Created Last 30 ================

2009-11-16 11:31:37 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-11-15 13:21:20 0 d-----w- c:\programdata\Google
2009-11-13 07:54:53 25 ----a-w- c:\windows\.prj
2009-11-13 07:53:18 0 d-----w- c:\program files\PageBreeze
2009-11-11 07:33:17 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 07:32:54 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-11 05:43:34 330296874 ----a-w- c:\windows\MEMORY.DMP
2009-11-04 08:04:04 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-04 08:03:52 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-04 08:03:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-04 08:03:45 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-03 13:44:06 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-31 16:13:12 0 d-----w- c:\program files\Windows Portable Devices
2009-10-31 16:12:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-31 16:03:22 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-31 16:03:21 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-31 16:03:20 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-31 16:01:49 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-31 16:00:20 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-31 16:00:19 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-31 16:00:19 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-29 08:14:27 12800 ----a-w- c:\windows\system32\lofd32.dll
2009-10-28 09:11:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 09:11:57 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 01:55:52 0 d-----w- c:\program files\CDRWIN 6
2009-10-26 01:55:38 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-21 15:04:28 0 d-----w- c:\program files\IEToolbar
2009-10-21 15:03:51 889000 ----a-w- c:\windows\vgep4557.exe
2009-10-21 14:35:41 0 d-----w- c:\users\admin\appdata\roaming\LimeWire
2009-10-21 00:21:59 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-10-21 00:17:25 0 d-----r- c:\program files\Skype
2009-10-21 00:17:21 0 d-----w- c:\programdata\Skype

==================== Find3M ====================

2009-11-16 11:26:43 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-11-02 09:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 16:13:05 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 16:13:05 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-31 16:13:04 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-31 16:13:04 143360 ----a-w- c:\windows\inf\infstor.dat
2009-10-09 02:25:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:25 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-16 07:17:03 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 16:10:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-17 13:50:54 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-06-17 13:50:54 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-06-17 13:50:54 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-06-17 12:25:37 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-06-17 12:25:37 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-06-17 12:25:37 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-03-08 23:07:58 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 2:06:31.98 ===============

Attached Files
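Read by hand, the log above gives the game away in two places: the "Created Last 30" section shows c:\windows\system32\tdlwsp.dll landing on its own on 2009-11-16, and the Pseudo HJT Report carries a BHO ("Firefox mod") whose module is the bare name lofd32.dll with no path, a file that system32 also acquired on 2009-10-29. tdlwsp.dll and tdlcmd.dll (the latter appears in the follow-up log later in this thread) are the Winsock-provider and command components of the TDL3/TDSS rootkit, which Microsoft detects as Alureon; a file-listing tool only sees what the kernel lets it see, which is why a rootkit scanner such as GMER is the next step in the reply below. As an added example that is not part of the thread, not DDS itself and not anything the helper posted, the following Python script mechanises that reading over lines excerpted from the first log above. The bare-filename rule, the five-minute "lone drop" window and the section names it keys on are the editor's own heuristics; the sample lines are the page's, trimmed.

```python
"""Added triage helper for DDS logs: flag pathless autostart modules and lone
executable drops in the Windows directories, then intersect the two lists.
Heuristics and thresholds are the editor's, not DDS's or the thread's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: lines excerpted from the first DDS log posted in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Firefox mod: {e5768708-806b-4ced-9ae8-7c855eb782f7} - lofd32.dll
Notify: FastAccess - c:\program files\sensible vision\fast access\FALogNot.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
=============== Created Last 30 ================
2009-11-16 11:31:37 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-11-15 13:21:20 0 d-----w- c:\programdata\Google
2009-11-11 07:33:17 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 07:32:54 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-04 08:04:04 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-04 08:03:52 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-04 08:03:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-29 08:14:27 12800 ----a-w- c:\windows\system32\lofd32.dll
2009-10-28 09:11:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 09:11:57 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-21 15:04:28 0 d-----w- c:\program files\IEToolbar
2009-10-21 15:03:51 889000 ----a-w- c:\windows\vgep4557.exe
==================== Find3M ====================
2009-09-10 16:10:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")
AUTOSTART_RE = re.compile(r"^(BHO|TB|Notify|AppInit_DLLs):\s*(.*)$")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
EXECUTABLE_EXT = (".dll", ".exe", ".sys")


def parse_dds(text):
    """Split a DDS log on its '=== Name ===' banners into {section_name: [lines]}."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        else:
            sections[current].append(line)
    return sections


def pathless_autostarts(hjt_lines):
    """(kind, module) for BHO/TB/Notify/AppInit entries given as a bare DLL name.
    Such a module is resolved through the DLL search order instead of a fixed path;
    legitimate vendors do it too (Intel's igfxdev.dll, AVG's avgrsstx.dll), so this
    list is a candidate set, not a verdict."""
    found = []
    for line in hjt_lines:
        m = AUTOSTART_RE.match(line)
        if not m:
            continue
        module = m.group(2).rsplit(" - ", 1)[-1].strip()   # text after the last ' - '
        if module.lower().endswith(".dll") and "\\" not in module:
            found.append((m.group(1), module))
    return found


def created_entries(lines):
    """Parse 'Created Last 30' rows into (datetime, size, attrs, path)."""
    rows = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(size), attrs, path))
    return rows


def lone_system_drops(rows, window=timedelta(minutes=5)):
    """Executables created directly in c:\\windows or system32 with no other *file*
    created within `window`. Updates arrive in bursts (the 2009-11-04 wu* group
    above); a single DLL landing on its own deserves a look."""
    files = [r for r in rows if not r[2].startswith("d")]     # drop directory rows
    flagged = []
    for ts, _size, _attrs, path in files:
        directory, _, name = path.lower().rpartition("\\")
        if directory + "\\" not in SYSTEM_DIRS or not name.endswith(EXECUTABLE_EXT):
            continue
        neighbours = [p for t, _, _, p in files if p != path and abs(t - ts) <= window]
        if not neighbours:
            flagged.append(path)
    return flagged


def triage(text):
    """Run both heuristics and return their intersection under 'confirmed'."""
    sections = parse_dds(text)
    rows = created_entries(sections.get("Created Last 30", []))
    pathless = pathless_autostarts(sections.get("Pseudo HJT Report", []))
    recent = {p.rpartition("\\")[2].lower() for _, _, _, p in rows}
    return {
        "pathless_autostarts": pathless,
        "lone_drops": lone_system_drops(rows),
        "confirmed": sorted({mod for _, mod in pathless if mod.lower() in recent}),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DDS).items():
        print(key)
        for item in items:
            print("   ", item)
```

On the sample, the pathless rule alone lists three modules (lofd32.dll, igfxdev.dll, avgrsstx.dll) and would mislead on the last two; the lone-drop rule flags tdlwsp.dll, lofd32.dll and c:\windows\vgep4557.exe for a look while leaving the clustered Windows Update files alone. Only lofd32.dll trips both, which is the one to pull first. Run the same script over the second log posted later in this thread and c:\windows\system32\tdlcmd.dll (created 2009-11-24 00:43:38, nothing else for hours) lands in the lone-drop list the same way. None of this proves a file is malicious; it orders what to submit for analysis.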




#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:14 PM

Posted 23 November 2009 - 12:56 PM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
Download GMER here by clicking the Download EXE button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan has finished, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Interpulse20

Interpulse20
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:11:14 PM

Posted 23 November 2009 - 09:22 PM

Thanks for your reply. I understand how busy it must get and appreciate your help very much.

I've followed your instructions and here are my DDS, Attach and GMER logs...

Cheers,
Rich



DDS (Ver_09-11-24.01) - NTFSx86
Run by Admin at 12:51:52.05 on Tue 24/11/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3030.1824 [GMT 11:00]

SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\STacSV.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\dlcgcoms.exe
C:\Program Files\Sensible Vision\Fast Access\FAService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell AIO 810\DLCGmon.exe
C:\Program Files\Sensible Vision\Fast Access\FATrayMon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sensible Vision\Fast Access\FATrayAlert.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Gif Animator Toolbar Helper: {96372ab6-15eb-4316-b497-71c741bc548c} - c:\program files\easy gif animator extension\v3.3.0.3\EasyGifAnimator_Toolbar.dll
BHO: FAIESSOHelper Class: {a2f122da-055f-4df7-8f24-7354dbdba85b} - c:\program files\sensible vision\fast access\FAIESSO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Firefox mod: {e5768708-806b-4ced-9ae8-7c855eb782f7} - lofd32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Easy Gif Animator Toolbar: {35065594-9169-4a34-b167-fc4865038e53} - c:\program files\easy gif animator extension\v3.3.0.3\EasyGifAnimator_Toolbar.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [dlcgmon.exe] "c:\program files\dell aio 810\dlcgmon.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [FAStartup]
mRun: [FATrayAlert] c:\program files\sensible vision\fast access\FATrayMon.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: FastAccess - c:\program files\sensible vision\fast access\FALogNot.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
LSA: Notification Packages = scecli FAPassSync

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\clxkyvc3.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-11 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-11 108552]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-5 112640]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-3-9 212992]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2009-3-9 3663360]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [2009-3-9 144672]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [2009-3-9 269536]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-3-8 29736]
S3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\drivers\facap.sys [2008-9-24 232832]

=============== Created Last 30 ================

2009-11-24 00:43:38 15872 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-21 10:20:09 23409 ----a-w- c:\users\admin\.recently-used.xbel
2009-11-20 04:07:45 0 d-----w- c:\program files\AskBarDis
2009-11-20 04:07:07 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-20 04:06:56 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-11-20 04:06:56 293528 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2009-11-20 04:06:56 0 d-----w- c:\windows\system32\ZoneLabs
2009-11-20 03:29:08 27112 ----a-w- c:\windows\system32\drivers\msahci.sys
2009-11-20 03:27:12 98816 ----a-w- c:\windows\sed.exe
2009-11-20 03:27:12 77312 ----a-w- c:\windows\MBR.exe
2009-11-20 03:27:12 267264 ----a-w- c:\windows\PEV.exe
2009-11-20 03:27:12 161792 ----a-w- c:\windows\SWREG.exe
2009-11-20 02:55:35 0 d-----w- c:\programdata\Office Genuine Advantage
2009-11-19 13:15:42 236160 ----a-w- c:\windows\EasyGifAnimator_Toolbar_Uninstaller_970.exe
2009-11-19 13:15:42 0 d-----w- c:\program files\Easy Gif Animator Extension
2009-11-19 13:15:11 0 d-----w- c:\program files\Easy GIF Animator
2009-11-19 13:10:08 0 d-----w- c:\program files\JanSoft
2009-11-19 12:50:42 0 d-----w- C:\Multimedia Files
2009-11-19 12:50:32 0 d-----w- c:\program files\Microsoft GIF Animator
2009-11-19 07:32:14 0 d-----w- c:\users\admin\.thumbnails
2009-11-19 07:30:50 0 d-----w- c:\users\admin\.gimp-2.6
2009-11-19 07:29:19 0 d-----w- c:\program files\GIMP-2.0
2009-11-15 13:21:20 0 d-----w- c:\programdata\Google
2009-11-13 07:54:53 25 ----a-w- c:\windows\.prj
2009-11-13 07:53:18 0 d-----w- c:\program files\PageBreeze
2009-11-11 07:33:17 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 07:32:54 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-11 05:43:34 330296874 ----a-w- c:\windows\MEMORY.DMP
2009-11-04 08:04:04 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-04 08:03:52 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-04 08:03:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-04 08:03:45 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-03 13:44:06 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-31 16:13:12 0 d-----w- c:\program files\Windows Portable Devices
2009-10-31 16:12:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-31 16:03:22 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-31 16:03:21 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-31 16:03:20 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-31 16:01:49 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-31 16:00:20 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-31 16:00:19 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-31 16:00:19 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-29 08:14:27 12800 ----a-w- c:\windows\system32\lofd32.dll
2009-10-28 09:11:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 09:11:57 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 01:55:52 0 d-----w- c:\program files\CDRWIN 6
2009-10-26 01:55:38 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-11-20 04:07:03 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-20 04:07:03 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-20 04:07:03 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-02 09:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 16:13:05 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-21 15:04:26 889000 ----a-w- c:\windows\vgep4557.exe
2009-10-21 00:21:59 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-10-09 02:25:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-16 07:17:03 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 16:10:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-17 13:50:54 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-06-17 13:50:54 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-06-17 13:50:54 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-03-08 23:07:58 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 12:54:13.35 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-24.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 9/03/2009 2:39:29 AM
System Uptime: 24/11/2009 12:47:09 PM (0 hours ago)

Motherboard: Dell Inc. | | 0D176M
Processor: Intel® Core™2 Duo CPU T6400 @ 2.00GHz | U2E1 | 2000/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 223 GiB total, 183.28 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.73 GiB free.
E: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: facap, FastAccess Video Capture
Device ID: ROOT\IMAGE\0000
Manufacturer: Sensible Vision
Name: facap, FastAccess Video Capture
PNP Device ID: ROOT\IMAGE\0000
Service: FACAP

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
AVG Free 8.5
Bonjour
Broadcom Gigabit NetLink Controller
Catalyst Control Center InstallProxy
CDRWIN 6.1
Choice Guard
Compatibility Pack for the 2007 Office system
CutePDF Writer 2.8
Dell-eBay
Dell AIO 810
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
Dell Resource CD
Dell Support Center (Support Software)
Dell Touchpad
Dell Video Chat (remove only)
DHTML Editing Component
Easy GIF Animator 5.02
Easy Gif Animator Extension
EDocs
FastAccess
GIMP 2.6.7
Google Earth
Google Update Helper
GoToAssist 8.0.0.514
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IDT Audio
Integrated Webcam Driver (1.00.03.0919)
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless WiFi Driver
Intel® TV Wizard
iTunes
Junk Mail filter update
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft GIF Animator
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Small Business 2007 Trial
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Movies
Mozilla Firefox (3.5.5)
MSVCRT
OGA Notifier 2.0.0048.0
PageBreeze Free HTML Editor
PowerDVD
QuickSet
QuickTime
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.05
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype web features
Skype™ 4.1
Switch Sound File Converter
System Requirements Lab
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb975960)
VC 9.0 Runtime
VLC media player 1.0.2
WIDCOMM Bluetooth Software 6.1.0.4402
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
ZoneAlarm
ZoneAlarm Spy Blocker Toolbar

==== Event Viewer Messages From Past Week ========

24/11/2009 2:28:00 AM, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...threatid=144991 Scan ID: {9C4F402B-86BF-48E2-ABB2-6B63F3D418AE} Scan Type: AntiMalware User: NT AUTHORITY\NETWORK SERVICE Name: Trojan:Win32/Alureon.CT ID: 144991 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
24/11/2009 12:49:10 PM, Error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
24/11/2009 12:49:10 PM, Error: Service Control Manager [7000] - The Dock Login Service service failed to start due to the following error: The system cannot find the file specified.
23/11/2009 6:37:03 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {33165973-C15A-48BD-8892-C93B377CEA45}. The error: "3" Happened while starting this command: C:\PROGRA~1\Dell\QuickSet\MOBILI~1.EXE -Embedding
23/11/2009 6:36:56 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {1B6176CE-4C9D-4AC1-A880-D8309E6BA6CD}. The error: "3" Happened while starting this command: C:\PROGRA~1\Dell\QuickSet\MOBILI~1.EXE -Embedding
23/11/2009 6:36:49 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {D69FD0D1-3072-4FD8-8A09-767C09A9ECCC}. The error: "3" Happened while starting this command: C:\PROGRA~1\Dell\QuickSet\MOBILI~1.EXE -Embedding
23/11/2009 3:59:05 PM, Error: EventLog [6008] - The previous system shutdown at 3:57:33 PM on 23/11/2009 was unexpected.
23/11/2009 12:35:36 PM, Error: EventLog [6008] - The previous system shutdown at 11:23:35 AM on 23/11/2009 was unexpected.
22/11/2009 2:28:51 AM, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...threatid=144991 Scan ID: {A6AEFF61-4E66-4BFB-BBCD-154416B5C27E} Scan Type: AntiMalware User: NT AUTHORITY\NETWORK SERVICE Name: Trojan:Win32/Alureon.CT ID: 144991 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
21/11/2009 2:14:01 AM, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...threatid=144991 Scan ID: {234C603A-2CAD-4BE8-A9C3-5B1DFB097F5E} Scan Type: AntiMalware User: NT AUTHORITY\NETWORK SERVICE Name: Trojan:Win32/Alureon.CT ID: 144991 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
21/11/2009 12:45:50 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0022FB31A88E has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
20/11/2009 8:10:28 PM, Error: EventLog [6008] - The previous system shutdown at 8:08:56 PM on 20/11/2009 was unexpected.
20/11/2009 4:47:48 AM, Error: EventLog [6008] - The previous system shutdown at 4:46:29 AM on 20/11/2009 was unexpected.
20/11/2009 3:07:11 PM, Error: Service Control Manager [7030] - The TrueVector Internet Monitor service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
20/11/2009 2:28:31 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
20/11/2009 1:55:30 AM, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...threatid=144991 Scan ID: {3CB6AEDD-B618-42CA-8341-F8CD0BA40A03} Scan Type: AntiMalware User: NT AUTHORITY\NETWORK SERVICE Name: Trojan:Win32/Alureon.CT ID: 144991 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
19/11/2009 9:43:11 PM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
19/11/2009 11:47:30 AM, Error: EventLog [6008] - The previous system shutdown at 11:45:20 AM on 19/11/2009 was unexpected.
18/11/2009 6:54:30 PM, Error: EventLog [6008] - The previous system shutdown at 6:52:04 PM on 18/11/2009 was unexpected.
18/11/2009 10:20:23 AM, Error: EventLog [6008] - The previous system shutdown at 10:53:08 PM on 17/11/2009 was unexpected.
17/11/2009 2:29:33 AM, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...threatid=143471 Scan ID: {EACD92D7-56D9-4514-B9EC-C37097FFD04C} Scan Type: AntiMalware User: My-PC\Admin Name: Trojan:Win32/Alureon.gen!U ID: 143471 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.

==== End Of File ===========================





GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-24 13:21:25
Windows 6.0.6002 Service Pack 2
Running: wp74ck6r.exe; Driver: C:\Users\Admin\AppData\Local\Temp\pxldypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x93062880]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x930624E0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x9305F828]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x93075D9C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x93062C36]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x93073AF8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x93073D12]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x93077780]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x93062CDE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x9305FD0A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x93076698]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x93076414]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x930734F8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x93076BC6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x93076C3E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x93076D2E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x9305FBA2]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x93074F18]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x93077370]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x93076DA6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x9306216A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x930771B0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x93062680]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x9305FEF8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x9307611A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x93074486]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x93074362]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x93073F30]

INT 0x62 ? 8682EE88
INT 0x62 ? 8682EE88
INT 0x72 ? 8682EE88
INT 0x92 ? 8682EE88
INT 0xA2 ? 84F4DBF8
INT 0xA2 ? 84F4DBF8
INT 0xA2 ? 84F4DBF8
INT 0xA2 ? 84F4DBF8
INT 0xA2 ? 8682EE88
INT 0xA2 ? 8682EE88
INT 0xA2 ? 8682EE88
INT 0xA2 ? 84F4DBF8
INT 0xB2 ? 8682EE88

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 13D 820B6880 4 Bytes [80, 28, 06, 93] {SUB BYTE [EAX], 0x6; XCHG EBX, EAX}
.text ntkrnlpa.exe!KeSetEvent + 1C1 820B6904 4 Bytes [E0, 24, 06, 93] {LOOPNZ 0x26; PUSH ES; XCHG EBX, EAX}
.text ntkrnlpa.exe!KeSetEvent + 1D9 820B691C 4 Bytes [28, F8, 05, 93]
.text ntkrnlpa.exe!KeSetEvent + 1E9 820B692C 4 Bytes [9C, 5D, 07, 93] {PUSHF ; POP EBP; POP ES; XCHG EBX, EAX}
.text ntkrnlpa.exe!KeSetEvent + 205 820B6948 12 Bytes [36, 2C, 06, 93, F8, 3A, 07, ...]
.text ...
? System32\Drivers\spsv.sys The system cannot find the path specified. !
.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x82C81000]
.text USBPORT.SYS!DllUnload 8A73841B 5 Bytes JMP 8682E468
.text an1oct7a.SYS 82DA7000 22 Bytes [82, A3, 3C, 82, 6C, A2, 3C, ...]
.text an1oct7a.SYS 82DA7017 45 Bytes [00, 32, A7, 79, 82, 3D, A5, ...]
.text an1oct7a.SYS 82DA7045 135 Bytes [0A, 0B, 82, FD, 89, 04, 82, ...]
.text an1oct7a.SYS 82DA70CE 10 Bytes [00, 00, 00, 00, 00, 00, 02, ...]
.text an1oct7a.SYS 82DA70DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [826906D6] \SystemRoot\System32\Drivers\spsv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82690042] \SystemRoot\System32\Drivers\spsv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82690800] \SystemRoot\System32\Drivers\spsv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [826900C0] \SystemRoot\System32\Drivers\spsv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8269013E] \SystemRoot\System32\Drivers\spsv.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8269FE9C] \SystemRoot\System32\Drivers\spsv.sys
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortWritePortUchar] 8382DCCF
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 100D8BA5
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F82DCA0
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortStallExecution] 54771129
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortMoveMemory] 8B108910
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortInitialize] B18D0502
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8
IAT \SystemRoot\System32\Drivers\an1oct7a.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 858DF1F8
Device \FileSystem\fastfat \FatCdrom B09F51F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 84F4F1F8
Device \Driver\usbuhci \Device\USBPDO-0 84FBC1F8
Device \Driver\usbuhci \Device\USBPDO-1 84FBC1F8
Device \Driver\usbuhci \Device\USBPDO-2 84FBC1F8
Device \Driver\usbehci \Device\USBPDO-3 84FBA1F8
Device \Driver\usbuhci \Device\USBPDO-4 84FBC1F8

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 84FBC1F8
Device \Driver\usbuhci \Device\USBPDO-6 84FBC1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{2FD47E83-BF45-4B44-98DF-2C60D86CC87D} 89F191F8
Device \Driver\sptd \Device\185534236 spsv.sys
Device \Driver\volmgr \Device\HarddiskVolume1 84F4F1F8
Device \Driver\usbehci \Device\USBPDO-7 84FBA1F8
Device \Driver\volmgr \Device\HarddiskVolume2 84F4F1F8
Device \Driver\cdrom \Device\CdRom0 868E51F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [82C7D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [82C7D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [82C7D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort2 [82C7D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort3 [82C7D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 [82C7D9B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\msahci \Device\Ide\PciIde0Channel0 858DE1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 858DE1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 858DE1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 858DE1F8
Device \Driver\cdrom \Device\CdRom1 868E51F8
Device \Driver\netbt \Device\NetBt_Wins_Export 89F191F8
Device \Driver\Smb \Device\NetbiosSmb 894FD1F8
Device \Driver\PCI_PNP6223 \Device\0000004c spsv.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{8E3F4A4E-313F-4FA7-A35B-179144D2359A} 89F191F8
Device \Driver\iScsiPrt \Device\RaidPort0 86A571F8

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 84FBC1F8
Device \Driver\usbuhci \Device\USBFDO-1 84FBC1F8
Device \Driver\usbuhci \Device\USBFDO-2 84FBC1F8
Device \Driver\usbehci \Device\USBFDO-3 84FBA1F8
Device \Driver\usbuhci \Device\USBFDO-4 84FBC1F8
Device \Driver\usbuhci \Device\USBFDO-5 84FBC1F8
Device \Driver\usbuhci \Device\USBFDO-6 84FBC1F8
Device \Driver\usbehci \Device\USBFDO-7 84FBA1F8
Device \Driver\an1oct7a \Device\Scsi\an1oct7a1 868E91F8
Device \Driver\an1oct7a \Device\Scsi\an1oct7a1Port5Path0Target0Lun0 868E91F8
Device \FileSystem\fastfat \Fat B09F51F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 9233E1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00234dea2df5
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBD 0x32 0x64 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x36 0xB0 0xE2 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x99 0xF0 0x95 0x72 ...
Reg HKLM\SYSTEM\ControlSet026\Services\BthPort\Parameters\Keys\00234dea2df5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBD 0x32 0x64 0xC6 ...
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x36 0xB0 0xE2 0xCF ...
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x99 0xF0 0x95 0x72 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:03:14 PM

Posted 24 November 2009 - 01:05 AM

Hi,

Uninstall Daemon Tools for now. Then download the SPTD setup file and execute it. In the dialog that appears, press the "Uninstall" button and SPTD will remove itself from your Windows installation. After that, run GMER again and post back its log.


It seems you've run ComboFix there by yourself (not advisable to do so!). Post contents of c:\ComboFix.txt file, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 Interpulse20

Interpulse20
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:14 PM

Posted 24 November 2009 - 01:59 AM

Hi,
I have followed your instructions and here's my new GMER scan, as well as my ComboFix scan.
Incidentally, ComboFix didn't seem to run because it detected something to do with Zone Alarm, even though Zone Alarm was disabled.
Cheers,
Rich

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-24 17:56:25
Windows 6.0.6002 Service Pack 2
Running: qt7id8pk.exe; Driver: C:\Users\Admin\AppData\Local\Temp\pxldypoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8279B000]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [827979B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [827979B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [827979B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort2 [827979B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort3 [827979B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 [827979B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00234dea2df5
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBD 0x32 0x64 0xC6 ...
Reg HKLM\SYSTEM\ControlSet026\Services\BthPort\Parameters\Keys\00234dea2df5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet026\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBD 0x32 0x64 0xC6 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{31D4F82E-1C88-4EAC-A777-65B85395E2C3}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31D4F82E-1C88-4EAC-A777-65B85395E2C3}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31D4F82E-1C88-4EAC-A777-65B85395E2C3}@Path \Microsoft\Windows Defender\MP Scheduled Scan
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31D4F82E-1C88-4EAC-A777-65B85395E2C3}@Triggers 0x15 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31D4F82E-1C88-4EAC-A777-65B85395E2C3}@DynamicInfo 0x03 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\MP Scheduled Scan@Id {31D4F82E-1C88-4EAC-A777-65B85395E2C3}

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----






ComboFix 09-11-11.02 - Admin 20/11/2009 14:58.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3030.1886 [GMT 11:00]
Running from: c:\users\Admin\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500\desktop.ini
c:\$recycle.bin\S-1-5-21-3946519151-573142694-2756214966-500
c:\$recycle.bin\S-1-5-21-3946519151-573142694-2756214966-500\desktop.ini
c:\program files\IEToolbar

.
((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.

2009-11-20 04:00 . 2009-11-20 04:00 -------- d-----w- c:\users\Admin\AppData\Local\temp
2009-11-20 04:00 . 2009-11-20 04:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-20 03:29 . 2009-04-11 06:32 27112 ----a-w- c:\windows\system32\drivers\msahci.sys
2009-11-20 02:58 . 2009-02-15 13:11 293528 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2009-11-20 02:55 . 2009-11-20 02:55 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-19 17:52 . 2009-11-20 03:58 15872 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-19 13:15 . 2009-11-19 13:15 236160 ----a-w- c:\windows\EasyGifAnimator_Toolbar_Uninstaller_970.exe
2009-11-19 13:15 . 2009-11-19 13:15 -------- d-----w- c:\program files\Easy Gif Animator Extension
2009-11-19 13:15 . 2009-11-19 13:15 4096 d-----w- c:\program files\Easy GIF Animator
2009-11-19 13:10 . 2009-11-19 13:10 -------- d-----w- c:\program files\JanSoft
2009-11-19 12:50 . 2009-11-19 12:50 -------- d-----w- C:\Multimedia Files
2009-11-19 12:50 . 2009-11-19 12:50 4096 d-----w- c:\program files\Microsoft GIF Animator
2009-11-19 07:32 . 2009-11-19 13:30 -------- d-----w- c:\users\Admin\AppData\Roaming\gtk-2.0
2009-11-19 07:32 . 2009-11-19 07:32 -------- d-----w- c:\users\Admin\.thumbnails
2009-11-19 07:30 . 2009-11-19 17:44 8192 d-----w- c:\users\Admin\.gimp-2.6
2009-11-19 07:29 . 2009-11-19 07:29 -------- d-----w- c:\program files\GIMP-2.0
2009-11-15 13:20 . 2009-11-15 13:36 -------- d-----w- c:\program files\Google
2009-11-15 13:19 . 2009-11-15 13:36 -------- d-----w- c:\users\Admin\AppData\Local\Google
2009-11-13 07:53 . 1998-11-22 03:23 84992 ----a-w- c:\windows\system32\Ledit32.dll
2009-11-13 07:53 . 1998-06-17 13:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2009-11-13 07:53 . 1997-02-24 06:44 70656 ----a-w- c:\windows\system32\vspell32.dll
2009-11-13 07:53 . 2008-09-12 03:55 1245184 ----a-w- c:\windows\system32\ChilkatCert.dll
2009-11-13 07:53 . 2008-09-12 03:50 1105920 ----a-w- c:\windows\system32\ChilkatFtp2.dll
2009-11-13 07:53 . 2009-11-13 07:54 4096 d-----w- c:\program files\PageBreeze
2009-11-11 07:33 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 07:32 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-04 08:04 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-11-04 08:04 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-04 08:04 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-04 08:04 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-04 08:03 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-11-04 08:03 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-04 08:03 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-04 08:03 . 2009-08-06 08:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-04 08:03 . 2009-08-06 07:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-31 16:13 . 2009-10-31 16:13 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-31 16:03 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-31 16:03 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-31 16:03 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-31 16:01 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-31 16:01 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-31 16:01 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-31 16:01 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-31 16:01 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-31 16:01 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-31 16:01 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-31 16:01 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-31 16:01 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-31 16:01 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-31 16:01 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-31 16:01 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-31 16:00 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-31 16:00 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-31 16:00 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-29 08:14 . 2009-10-29 08:14 12800 ----a-w- c:\windows\system32\lofd32.dll
2009-10-28 09:11 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 09:11 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 01:55 . 2009-10-26 01:55 4096 d-----w- c:\program files\CDRWIN 6
2009-10-26 01:55 . 2009-10-26 01:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-21 15:03 . 2009-10-21 15:04 889000 ----a-w- c:\windows\vgep4557.exe
2009-10-21 14:35 . 2009-10-21 15:05 4096 d-----w- c:\users\Admin\AppData\Roaming\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 17:48 . 2009-09-24 10:18 12807422 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-19 05:44 . 2009-10-21 00:18 4096 d-----w- c:\users\Admin\AppData\Roaming\Skype
2009-11-19 05:02 . 2009-10-21 00:21 -------- d-----w- c:\users\Admin\AppData\Roaming\skypePM
2009-11-18 03:07 . 2009-10-06 16:10 4096 d-----w- c:\users\Admin\AppData\Roaming\vlc
2009-11-11 08:42 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 08:32 . 2009-03-08 08:03 8192 d-----w- c:\programdata\Microsoft Help
2009-11-02 09:42 . 2009-10-02 18:56 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 16:13 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 16:12 . 2009-10-31 16:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-30 04:48 . 2009-10-09 23:41 4096 d-----w- c:\programdata\Apple Computer
2009-10-23 11:59 . 2009-10-07 09:43 -------- d-----w- c:\program files\dl_Cats
2009-10-23 04:43 . 2009-10-23 04:43 1580116 ----a-w- c:\programdata\SPLD015.tmp
2009-10-21 16:39 . 2009-03-08 08:00 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-21 08:53 . 2009-03-08 08:15 -------- d-----w- c:\programdata\Sonic
2009-10-21 00:21 . 2009-10-21 00:21 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-10-21 00:17 . 2009-10-21 00:17 -------- d-----r- c:\program files\Skype
2009-10-21 00:17 . 2009-10-21 00:17 -------- d-----w- c:\program files\Common Files\Skype
2009-10-21 00:17 . 2009-10-21 00:17 -------- d-----w- c:\programdata\Skype
2009-10-19 19:43 . 2009-09-11 14:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-10 09:59 . 2009-10-10 09:59 -------- d-----w- c:\users\Admin\AppData\Roaming\NCH Software
2009-10-10 09:58 . 2009-10-10 09:58 -------- d-----w- c:\programdata\NCH Swift Sound
2009-10-10 09:58 . 2009-10-10 09:58 -------- d-----w- c:\users\Admin\AppData\Roaming\NCH Swift Sound
2009-10-10 09:58 . 2009-10-10 09:58 -------- d-----w- c:\program files\NCH Swift Sound
2009-10-10 09:31 . 2009-10-09 23:42 -------- d-----w- c:\users\Admin\AppData\Roaming\Apple Computer
2009-10-09 23:42 . 2009-10-09 23:42 4096 d-----w- c:\program files\iTunes
2009-10-09 23:42 . 2009-10-09 23:42 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-09 23:42 . 2009-10-09 23:42 -------- d-----w- c:\program files\iPod
2009-10-09 23:42 . 2009-10-09 23:40 -------- d-----w- c:\program files\Common Files\Apple
2009-10-09 23:41 . 2009-10-09 23:41 -------- d-----w- c:\program files\Bonjour
2009-10-09 23:41 . 2009-10-09 23:41 4096 d-----w- c:\program files\QuickTime
2009-10-09 23:40 . 2009-10-09 23:40 4096 d-----w- c:\program files\Apple Software Update
2009-10-09 23:40 . 2009-10-09 23:40 -------- d-----w- c:\programdata\Apple
2009-10-09 02:25 . 2009-10-09 02:25 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-08 08:36 . 2009-10-08 08:36 -------- d-----w- c:\program files\Mustek
2009-10-08 08:35 . 2009-03-08 07:55 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-10-08 01:21 . 2009-10-08 00:15 32768 d-----w- c:\program files\Dell AIO 810
2009-10-08 01:10 . 2009-10-08 01:10 1102896 ----a-w- c:\programdata\SPL90CE.tmp
2009-10-07 06:46 . 2009-10-07 06:46 49152 d-----w- c:\program files\GPLGS
2009-10-07 06:44 . 2009-10-07 06:44 -------- d-----w- c:\program files\Acro Software
2009-10-06 16:13 . 2009-06-17 12:12 6756 ----a-w- c:\users\Admin\AppData\Local\d3d9caps.dat
2009-10-06 16:08 . 2009-10-06 16:08 -------- d-----w- c:\program files\VideoLAN
2009-09-25 02:10 . 2009-10-31 16:02 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-31 16:02 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-31 16:02 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-31 16:02 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-31 16:02 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-31 16:02 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-31 16:02 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-31 16:02 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-31 16:02 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-31 16:02 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-31 16:02 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-31 16:02 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-31 16:02 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-31 16:02 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-31 16:02 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-31 16:02 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-31 16:02 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-31 16:02 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-31 16:02 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-31 16:02 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-31 16:02 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-31 16:02 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-31 16:02 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-31 16:02 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-31 16:02 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-31 16:02 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-31 16:02 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-21 08:42 . 2009-09-21 08:42 -------- d-----w- c:\users\Admin\AppData\Roaming\CyberLink
2009-09-21 08:42 . 2009-09-21 08:42 -------- d-----w- c:\programdata\CyberLink
2009-09-21 06:09 . 2009-09-21 06:09 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-14 09:29 . 2009-10-14 06:31 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-11 15:54 . 2009-06-17 12:12 100256 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-10 18:36 . 2009-09-10 18:36 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-10 16:48 . 2009-10-14 06:33 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 16:10 . 2009-09-10 16:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-10 16:10 . 2009-09-10 16:10 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-10 16:10 . 2009-09-10 16:10 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-10 16:10 . 2009-09-10 16:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-04 11:41 . 2009-10-14 06:31 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27 . 2009-09-10 18:12 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-10 18:12 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 18:54 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 18:54 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 18:54 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 18:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-03-08 23:07 . 2009-03-08 23:03 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5768708-806B-4ced-9AE8-7C855EB782F7}]
2009-10-29 08:14 12800 ----a-w- c:\windows\System32\lofd32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"dlcgmon.exe"="c:\program files\Dell AIO 810\dlcgmon.exe" [2007-01-12 431600]
"FATrayAlert"="c:\program files\Sensible Vision\Fast Access\FATrayMon.exe" [2008-11-10 95496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2008-11-10 06:16 140552 ----a-w- c:\program files\Sensible Vision\Fast Access\FALogNot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-08 08:09 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli FAPassSync

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f0,1b,60,f3,9f,36,ca,01

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/09/2009 3:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/09/2009 3:10 AM 108552]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe [9/03/2009 10:29 AM 81920]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/09/2009 3:10 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/09/2009 3:10 AM 297752]
R2 FAService;FAService;c:\program files\Sensible Vision\Fast Access\FAService.exe [10/11/2008 5:16 PM 2344200]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [5/12/2008 3:25 AM 112640]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [9/03/2009 10:29 AM 212992]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [9/03/2009 10:29 AM 3663360]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\System32\drivers\OA008Ufd.sys [9/03/2009 10:29 AM 144672]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\System32\drivers\OA008Vid.sys [9/03/2009 10:29 AM 269536]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe --> c:\program files\Dell\DellDock\DockLogin.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/11/2009 12:25 AM 135664]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [8/03/2009 6:59 PM 29736]
S3 FACAP;facap, FastAccess Video Capture;c:\windows\System32\drivers\facap.sys [24/09/2008 10:36 PM 232832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21/01/2008 1:23 PM 21504]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 13:24]

2009-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 13:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clxkyvc3.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-FAStartup - (no file)
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 15:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8A02DF61]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(644)
c:\windows\system32\FAPassSync.dll
.
Completion time: 2009-11-20 15:03
ComboFix-quarantined-files.txt 2009-11-20 04:03

Pre-Run: 196,503,810,048 bytes free
Post-Run: 196,880,818,176 bytes free

- - End Of File - - 4D991AF5641BB8EEBA4268752C918DA0
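To make the GMER section of the log above easier to triage, here is an added helper script (my own example, not code from the thread, from GMER or from ComboFix) that picks out the three indicators the scan reports for atapi.sys: the entry point moved into the ".rsrc" section, device objects whose dispatch resolves into an unknown section of the driver image, and the "suspicious modification" file line. SAMPLE_GMER_LOG is a constructed excerpt modelled on the posted scan; legitimate AttachedDevice filter entries (AVG, WDF) and the sptd Cfg registry noise that the Daemon Tools/SPTD uninstall is meant to clear are deliberately left unflagged.

```python
"""Added GMER log triage helper (example code, not from the thread or from GMER).

Picks out three indicators that an on-disk kernel driver has been patched:
  * a driver whose entry point lies in its ".rsrc" section (code should
    never start in the resource section),
  * a Device line whose dispatch address resolves to "[unknown section]"
    of the driver image (the IRP dispatch routine has been redirected),
  * a "suspicious modification" file line for the same driver.
All three pointing at one driver is the classic signature of a rootkit that
infects an existing boot-start driver in place instead of loading its own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the GMER scan posted above.
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8279B000]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [827979B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [827979B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "entry_point_in_rsrc" | "hooked_device" | "suspicious_file"
    driver: str  # driver image file name, lower-cased, e.g. "atapi.sys"
    detail: str


ENTRY_RE = re.compile(
    r'^\.rsrc\s+(?P<path>\S+)\s+entry point in "\.rsrc" section \[(?P<addr>0x[0-9A-Fa-f]+)\]')
# "AttachedDevice" lines (legitimate filter drivers such as AV or WDF) do not
# match: the anchor requires the line to start with a bare "Device".
DEVICE_RE = re.compile(
    r'^Device\s+(?P<drvobj>\\Driver\\\S+)\s+(?P<devobj>\\Device\\\S+)\s+'
    r'\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<image>\S+?)\[unknown section\]'
    r'(?:\s+(?P<stub>\{.*\}))?')
FILE_RE = re.compile(r'^File\s+(?P<path>.+?)\s+suspicious modification\s*$')


def _image_name(path: str) -> str:
    """Last path component, lower-cased, so different spellings of one driver collate."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer_log(text: str) -> list[Finding]:
    """Return one Finding per indicator line; section headers, sptd Cfg noise
    and AttachedDevice filter entries are ignored."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            findings.append(Finding("entry_point_in_rsrc", _image_name(m["path"]),
                                    f"entry point at {m['addr']}"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            stub = f" {m['stub']}" if m["stub"] else ""
            findings.append(Finding("hooked_device", _image_name(m["image"]),
                                    f"{m['devobj']} dispatch -> 0x{m['addr']}{stub}"))
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append(Finding("suspicious_file", _image_name(m["path"]), m["path"]))
    return findings


VERDICTS = {
    "infected_driver": "entry point relocated into .rsrc, device dispatch redirected and "
                       "on-disk image modified: treat the driver as infected and replace it "
                       "from a known-good source",
    "hooked_dispatch": "device dispatch redirected but image not reported modified: "
                       "rule out a legitimate filter before treating it as malicious",
    "single_indicator": "one indicator only: verify the file's signature and hash",
}


def assess(findings: list[Finding]) -> dict[str, dict]:
    """Correlate findings per driver image and attach a verdict key from VERDICTS."""
    report: dict[str, dict] = {}
    for f in findings:
        entry = report.setdefault(f.driver, {"kinds": set(), "details": []})
        entry["kinds"].add(f.kind)
        entry["details"].append(f"{f.kind}: {f.detail}")
    for entry in report.values():
        kinds = entry["kinds"]
        if {"entry_point_in_rsrc", "hooked_device", "suspicious_file"} <= kinds:
            entry["verdict"] = "infected_driver"
        elif "hooked_device" in kinds:
            entry["verdict"] = "hooked_dispatch"
        else:
            entry["verdict"] = "single_indicator"
    return report


if __name__ == "__main__":
    for driver, entry in assess(parse_gmer_log(SAMPLE_GMER_LOG)).items():
        print(f"{driver}: {VERDICTS[entry['verdict']]}")
        for d in entry["details"]:
            print(f"  - {d}")
```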

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 24 November 2009 - 02:17 AM

Hi,

Run ComboFix and let it update itself. Post back the resultant log.



#7 Interpulse20

Interpulse20
  • Topic Starter

  • Members
  • 33 posts

Posted 24 November 2009 - 02:30 AM

Hi,
I ran ComboFix; it said it was outdated and gave me the choice to either exit or continue in "reduced functionality mode".
So I chose the latter... here is the log it produced.

ComboFix 09-11-11.02 - Admin 24/11/2009 18:21.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3030.1728 [GMT 11:00]
Running from: c:\users\Admin\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.

2009-11-24 07:24 . 2009-11-24 07:24 -------- d-----w- c:\users\Admin\AppData\Local\temp
2009-11-24 07:24 . 2009-11-24 07:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-24 07:24 . 2009-11-24 07:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-24 00:43 . 2009-11-24 06:36 15872 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-20 04:07 . 2009-11-20 04:07 4096 d-----w- c:\program files\AskBarDis
2009-11-20 04:06 . 2009-02-15 13:11 293528 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2009-11-20 03:29 . 2009-04-11 06:32 27112 ----a-w- c:\windows\system32\drivers\msahci.sys
2009-11-20 02:55 . 2009-11-20 02:55 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-19 13:15 . 2009-11-19 13:15 236160 ----a-w- c:\windows\EasyGifAnimator_Toolbar_Uninstaller_970.exe
2009-11-19 13:15 . 2009-11-19 13:15 -------- d-----w- c:\program files\Easy Gif Animator Extension
2009-11-19 13:15 . 2009-11-19 13:15 4096 d-----w- c:\program files\Easy GIF Animator
2009-11-19 13:10 . 2009-11-19 13:10 -------- d-----w- c:\program files\JanSoft
2009-11-19 12:50 . 2009-11-19 12:50 -------- d-----w- C:\Multimedia Files
2009-11-19 12:50 . 2009-11-19 12:50 4096 d-----w- c:\program files\Microsoft GIF Animator
2009-11-19 07:32 . 2009-11-20 07:04 -------- d-----w- c:\users\Admin\AppData\Roaming\gtk-2.0
2009-11-19 07:32 . 2009-11-19 07:32 -------- d-----w- c:\users\Admin\.thumbnails
2009-11-19 07:30 . 2009-11-21 13:03 8192 d-----w- c:\users\Admin\.gimp-2.6
2009-11-19 07:29 . 2009-11-19 07:29 -------- d-----w- c:\program files\GIMP-2.0
2009-11-15 13:20 . 2009-11-15 13:36 -------- d-----w- c:\program files\Google
2009-11-15 13:19 . 2009-11-15 13:36 -------- d-----w- c:\users\Admin\AppData\Local\Google
2009-11-13 07:53 . 1998-11-22 03:23 84992 ----a-w- c:\windows\system32\Ledit32.dll
2009-11-13 07:53 . 1998-06-17 13:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2009-11-13 07:53 . 1997-02-24 06:44 70656 ----a-w- c:\windows\system32\vspell32.dll
2009-11-13 07:53 . 2008-09-12 03:55 1245184 ----a-w- c:\windows\system32\ChilkatCert.dll
2009-11-13 07:53 . 2008-09-12 03:50 1105920 ----a-w- c:\windows\system32\ChilkatFtp2.dll
2009-11-13 07:53 . 2009-11-13 07:54 4096 d-----w- c:\program files\PageBreeze
2009-11-11 07:33 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 07:32 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-04 08:04 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-11-04 08:04 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-04 08:04 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-04 08:04 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-04 08:03 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-11-04 08:03 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-04 08:03 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-04 08:03 . 2009-08-06 08:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-04 08:03 . 2009-08-06 07:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-31 16:13 . 2009-10-31 16:13 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-31 16:03 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-31 16:03 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-31 16:03 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-31 16:01 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-31 16:01 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-31 16:01 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-31 16:01 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-31 16:01 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-31 16:01 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-31 16:01 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-31 16:01 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-31 16:01 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-31 16:01 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-31 16:01 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-31 16:01 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-31 16:00 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-31 16:00 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-31 16:00 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-29 08:14 . 2009-10-29 08:14 12800 ----a-w- c:\windows\system32\lofd32.dll
2009-10-28 09:11 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 09:11 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 01:55 . 2009-10-26 01:55 4096 d-----w- c:\program files\CDRWIN 6
2009-10-26 01:55 . 2009-10-26 01:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 00:18 . 2009-06-17 12:12 6756 ----a-w- c:\users\Admin\AppData\Local\d3d9caps.dat
2009-11-23 06:55 . 2009-10-06 16:10 4096 d-----w- c:\users\Admin\AppData\Roaming\vlc
2009-11-22 00:11 . 2009-09-24 10:18 13394791 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-21 02:15 . 2009-10-21 00:18 4096 d-----w- c:\users\Admin\AppData\Roaming\Skype
2009-11-21 01:42 . 2009-10-21 00:21 4096 d-----w- c:\users\Admin\AppData\Roaming\skypePM
2009-11-11 08:42 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 08:32 . 2009-03-08 08:03 8192 d-----w- c:\programdata\Microsoft Help
2009-11-02 09:42 . 2009-10-02 18:56 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 16:13 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 16:12 . 2009-10-31 16:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-30 04:48 . 2009-10-09 23:41 4096 d-----w- c:\programdata\Apple Computer
2009-10-23 11:59 . 2009-10-07 09:43 -------- d-----w- c:\program files\dl_Cats
2009-10-23 04:43 . 2009-10-23 04:43 1580116 ----a-w- c:\programdata\SPLD015.tmp
2009-10-21 16:39 . 2009-03-08 08:00 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-21 15:05 . 2009-10-21 14:35 4096 d-----w- c:\users\Admin\AppData\Roaming\LimeWire
2009-10-21 15:04 . 2009-10-21 15:03 889000 ----a-w- c:\windows\vgep4557.exe
2009-10-21 08:53 . 2009-03-08 08:15 -------- d-----w- c:\programdata\Sonic
2009-10-21 00:21 . 2009-10-21 00:21 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-10-21 00:17 . 2009-10-21 00:17 -------- d-----r- c:\program files\Skype
2009-10-21 00:17 . 2009-10-21 00:17 -------- d-----w- c:\program files\Common Files\Skype
2009-10-21 00:17 . 2009-10-21 00:17 -------- d-----w- c:\programdata\Skype
2009-10-19 19:43 . 2009-09-11 14:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-10 09:59 . 2009-10-10 09:59 -------- d-----w- c:\users\Admin\AppData\Roaming\NCH Software
2009-10-10 09:58 . 2009-10-10 09:58 -------- d-----w- c:\programdata\NCH Swift Sound
2009-10-10 09:58 . 2009-10-10 09:58 -------- d-----w- c:\users\Admin\AppData\Roaming\NCH Swift Sound
2009-10-10 09:58 . 2009-10-10 09:58 -------- d-----w- c:\program files\NCH Swift Sound
2009-10-10 09:31 . 2009-10-09 23:42 -------- d-----w- c:\users\Admin\AppData\Roaming\Apple Computer
2009-10-09 23:42 . 2009-10-09 23:42 4096 d-----w- c:\program files\iTunes
2009-10-09 23:42 . 2009-10-09 23:42 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-09 23:42 . 2009-10-09 23:42 -------- d-----w- c:\program files\iPod
2009-10-09 23:42 . 2009-10-09 23:40 -------- d-----w- c:\program files\Common Files\Apple
2009-10-09 23:41 . 2009-10-09 23:41 -------- d-----w- c:\program files\Bonjour
2009-10-09 23:41 . 2009-10-09 23:41 4096 d-----w- c:\program files\QuickTime
2009-10-09 23:40 . 2009-10-09 23:40 4096 d-----w- c:\program files\Apple Software Update
2009-10-09 23:40 . 2009-10-09 23:40 -------- d-----w- c:\programdata\Apple
2009-10-09 02:25 . 2009-10-09 02:25 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-08 08:36 . 2009-10-08 08:36 -------- d-----w- c:\program files\Mustek
2009-10-08 08:35 . 2009-03-08 07:55 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-10-08 01:21 . 2009-10-08 00:15 32768 d-----w- c:\program files\Dell AIO 810
2009-10-08 01:10 . 2009-10-08 01:10 1102896 ----a-w- c:\programdata\SPL90CE.tmp
2009-10-07 06:46 . 2009-10-07 06:46 49152 d-----w- c:\program files\GPLGS
2009-10-07 06:44 . 2009-10-07 06:44 -------- d-----w- c:\program files\Acro Software
2009-10-06 16:08 . 2009-10-06 16:08 -------- d-----w- c:\program files\VideoLAN
2009-09-25 02:10 . 2009-10-31 16:02 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-31 16:02 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-31 16:02 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-31 16:02 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-31 16:02 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-31 16:02 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-31 16:02 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-31 16:02 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-31 16:02 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-31 16:02 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-31 16:02 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-31 16:02 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-31 16:02 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-31 16:02 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-31 16:02 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-31 16:02 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-31 16:02 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-31 16:02 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-31 16:02 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-31 16:02 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-31 16:02 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-31 16:02 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-31 16:02 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-31 16:02 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-31 16:02 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-31 16:02 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-31 16:02 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-21 06:09 . 2009-09-21 06:09 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-14 09:29 . 2009-10-14 06:31 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-11 15:54 . 2009-06-17 12:12 100256 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-10 16:48 . 2009-10-14 06:33 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 16:10 . 2009-09-10 16:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-10 16:10 . 2009-09-10 16:10 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-10 16:10 . 2009-09-10 16:10 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-10 16:10 . 2009-09-10 16:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-04 11:41 . 2009-10-14 06:31 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27 . 2009-09-10 18:12 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-10 18:12 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 18:54 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 18:54 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 18:54 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 18:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-03-08 23:07 . 2009-03-08 23:03 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-11-20_04.00.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-11-24 06:12 53646 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-24 06:32 85290 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-02-03 15:16 . 2009-11-24 06:31 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-02-03 15:16 . 2009-11-20 03:53 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-02-03 15:16 . 2009-11-20 03:53 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-02-03 15:16 . 2009-11-24 06:31 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-03 15:16 . 2009-11-20 03:53 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-02-03 15:16 . 2009-11-24 06:31 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2009-11-24 02:39 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2009-11-20 03:51 51200 c:\windows\inf\infpub.dat
+ 2009-09-10 18:20 . 2009-11-21 15:29 3426 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-06-17 12:14 . 2009-11-24 06:32 8782 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3946519151-573142694-2756214966-1003_UserData.bin
+ 2009-11-24 06:11 . 2009-11-24 06:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-20 03:53 . 2009-11-20 03:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-20 03:53 . 2009-11-20 03:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-24 06:11 . 2009-11-24 06:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-08 16:46 . 2009-11-23 00:21 208916 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-06-18 11:01 . 2009-11-24 05:49 306520 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2009-11-24 06:38 600378 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-11-20 04:00 600378 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-11-24 06:38 105852 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-11-20 04:00 105852 c:\windows\System32\perfc009.dat
+ 2009-10-14 19:22 . 2009-11-24 06:31 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-10-14 19:22 . 2009-11-20 03:53 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2006-11-02 10:25 . 2009-11-20 03:51 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-11-24 02:39 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2009-11-20 03:51 143360 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-11-24 02:39 143360 c:\windows\inf\infstor.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 07:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5768708-806B-4ced-9AE8-7C855EB782F7}]
2009-10-29 08:14 12800 ----a-w- c:\windows\System32\lofd32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"dlcgmon.exe"="c:\program files\Dell AIO 810\dlcgmon.exe" [2007-01-12 431600]
"FATrayAlert"="c:\program files\Sensible Vision\Fast Access\FATrayMon.exe" [2008-11-10 95496]
"FAStartup"="" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2008-11-10 06:16 140552 ----a-w- c:\program files\Sensible Vision\Fast Access\FALogNot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-08 08:09 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli FAPassSync

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f0,1b,60,f3,9f,36,ca,01

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/09/2009 3:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/09/2009 3:10 AM 108552]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\AEstSrv.exe [9/03/2009 10:29 AM 81920]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [20/11/2009 3:07 PM 464264]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/09/2009 3:10 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/09/2009 3:10 AM 297752]
R2 FAService;FAService;c:\program files\Sensible Vision\Fast Access\FAService.exe [10/11/2008 5:16 PM 2344200]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [5/12/2008 3:25 AM 112640]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\k57nd60x.sys [9/03/2009 10:29 AM 212992]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [9/03/2009 10:29 AM 3663360]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\System32\drivers\OA008Ufd.sys [9/03/2009 10:29 AM 144672]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\System32\drivers\OA008Vid.sys [9/03/2009 10:29 AM 269536]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe --> c:\program files\Dell\DellDock\DockLogin.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/11/2009 12:25 AM 135664]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [8/03/2009 6:59 PM 29736]
S3 FACAP;facap, FastAccess Video Capture;c:\windows\System32\drivers\facap.sys [24/09/2008 10:36 PM 232832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21/01/2008 1:23 PM 21504]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
*Deregistered* - pxldypoc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 13:24]

2009-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-15 13:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clxkyvc3.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 18:24
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x89D60F61]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(568)
c:\windows\system32\FAPassSync.dll
.
Completion time: 2009-11-24 18:27
ComboFix-quarantined-files.txt 2009-11-24 07:27
ComboFix2.txt 2009-11-20 04:03

Pre-Run: 196,733,075,456 bytes free
Post-Run: 196,778,160,128 bytes free

- - End Of File - - 3253A22DA0D6B467CE36BA922ED33901

#8 Blade81

  • Malware Response Team

Posted 24 November 2009 - 02:32 AM

In that case, please delete old ComboFix.exe and download a fresh copy from one of the links here.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 Interpulse20

  • Topic Starter

Posted 24 November 2009 - 02:41 AM

Hi,
I have just done that and now I have an error message:

"You cannot rename ComboFix as ComboFix(2)

Please use another name preferably made up of alphanumeric characters"


I pressed "OK" as there are no other options.

Now nothing is happening.

EDIT: I downloaded it fine, ran it and then got that message.

Edited by Interpulse20, 24 November 2009 - 02:41 AM.


#10 Blade81

  • Malware Response Team

Posted 24 November 2009 - 02:44 AM

Did you delete old ComboFix.exe first as instructed? Delete all ComboFix.exe instances (ComboFix.exe, ComboFix(2).exe and other possible ones) on your desktop. Then download a fresh version and run it.



#11 Interpulse20

  • Topic Starter

Posted 24 November 2009 - 02:46 AM

Yes I did...

It just occurred to me that maybe it's referring to the log? C:/ComboFix.txt

#12 Blade81

  • Malware Response Team

Posted 24 November 2009 - 02:52 AM

Logfile shouldn't cause the issue. Rename ComboFix.exe -> Admin.exe and see if it runs.



#13 Interpulse20

  • Topic Starter

Posted 24 November 2009 - 06:07 AM

Hi,
sorry for the slow reply,
I found out what was happening: it was downloading to another folder where there was another copy of ComboFix, so I deleted all copies and re-downloaded. It updated and has been in scanning state for hours now... it must have frozen?
Cheers,
Rich

#14 Blade81

  • Malware Response Team

Posted 24 November 2009 - 09:23 AM

Hi,

Reboot and see if ComboFix.txt gets generated. If not, run ComboFix again.



#15 Interpulse20

  • Topic Starter

Posted 24 November 2009 - 11:18 AM

Hi,
I restarted, combofix.txt was not generated.
I ran combofix again and once again it updated and then stayed in scanning mode for a very long time...
I repeated the steps and same again...