
rootkit infection


#1 beepdip

Posted 02 January 2010 - 06:17 PM

rigel:
I have some good and bad news. You have a rootkit on your computer.
The good news is, that this rootkit should be easily removed in our HJT forum.
They have the tools there to eradicate this bug.

background here:
http://www.bleepingcomputer.com/forums/ind...p;#entry1561584

Thank You!

Happy New Year!


DDS:

Run by RA at 19:28:32.45 on Fri 01/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2048.1663 [GMT -8:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\RA\Desktop\dds.scr

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\ra\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ra\applic~1\mozilla\firefox\profiles\ozvtlwai.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64160]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-11-9 12672]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
S2 gupdate1ca308e2452298;Google Update Service (gupdate1ca308e2452298);c:\program files\google\update\GoogleUpdate.exe [2009-9-8 133104]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-4-7 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]

=============== Created Last 30 ================

2010-01-01 06:18:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 06:18:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 06:18:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 04:17:21 0 d-----w- c:\documents and settings\ra\DoctorWeb
2009-12-30 15:24:46 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-30 00:44:09 0 d-----w- c:\program files\Trend Micro
2009-12-29 10:52:19 0 d-----w- c:\docume~1\ra\applic~1\AVG8
2009-12-25 20:36:08 199 ----a-w- c:\windows\system32\srcr.dat
2009-12-05 20:19:55 0 d-----w- C:\$AVG
2009-12-05 20:18:58 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2009-11-03 20:16:01 737280 ----a-w- c:\windows\iun6002.exe
2009-10-06 17:44:57 166 ---ha-w- c:\documents and settings\all users\hpothb07.dat

============= FINISH: 19:28:53.00 ===============


#2 syler

  • Malware Response Team

Posted 11 January 2010 - 12:24 AM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log
Thanks



#3 beepdip

  • Topic Starter

Posted 12 January 2010 - 11:37 PM

Hello Syler,

I still need the same help regarding the same issue.
I have done nothing on that system since BleepingComputer told me to patiently wait until contacted.

I will endeavor to follow your instructions asap.

Thank you for helping!

;-)

#4 beepdip

  • Topic Starter

Posted 13 January 2010 - 05:28 PM

Dear Syler,

I am hereby copy/pasting gmer log, as requested,
and posting/UPLOADing the RSIT log.txt & info.txt
(I also UPLOADed the gmer log, just in case such helps)

Thank You

;-) Beep




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-13 14:16:54
Windows 5.1.2600 Service Pack 3
Running: hm8dugnp.exe; Driver: C:\DOCUME~1\RA\LOCALS~1\Temp\uxriafoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT sptd.sys ZwEnumerateKey [0xF74F4E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xF74F51BA]
SSDT sptd.sys ZwOpenKey [0xF74EF0B0]
SSDT sptd.sys ZwQueryKey [0xF74F5292]
SSDT sptd.sys ZwQueryValueKey [0xF74F5112]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AAE01E8
Device \FileSystem\Fastfat \FatCdrom 8A6B97A0
Device \Driver\usbuhci \Device\USBPDO-0 8A8837A0
Device \Driver\usbuhci \Device\USBPDO-1 8A8837A0
Device \Driver\PCI_NTPNP8462 \Device\00000045 sptd.sys
Device \Driver\PCI_NTPNP8462 \Device\00000045 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-2 8A8837A0
Device \Driver\usbehci \Device\USBPDO-3 8A8CF7A0

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8AB4C1E8
Device \Driver\Cdrom \Device\CdRom0 8A7B77A0
Device \Driver\Cdrom \Device\CdRom1 8A7B77A0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom2 8A7B77A0
Device \Driver\Cdrom \Device\CdRom3 8A7B77A0
Device \Driver\Cdrom \Device\CdRom4 8A7B77A0
Device \Driver\Cdrom \Device\CdRom5 8A7B77A0
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A79A430
Device \Driver\USBSTOR \Device\00000078 8A7887A0
Device \Driver\USBSTOR \Device\00000079 8A7887A0
Device \Driver\NetBT \Device\NetbiosSmb 8A79A430
Device \Driver\NetBT \Device\NetBT_Tcpip_{D13C65CE-B55B-45AD-A9B8-C72060C1C225} 8A79A430
Device \Driver\usbuhci \Device\USBFDO-0 8A8837A0
Device \Driver\usbuhci \Device\USBFDO-1 8A8837A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A72E7A0
Device \Driver\usbuhci \Device\USBFDO-2 8A8837A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A72E7A0
Device \Driver\usbehci \Device\USBFDO-3 8A8CF7A0
Device \Driver\Ftdisk \Device\FtControl 8AB4C1E8
Device \Driver\a0a1idk5 \Device\Scsi\a0a1idk51 8A80E1E8
Device \Driver\a0a1idk5 \Device\Scsi\a0a1idk51Port3Path0Target0Lun0 8A80E1E8
Device \Driver\a0a1idk5 \Device\Scsi\a0a1idk51Port3Path0Target1Lun0 8A80E1E8
Device \FileSystem\Fastfat \Fat 8A6B97A0

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A5D37A0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB9 0xF9 0xB6 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xED 0x12 0x39 0x23 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x60 0xD6 0xA1 0x9E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x41 0xEF 0x4D 0xE0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x05 0x50 0x26 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xED 0x12 0x39 0x23 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA2 0xA2 0x11 0x12 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x41 0xEF 0x4D 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x49 0x05 0x50 0x26 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xED 0x12 0x39 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA2 0xA2 0x11 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x41 0xEF 0x4D 0xE0 ...

---- EOF - GMER 1.0.15 ----


#5 syler

  • Malware Response Team

Posted 13 January 2010 - 09:40 PM

Hello Beep,

I don't see any problems in your logs; however, I don't see any AV installed.

Please install an AntiVirus then run a full scan, then post back here with a new Rsit log and let me know if you are still having any problems.

  • Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

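Syler's reading of the GMER log above (SSDT hooks by Lbd.sys and sptd.sys only) can be made mechanical. The Python helper below is an added example written for this thread, not code from the thread, from GMER or from DDS; it parses the posted SSDT lines, cross-references each hooking driver with the DDS "SERVICES / DRIVERS" list, and reports which hooks still lack attribution (sptd.sys here: the GMER registry section ties it to the DAEMON Tools install path, but DDS does not list it as a service, so it is the one entry a helper would look up by hand).

```python
"""Triage the SSDT section of a GMER log against the DDS service list.

Hypothetical helper written for this thread (not GMER, DDS or BleepingComputer
code). The sample lines are copied from the logs posted above.
"""
import re
from collections import defaultdict

# Constructed sample: the SSDT lines from the GMER log in post #4.
GMER_SAMPLE = """
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT sptd.sys ZwEnumerateKey [0xF74F4E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xF74F51BA]
SSDT sptd.sys ZwOpenKey [0xF74EF0B0]
SSDT sptd.sys ZwQueryKey [0xF74F5292]
SSDT sptd.sys ZwQueryValueKey [0xF74F5112]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]
"""

# Constructed sample: three lines from the DDS "SERVICES / DRIVERS" section in post #1.
DDS_SAMPLE = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64160]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-11-9 12672]
S2 gupdate1ca308e2452298;Google Update Service (gupdate1ca308e2452298);c:\program files\google\update\GoogleUpdate.exe [2009-9-8 133104]
"""

# GMER: "SSDT <module> [(<vendor>)] <ZwFunction> [0x<address>]"
SSDT_LINE = re.compile(
    r"^SSDT\s+(?P<module>\S+?)(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"
)
# DDS: "<R0|S3|...> <service>;<display name>;<path> [<date> <size>]"
DDS_SERVICE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\["
)


def parse_ssdt_hooks(gmer_text):
    """Map each hooking driver (lower-cased file name) to its (func, vendor, addr) hooks."""
    hooks = defaultdict(list)
    for line in gmer_text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if m:
            hooks[m["module"].lower()].append((m["func"], m["vendor"], m["addr"].upper()))
    return dict(hooks)


def parse_dds_services(dds_text):
    """Map each driver/service file name (lower-cased) to (start type, service name)."""
    services = {}
    for line in dds_text.splitlines():
        m = DDS_SERVICE.match(line.strip())
        if m:
            filename = m["path"].rsplit("\\", 1)[-1].lower()
            services[filename] = (m["state"], m["name"])
    return services


def triage_hooks(gmer_text, dds_text):
    """One record per hooking driver with a coarse attribution verdict.

    'attributed': GMER names the vendor and DDS lists the driver as a service.
    'partially-attributed': only one of the two sources identifies it.
    'unattributed': neither does; resolve the file by publisher, install path
    and registry references before calling it benign or malicious.
    """
    hooks = parse_ssdt_hooks(gmer_text)
    services = parse_dds_services(dds_text)
    report = []
    for module, entries in sorted(hooks.items()):
        funcs = sorted(func for func, _, _ in entries)
        vendors = sorted({vendor for _, vendor, _ in entries if vendor})
        in_dds = module in services
        if vendors and in_dds:
            verdict = "attributed"
        elif in_dds or vendors:
            verdict = "partially-attributed"
        else:
            verdict = "unattributed"
        report.append({
            "module": module,
            "vendor": ", ".join(vendors) or None,
            "service": services.get(module),
            "hooks": funcs,
            # A hook set made only of Zw*Key* functions intercepts registry
            # access, not process or file creation; that narrows what to check.
            "registry_only": all("Key" in f for f in funcs),
            "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for rec in triage_hooks(GMER_SAMPLE, DDS_SAMPLE):
        print(f"{rec['module']:10} {rec['verdict']:22} vendor={rec['vendor']} "
              f"service={rec['service']} hooks={', '.join(rec['hooks'])}")
```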


#6 beepdip

  • Topic Starter

Posted 15 January 2010 - 02:39 AM

Dear Syler,

firstly,
regarding original subject issue:
re-tried installing 'AVG Free 9.0 build 716 (12/8/2009)'

after Almost complete 'checking computer status',
AVG stopped and reported:

'Potentially incompatible software'

and named:

'Malware Defense'

===

told me to Uninstall, & provided link to 'Add or Remove Programs'

which I clicked on went there, but could not find 'Malware Defense' anywhere

########

anyways,
so then I proceeded to install & run the 2 anti-virus programs you told me to

-

Avast initial run reported the following:

dameon 4091-x86.exe
is infected with the following:
win32:Agent-AIIU [Trj]
===
which I chose Avast to dispose of
--
then Avast proceeded to scan further

(I have included 3 logs from Avast, just in case the 2, 'perhaps superfluous', Might present Useful)

====== &



I am pasting the Antivir log here:



Avira AntiVir Personal
Report file date: Thursday, January 14, 2010 21:07

Scanning for 1531014 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : 2009APRIL07

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 19:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 05:06:05
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 05:06:05
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 05:06:06
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 05:06:06
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 05:06:06
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 05:06:06
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 05:06:06
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 05:06:06
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 05:06:07
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 05:06:07
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 05:06:07
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 05:06:07
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 05:06:08
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 05:06:09
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 05:06:10
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 05:06:10
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 05:06:11
VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 05:06:12
VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 05:06:12
VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 05:06:13
VBASE021.VDF : 7.10.2.131 201216 Bytes 1/7/2010 05:06:14
VBASE022.VDF : 7.10.2.158 192000 Bytes 1/11/2010 05:06:15
VBASE023.VDF : 7.10.2.186 200704 Bytes 1/14/2010 05:06:15
VBASE024.VDF : 7.10.2.187 2048 Bytes 1/14/2010 05:06:16
VBASE025.VDF : 7.10.2.188 2048 Bytes 1/14/2010 05:06:16
VBASE026.VDF : 7.10.2.189 2048 Bytes 1/14/2010 05:06:16
VBASE027.VDF : 7.10.2.190 2048 Bytes 1/14/2010 05:06:16
VBASE028.VDF : 7.10.2.191 2048 Bytes 1/14/2010 05:06:16
VBASE029.VDF : 7.10.2.192 2048 Bytes 1/14/2010 05:06:17
VBASE030.VDF : 7.10.2.193 2048 Bytes 1/14/2010 05:06:17
VBASE031.VDF : 7.10.2.195 30720 Bytes 1/14/2010 05:06:17
Engineversion : 8.2.1.142
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 15:38:52
AESCRIPT.DLL : 8.1.3.7 594296 Bytes 1/15/2010 05:06:25
AESCN.DLL : 8.1.3.1 127348 Bytes 1/15/2010 05:06:24
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 15:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 1/15/2010 05:06:24
AEPACK.DLL : 8.2.0.5 422262 Bytes 1/15/2010 05:06:23
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 15:38:38
AEHEUR.DLL : 8.1.0.195 2232695 Bytes 1/15/2010 05:06:22
AEHELP.DLL : 8.1.10.0 237942 Bytes 1/15/2010 05:06:19
AEGEN.DLL : 8.1.1.83 369014 Bytes 1/15/2010 05:06:18
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 15:38:26
AECORE.DLL : 8.1.9.5 184693 Bytes 1/15/2010 05:06:18
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 15:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 23:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 20:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +PFS,

Start of the scan: Thursday, January 14, 2010 21:07

Starting search for hidden objects.
'105248' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
Scan process 'hpotdd01.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'CtHelper.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CTAudSvc.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '53' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\9MBM1YN3\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\9MBM1YN3\2[2].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[2].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[3].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[4].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[5].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[6].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\RGFF4W52\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\VXD97NZW\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\System Volume Information\_restore{E7CB3BE0-EA2F-4362-9DFC-8F5926E28666}\RP242\A0031247.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!

Beginning disinfection:
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\9MBM1YN3\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4b810bb9.qua'!
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\9MBM1YN3\2[2].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4b820bb9.qua'!
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '487d6852.qua'!
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[2].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '487c78c2.qua'!
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[3].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4b830bb9.qua'!
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[4].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4b840bb9.qua'!
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[5].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4b850bb9.qua'!
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\NTM0J4YB\2[6].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4b860bb9.qua'!
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\RGFF4W52\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4e783722.qua'!
C:\Documents and Settings\RA\Local Settings\Temporary Internet Files\Content.IE5\VXD97NZW\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4e7b4fda.qua'!
C:\System Volume Information\_restore{E7CB3BE0-EA2F-4362-9DFC-8F5926E28666}\RP242\A0031247.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4b800b8e.qua'!


End of the scan: Thursday, January 14, 2010 22:29
Used time: 1:09:05 Hour(s)

The scan has been done completely.

9028 Scanned directories
292779 Files were scanned
11 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
292765 Files not concerned
6238 Archives were scanned
3 Warnings
13 Notes
105248 Objects were scanned with rootkit scan
0 Hidden objects were found


#7 syler (Malware Response Team)

Posted 16 January 2010 - 03:53 AM

Hi,

I only said to install one AV; you shouldn't have two installed, because this can cause problems. Please uninstall one of them and post a new RSIT log.

Thanks



#8 beepdip (Topic Starter)

Posted 16 January 2010 - 04:02 AM

dear Syler,

I listened and obeyed.

I did them one at a time.

Never were there any two installed together at any time.

Thanks

have a wonderful weekend

;-) beeb

#9 syler (Malware Response Team)

Posted 16 January 2010 - 04:08 AM

Ah, OK. Can you post a new RSIT log, please?



#10 beepdip (Topic Starter)

Posted 16 January 2010 - 04:37 AM

dear Syler,

Thanks!

;-)

Attached File: log.txt (21.15KB)


#11 syler (Malware Response Team)

Posted 17 January 2010 - 07:52 AM

Hi,

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code into the instructions box. Do not include the word "Code".
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    :Files
    C:\Documents and Settings\RA\Application Data\AVG8
    C:\Documents and Settings\All Users\Application Data\avg9
    C:\$AVG
    :Commands
    [EmptyTemp]
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Go to Start >> Run, type Services.msc

From the list of services find Windows Management Instrumentation
Right click it, then select Stop. A message will pop up click yes.

Now navigate to this folder and delete it.

C:\WINDOWS\system32\wbem\Repository <-- This folder

Now go back to Windows Management Instrumentation in the services list.
Right click it, then select Start. Exit the services list, then restart your computer.


Then please post back here with the following logs:
  • OTM results
  • New DDS log
Thanks


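The procedure in the post above (registry backup, the OTM :Reg and :Files sections, emptying temp folders, and the WMI repository rebuild) can be done with tools that ship with Windows. The script below is an added example, not OTM, ERUNT or syler's code. It assumes it is run from an administrator PowerShell on the affected machine, that the backup folder name is free to choose, and it takes the CLSIDs and the Windows XP paths from the OTM script in the post. Everything it removes is moved or exported under one folder first, so the step can be undone.

```powershell
# Added example: the cleanup syler describes, done with built-in Windows tools.
# Not OTM, ERUNT or syler's code. Assumed: run as administrator; backup folder
# name; CLSIDs and XP paths as given in the OTM script above.

$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an administrator PowerShell.'
}

# Every change is recorded under one folder so the step can be reversed.
$backupDir = Join-Path $env:SystemDrive ('_cleanup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# 1. Registry backup before anything is touched (ERUNT backs up whole hives;
#    reg.exe export writes a .reg file that "reg import" restores).
$bho = '{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}'   # orphaned AVG Safe Search BHO
$tb  = '{CCC7A320-B3CA-4199-B1A6-9F516DD69829}'   # toolbar CLSID listed as "No File"
$keys = @(
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
    "HKCR\CLSID\$bho",
    "HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar",
    "HKCR\CLSID\$tb",
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent"
)
$i = 0
foreach ($k in $keys) {
    $i++
    # A non-zero exit here only means the key is already absent: nothing to back up.
    & reg.exe export $k (Join-Path $backupDir "key$i.reg") /y 2>$null | Out-Null
}

# 2. The :Reg section of the OTM script. PowerShell has no HKCR: drive by default,
#    so HKEY_CLASSES_ROOT is reached through the Registry:: provider path.
function Remove-RegKeyIfPresent([string]$Path) {
    if (Test-Path -LiteralPath $Path) {
        Remove-Item -LiteralPath $Path -Recurse -Force
        "deleted key   $Path"
    } else { "not found     $Path" }
}
Remove-RegKeyIfPresent "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho"
Remove-RegKeyIfPresent "Registry::HKEY_CLASSES_ROOT\CLSID\$bho"
Remove-RegKeyIfPresent "Registry::HKEY_CLASSES_ROOT\CLSID\$tb"
Remove-RegKeyIfPresent "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent"

# The toolbar entry is a value named after the CLSID under the Toolbar key, not a key.
$tbKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
if (Get-ItemProperty -Path $tbKey -Name $tb -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $tbKey -Name $tb
    "deleted value $tbKey\$tb"
}

# 3. The :Files section: leftover AVG folders, moved aside rather than deleted.
$leftovers = @(
    (Join-Path $env:APPDATA 'AVG8'),                              # per-user profile
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\avg9'),     # XP All Users layout
    (Join-Path $env:SystemDrive '$AVG')
)
foreach ($p in $leftovers) {
    if (Test-Path -LiteralPath $p) {
        Move-Item -LiteralPath $p -Destination (Join-Path $backupDir (Split-Path $p -Leaf))
        "moved folder  $p"
    } else { "not found     $p" }
}

# 4. [EmptyTemp] for the current user's temp folder and the Windows temp folder.
foreach ($t in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
    Get-ChildItem -LiteralPath $t -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# 5. WMI repository rebuild: stop the service (and its dependents), set the old
#    repository aside, start the service again; WMI recreates the repository.
Stop-Service -Name winmgmt -Force
$repo = Join-Path $env:SystemRoot 'system32\wbem\Repository'
if (Test-Path -LiteralPath $repo) {
    Move-Item -LiteralPath $repo -Destination (Join-Path $backupDir 'wbem_Repository')
}
Start-Service -Name winmgmt
"backups in $backupDir; reboot, then collect a fresh DDS log"
```

Moving the repository and the AVG folders instead of deleting them costs nothing and keeps the step reversible; if WMI misbehaves after the restart, moving wbem_Repository back restores the old state. The script works per user for the temp and AVG8 paths, so it should be run from the RA account the logs were taken in.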

#12 beepdip (Topic Starter)

Posted 20 January 2010 - 03:09 AM

Syler,

OK, just got the message; will do tomorrow, after I get some rest and a fresh head, so as to better make sure I execute securely ;-)

Thanks!

#13 beepdip (Topic Starter)

Posted 21 January 2010 - 03:22 AM

Hello Syler ;-)

first the
* OTM results
then the
* New DDS log

==============================\ * OTM results


All processes killed
Error: Unable to interpret <Reg> in the current context!
Error: Unable to interpret <[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]> in the current context!
Error: Unable to interpret <[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]> in the current context!
Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]> in the current context!
Error: Unable to interpret <"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"=-> in the current context!
Error: Unable to interpret <[-HKEY_CLASSES_ROOT\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]> in the current context!
Error: Unable to interpret <[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]> in the current context!
========== FILES ==========
C:\Documents and Settings\RA\Application Data\AVG8 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Log folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Chjw folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9 folder moved successfully.
C:\$AVG\$CHJW folder moved successfully.
C:\$AVG folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 255002 bytes
->Temporary Internet Files folder emptied: 70726 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 40339126 bytes

User: RA
->Temp folder emptied: 899815194 bytes
->Temporary Internet Files folder emptied: 347578009 bytes
->Java cache emptied: 26791874 bytes
->FireFox cache emptied: 92803765 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2675729 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 176438 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 500664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 997048 bytes

Total Files Cleaned = 1,347.00 mb


OTM by OldTimer - Version 3.1.6.0 log created on 01202010_233044

Files moved on Reboot...

Registry entries deleted on Reboot...




===========================================\ * New DDS log



DDS (Ver_09-12-01.01) - NTFSx86
Run by RA at 0:10:02.79 on Thu 01/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2048.1663 [GMT -8:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\RA\Desktop\dds.scr

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\ra\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\ra\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ra\applic~1\mozilla\firefox\profiles\ozvtlwai.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64160]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-11-9 12672]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
S2 gupdate1ca308e2452298;Google Update Service (gupdate1ca308e2452298);c:\program files\google\update\GoogleUpdate.exe [2009-9-8 133104]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-4-7 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]

=============== Created Last 30 ================

2010-01-21 07:30:44 0 d-----w- C:\_OTM
2010-01-15 05:02:40 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-14 04:10:15 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-01-01 06:18:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 06:18:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 06:18:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 04:17:21 0 d-----w- c:\documents and settings\ra\DoctorWeb
2009-12-30 15:24:46 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-30 00:44:09 0 d-----w- c:\program files\Trend Micro
2009-12-25 20:36:08 199 ----a-w- c:\windows\system32\srcr.dat

==================== Find3M ====================

2009-11-03 20:16:01 737280 ----a-w- c:\windows\iun6002.exe

============= FINISH: 0:10:23.68 ===============

#14 syler (Malware Response Team)

Posted 21 January 2010 - 03:26 AM

Hi Beep,

You didn't copy the OTM code properly; you missed the : at the beginning, before Reg. Please run the code again, then post the
results and a new DDS log.

Thanks



#15 beepdip (Topic Starter)

Posted 21 January 2010 - 04:17 AM

Hello Syler, hope I got it right ;-)

first the
* OTM results
then the
* New DDS log

==============================\ * OTM results





All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent\ deleted successfully.
========== FILES ==========
File/Folder C:\Documents and Settings\RA\Application Data\AVG8 not found.
File/Folder C:\Documents and Settings\All Users\Application Data\avg9 not found.
File/Folder C:\$AVG not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: RA
->Temp folder emptied: 18822 bytes
->Temporary Internet Files folder emptied: 38766 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTM by OldTimer - Version 3.1.6.0 log created on 01212010_005528

Files moved on Reboot...

Registry entries deleted on Reboot...






=================================================\ * New DDS log






DDS (Ver_09-12-01.01) - NTFSx86
Run by RA at 1:06:43.06 on Thu 01/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2048.1679 [GMT -8:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\RA\Desktop\dds.scr

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\ra\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\ra\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ra\applic~1\mozilla\firefox\profiles\ozvtlwai.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64160]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-11-9 12672]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
S2 gupdate1ca308e2452298;Google Update Service (gupdate1ca308e2452298);c:\program files\google\update\GoogleUpdate.exe [2009-9-8 133104]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-4-7 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]

=============== Created Last 30 ================

2010-01-21 07:30:44 0 d-----w- C:\_OTM
2010-01-15 05:02:40 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-14 04:10:15 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-01-01 06:18:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 06:18:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 06:18:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 04:17:21 0 d-----w- c:\documents and settings\ra\DoctorWeb
2009-12-30 15:24:46 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-30 00:44:09 0 d-----w- c:\program files\Trend Micro
2009-12-25 20:36:08 199 ----a-w- c:\windows\system32\srcr.dat

==================== Find3M ====================

2009-11-03 20:16:01 737280 ----a-w- c:\windows\iun6002.exe

============= FINISH: 1:07:03.46 ===============


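Reading two DDS logs side by side to see what an OTM run changed is tedious; the Pseudo HJT Report section is the part that matters for browser hooks. The script below is an added example, not DDS's or the thread's own code: it pulls that section out of two logs, lists the entries that appeared or disappeared, and flags any entry whose target is "No File", the orphaned-reference pattern the OTM script targets. The two sample logs are constructed from excerpts of the DDS output posted above (the BHO line from the earlier log, the TB lines from both), so the output reproduces what the two full logs show.

```powershell
# Added example, not part of DDS or the thread: compare the "Pseudo HJT Report"
# sections of two DDS logs. Sample logs below are constructed from excerpts of
# the DDS output in the posts above.

function Get-PseudoHjtEntries([string[]]$LogLines) {
    # Entries sit between the Pseudo HJT header and the next "=== NAME ===" header.
    $inSection = $false
    foreach ($line in $LogLines) {
        if ($line -match '^=+ Pseudo HJT Report =+$') { $inSection = $true; continue }
        if ($inSection -and $line -match '^=+ \S.* =+$') { break }
        if ($inSection -and $line.Trim()) { $line.Trim() }
    }
}

function Compare-PseudoHjt([string[]]$Before, [string[]]$After) {
    $b = @(Get-PseudoHjtEntries $Before)
    $a = @(Get-PseudoHjtEntries $After)
    foreach ($e in $b) { if ($a -notcontains $e) { "removed : $e" } }
    foreach ($e in $a) { if ($b -notcontains $e) { "added   : $e" } }
    # Orphans: a registry reference whose file is gone. These survive a cleanup
    # that only deleted the CLSID key, as the second DDS log above shows.
    foreach ($e in $a) { if ($e -match '- No File$') { "orphan  : $e" } }
}

$beforeLog = @'
============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

================= FIREFOX ===================
'@ -split "`r?`n"

$afterLog = @'
============== Pseudo HJT Report ===============

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

================= FIREFOX ===================
'@ -split "`r?`n"

Compare-PseudoHjt $beforeLog $afterLog
```

On the constructed input this reports the AVG Safe Search BHO as removed and both toolbar CLSIDs as orphans, which matches the two full logs: deleting the Toolbar value and the CLSID keys did not make the "No File" TB lines go away, so they are still worth a look in the next round. For real use, feed it the two saved DDS logs with Get-Content.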

