
Two infections: Trojan and not sure what the second is


  • This topic is locked
20 replies to this topic

#1 alonros

alonros

  • Members
  • 10 posts

Posted 15 March 2010 - 03:13 AM

My AVG anti-virus constantly pops up alerts saying: Multiple threat detection: Trojan horse dropper agent RBW or QXY---infected. I constantly move them to the vault, but how do I get rid of this?

The second infection causes alerts which pop up at different times saying: the application or dll c:/documents and settings/network services/local settings/application data/windows server/mlthnj.dll is not a valid windows image
How do I remove this?

As instructed I am pasting DDS.txt and attaching Attach.txt and Ark.txt

Thanks so much for all or any help

DDS.txt:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Alon at 20:50:42.95 on Sat 03/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.286 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Documents and Settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Alon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
svchost.exe -m
C:\Documents and Settings\Alon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
G:\My Documents\Downloads\dds.scr
G:\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\family toolbar\tbhelper.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\family toolbar\tbcore3.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {ac5c9d61-4e55-4261-a6dd-368d89ae92e4} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Family Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\family toolbar\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\alon\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MoeMonitor.exe] "c:\documents and settings\alon\local settings\application data\microsoft\live mesh\bin\servicing\0.9.4014.7\MoeMonitor.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [EPSON Stylus CX4200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search - ?p=ZJxdm375YEUS
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - c:\program files\soundtaxi\YouTubeRipper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241663325292
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: wlcrdplauncher - c:\program files\live mesh\remote desktop\wlcrdplauncher.dll
AppInit_DLLs: app_dll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SwUpdate - {003541A1-3BC0-1B1C-AAF3-040114001C01} - c:\documents and settings\all users\application data\macromedia\swupdate\swupdate.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 96.168.178.115 secure.antimalwaredefender.com
Hosts: 96.168.178.115 support.antimalwaredefender.com
Hosts: 95.168.173.24 secure.antimalware-defender.com
Hosts: 95.168.173.24 support.antimalware-defender.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alon\applic~1\mozilla\firefox\profiles\m9joj11s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\alon\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-5-12 97408]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-5 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-5 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-5 242696]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-5 353672]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-7 308064]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\live mesh\remote desktop\wlcrasvc.exe [2010-3-13 44880]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2010-3-13 9040]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2010-3-13 19408]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-12-17 23096]
S0 nfghibfp;nfghibfp;c:\windows\system32\drivers\nfghibfp.sys [2010-3-7 0]
S2 gupdate1c95c34c9732810;Google Update Service (gupdate1c95c34c9732810);c:\program files\google\update\GoogleUpdate.exe [2008-12-12 133104]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-12-17 249856]
S3 STSService;STSService;c:\program files\soundtaxi media suite\STSService.exe [2009-10-30 335872]
S3 tdisnap;tdisnap;c:\windows\system32\tdisnap.sys [2004-8-4 2304]

=============== Created Last 30 ================

2010-03-14 00:49:56 0 ----a-w- c:\documents and settings\alon\defogger_reenable
2010-03-14 00:09:39 9040 ----a-w- c:\windows\system32\drivers\rdpdispm.sys
2010-03-14 00:09:39 19408 ----a-w- c:\windows\system32\drivers\rdpvmp.sys
2010-03-14 00:09:39 15696 ----a-w- c:\windows\system32\rdpvdd.dll
2010-03-14 00:09:39 118736 ----a-w- c:\windows\system32\rdpdispd.dll
2010-03-14 00:09:29 0 d-----w- c:\program files\Live Mesh
2010-03-13 10:40:08 4 ----a-w- c:\program files\28633042.dat
2010-03-10 06:05:21 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 04:10:08 331 ----a-w- c:\windows\wininit.ini
2010-03-08 04:04:55 0 d--h--w- C:\$AVG
2010-03-08 04:03:27 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-08 03:12:10 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-08 03:12:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll.639569.old
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll.55460618.old
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll.44603446.old
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll.376220.old
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll.371624.old
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll.310626.old
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll.16097226.old
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll.1607491.old
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll.10354519.old
2010-03-08 02:15:14 94208 ----a-w- c:\windows\system32\app_dll.dll
2010-03-08 02:14:45 0 ----a-w- c:\windows\system32\drivers\nfghibfp.sys
2010-02-24 08:58:19 0 d-----w- c:\docume~1\alon\applic~1\OpenOffice.org
2010-02-24 08:56:16 0 d-----w- c:\program files\JRE
2010-02-24 08:55:57 0 d-----w- c:\program files\OpenOffice.org 3
2010-02-24 08:55:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-16 07:18:10 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-02-16 07:16:34 0 d-----w- c:\program files\HP
2010-02-16 06:55:25 17176 ------w- c:\windows\hpomdl04.dat
2010-02-16 06:55:25 103535 ----a-w- c:\windows\hpoins04.dat
2010-02-16 06:55:23 51088 ----a-w- c:\windows\system32\drivers\hpzid412.sys
2010-02-16 06:55:23 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-02-16 06:55:18 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-02-16 06:55:18 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-02-16 06:55:18 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-02-16 06:55:15 180315 ----a-w- c:\windows\system32\hpzsnt10.dll
2010-02-16 06:55:14 344064 ----a-w- c:\windows\system32\hpzcon10.dll
2010-02-16 06:55:14 196608 ----a-w- c:\windows\system32\hpzcoi10.dll
2010-02-15 23:50:20 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-02-15 23:50:20 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-02-13 03:20:27 0 d-----w- c:\program files\NCH Software
2010-02-13 03:19:54 0 d-----w- c:\program files\NCH Swift Sound

==================== Find3M ====================

2010-03-08 04:04:37 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-08 04:04:37 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-08 04:03:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-24 08:55:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2008-09-30 15:18:26 270336 ------w- c:\program files\TemplateInstaller.dll
2008-09-30 01:27:00 34975232 ----a-w- c:\program files\Adobe Premiere Elements 7.0.msi
2008-09-30 01:27:00 136576 ----a-w- c:\program files\OEM.exe
2008-09-30 01:26:00 48640 ----a-w- c:\program files\1033.mst
2008-09-30 01:26:00 324992 ----a-w- c:\program files\setup.exe
2008-09-30 01:26:00 2240 ----a-w- c:\program files\Setup.ini
2008-09-30 01:26:00 116736 ----a-w- c:\program files\1036.mst
2008-09-30 01:26:00 116224 ----a-w- c:\program files\1031.mst
2008-09-30 01:26:00 110592 ----a-w- c:\program files\1041.mst
2008-09-30 01:25:00 586048625 ----a-w- c:\program files\Data1.cab
2008-09-29 19:20:00 822 ----a-w- c:\program files\ols_config.xml
2008-09-29 19:15:00 720630 ----a-w- c:\program files\Dictionary.xml
2008-09-29 19:13:00 810 ----a-w- c:\program files\Config.Xml
2008-09-29 19:13:00 685 ----a-w- c:\program files\Abcpy.ini
2007-06-11 16:37:00 23510720 ----a-w- c:\program files\dotnetfx20.exe
2006-05-17 05:44:00 340912 ----a-w- c:\program files\dotnetfx.exe
2006-05-16 06:32:00 7242 ----a-w- c:\program files\0x040c.ini
2006-05-16 06:32:00 7094 ----a-w- c:\program files\0x0407.ini
2006-05-16 06:32:00 6623 ----a-w- c:\program files\0x0411.ini
2006-05-16 06:32:00 6129 ----a-w- c:\program files\0x0409.ini
2006-05-16 06:28:00 2584848 ----a-w- c:\program files\WindowsInstaller-KB893803-x86.exe
2009-05-07 03:02:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050620090507\index.dat

============= FINISH: 20:51:57.72 ===============


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 19 March 2010 - 12:41 AM


Hello alonros. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, and this will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 alonros

alonros
  • Topic Starter

  • Members
  • 10 posts

Posted 19 March 2010 - 01:36 AM

Hi

Thanks very much for responding.

Before running combofix, I wanted to ask if I should disable my zonealarm firewall as well.

Thanks again
Alonros

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 19 March 2010 - 10:36 AM

Yes, you can do that too. Most of the time it will run without doing so but it would be better if you did.

#5 alonros

alonros
  • Topic Starter

  • Members
  • 10 posts

Posted 22 March 2010 - 03:20 AM

Hi

The warnings and popups about a trojan have stopped so perhaps AVG has cured this?

Below is the ComboFix log:


ComboFix 10-03-21.02 - Alon 03/22/2010 3:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.475 [GMT -5:00]
Running from: g:\my documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Local.dtd
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\Alon\Local Settings\Application Data\Windows Server
c:\documents and settings\Alon\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Alon\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\program files\\setup.exe
c:\program files\Adobe\10357232.old
c:\program files\Adobe\16100671.old
c:\program files\Adobe\1614321.old
c:\program files\Adobe\185156.old
c:\program files\Adobe\185987.old
c:\program files\Adobe\331446.old
c:\program files\Adobe\3397956.old
c:\program files\Adobe\374498.old
c:\program files\Adobe\383441.old
c:\program files\Adobe\44605859.old
c:\program files\Adobe\4576710.old
c:\program files\Adobe\55463061.old
c:\program files\Adobe\615244.old
c:\program files\Adobe\642223.old
c:\program files\Internet Explorer\js.mui
c:\windows\eSellerateEngine.dll
c:\windows\system32\certstore.dat
c:\windows\system32\ctfmon .exe
c:\windows\system32\driVERs\nfghibfp.sys
c:\windows\system32\rundll32 .exe
c:\windows\system32\sstray.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_nfghibfp
-------\Service_nfghibfp


((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-20 03:27 . 2010-03-20 03:27 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-20 03:27 . 2010-03-20 03:27 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-20 03:27 . 2010-03-20 03:27 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-20 03:26 . 2010-03-20 03:26 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-20 03:26 . 2010-03-20 03:26 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-20 03:26 . 2010-03-20 03:26 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-17 05:13 . 2010-03-17 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\moosoft
2010-03-17 03:12 . 2010-03-17 03:12 -------- d-----w- c:\documents and settings\Alon\Application Data\thecleaner
2010-03-17 03:12 . 2010-03-17 03:13 -------- d-----w- c:\program files\The Cleaner
2010-03-14 00:10 . 2010-03-14 00:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-14 00:09 . 2010-03-14 00:08 9040 ----a-w- c:\windows\system32\drivers\rdpdispm.sys
2010-03-14 00:09 . 2010-03-14 00:08 19408 ----a-w- c:\windows\system32\drivers\rdpvmp.sys
2010-03-14 00:09 . 2010-03-14 00:08 15696 ----a-w- c:\windows\system32\rdpvdd.dll
2010-03-14 00:09 . 2010-03-14 00:08 118736 ----a-w- c:\windows\system32\rdpdispd.dll
2010-03-14 00:09 . 2010-03-14 00:09 -------- d-----w- c:\program files\Live Mesh
2010-03-02 09:13 . 2010-03-18 18:55 -------- d-----w- c:\program files\QuickTime
2010-03-02 09:13 . 2010-03-02 09:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-02 09:13 . 2010-03-02 09:13 -------- d-----w- c:\program files\Common Files\Apple
2010-03-02 09:12 . 2010-03-02 09:13 -------- d-----w- c:\program files\Apple Software Update
2010-03-02 09:12 . 2010-03-02 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-02 09:12 . 2010-03-02 09:12 -------- d-----w- c:\documents and settings\Alon\Local Settings\Application Data\Apple
2010-02-27 08:05 . 2010-02-27 08:05 82 ----a-w- c:\documents and settings\Alon\Application Data\Pitney Bowes\PBShip\daztrace.bat
2010-02-25 06:51 . 2010-02-25 06:51 503808 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a9d8b3f-n\msvcp71.dll
2010-02-25 06:51 . 2010-02-25 06:51 499712 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a9d8b3f-n\jmc.dll
2010-02-25 06:51 . 2010-02-25 06:51 348160 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a9d8b3f-n\msvcr71.dll
2010-02-25 06:51 . 2010-02-25 06:51 61440 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f76f6d8-n\decora-sse.dll
2010-02-25 06:51 . 2010-02-25 06:51 12800 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f76f6d8-n\decora-d3d.dll
2010-02-24 08:58 . 2010-03-01 08:04 1 ----a-w- c:\documents and settings\Alon\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-24 08:58 . 2010-02-24 08:58 -------- d-----w- c:\documents and settings\Alon\Application Data\OpenOffice.org
2010-02-24 08:56 . 2010-02-24 08:56 -------- d-----w- c:\program files\JRE
2010-02-24 08:55 . 2010-02-24 08:56 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-24 08:55 . 2010-02-24 08:55 -------- d-----w- c:\program files\Common Files\Java
2010-02-24 08:55 . 2010-02-24 08:55 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 08:22 . 2008-11-20 05:03 -------- d-----w- c:\documents and settings\Alon\Application Data\Skype
2010-03-22 05:08 . 2008-11-20 05:04 -------- d-----w- c:\documents and settings\Alon\Application Data\skypePM
2010-03-22 04:41 . 2009-07-02 05:21 0 ----a-w- c:\documents and settings\Alon\Local Settings\Application Data\prvlcl.dat
2010-03-21 20:53 . 2008-12-12 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-20 03:26 . 2009-12-17 12:10 -------- d-----w- c:\program files\Common Files\Real
2010-03-20 03:26 . 2009-11-07 05:50 -------- d-----w- c:\program files\Real
2010-03-19 02:27 . 2010-03-19 02:29 3024384 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-03-19 02:27 . 2010-03-19 02:29 2509312 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-03-19 02:20 . 2010-03-08 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-17 03:12 . 2008-11-19 07:35 71472 ----a-w- c:\documents and settings\Alon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 00:52 . 2010-03-08 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-13 20:32 . 2010-03-08 03:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 10:40 . 2010-03-13 10:40 4 ----a-w- c:\program files\28633042.dat
2010-03-11 17:52 . 2009-06-22 05:55 17579368 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-08 04:04 . 2009-06-05 07:54 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-08 04:04 . 2009-06-05 07:54 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-08 04:04 . 2009-06-05 07:54 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-08 04:03 . 2009-06-05 07:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-08 04:03 . 2009-06-05 07:54 -------- d-----w- c:\program files\AVG
2010-03-08 03:01 . 2009-06-05 08:08 -------- d-----w- c:\program files\Lavasoft
2010-03-08 03:01 . 2009-06-05 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-24 08:55 . 2009-03-19 04:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-17 07:29 . 2010-02-17 07:32 2354688 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-02-16 07:18 . 2010-02-16 06:55 103535 ----a-w- c:\windows\hpoins04.dat
2010-02-16 07:18 . 2010-02-16 07:18 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-02-16 07:16 . 2010-02-16 07:16 -------- d-----w- c:\program files\HP
2010-02-16 07:08 . 2010-02-13 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 07:08 . 2010-02-13 03:19 -------- d-----w- c:\program files\NCH Swift Sound
2010-02-13 03:20 . 2010-02-13 03:20 -------- d-----w- c:\program files\NCH Software
2010-02-13 03:19 . 2010-02-13 03:19 -------- d-----w- c:\documents and settings\Alon\Application Data\NCH Swift Sound
2010-02-08 04:46 . 2008-12-12 08:36 -------- d-----w- c:\program files\Google
2010-02-01 16:43 . 2010-02-01 16:43 135243 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2010_02_01_11_38_16_small.dmp.zip
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 02:39 . 2009-12-31 02:39 6327254 ----a-w- c:\documents and settings\Alon\Application Data\Endicia\DAZzle\setup.exe
2009-12-30 09:16 . 2009-12-30 09:37 2214912 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-12-27 05:36 . 2009-12-27 06:30 2204672 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-12-27 01:39 . 2009-12-27 01:41 2204160 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2008-09-30 15:18 . 2009-06-17 07:13 270336 ------w- c:\program files\TemplateInstaller.dll
2008-09-30 01:27 . 2009-06-17 07:13 136576 ----a-w- c:\program files\OEM.exe
2008-09-30 01:27 . 2009-06-17 07:12 34975232 ----a-w- c:\program files\Adobe Premiere Elements 7.0.msi
2008-09-30 01:26 . 2009-06-17 07:12 48640 ----a-w- c:\program files\1033.mst
2008-09-30 01:26 . 2009-06-17 07:12 2240 ----a-w- c:\program files\Setup.ini
2008-09-30 01:26 . 2009-06-17 07:12 116736 ----a-w- c:\program files\1036.mst
2008-09-30 01:26 . 2009-06-17 07:12 116224 ----a-w- c:\program files\1031.mst
2008-09-30 01:26 . 2009-06-17 07:12 110592 ----a-w- c:\program files\1041.mst
2008-09-30 01:25 . 2009-06-17 07:11 586048625 ----a-w- c:\program files\Data1.cab
2008-09-29 19:20 . 2009-06-17 07:12 822 ----a-w- c:\program files\ols_config.xml
2008-09-29 19:15 . 2009-06-17 07:12 720630 ----a-w- c:\program files\Dictionary.xml
2008-09-29 19:13 . 2009-06-17 07:12 685 ----a-w- c:\program files\Abcpy.ini
2008-09-29 19:13 . 2009-06-17 07:12 810 ----a-w- c:\program files\Config.Xml
2007-06-11 16:37 . 2009-06-17 07:13 23510720 ----a-w- c:\program files\dotnetfx20.exe
2006-05-17 05:44 . 2009-06-17 07:13 340912 ----a-w- c:\program files\dotnetfx.exe
2006-05-16 06:32 . 2009-06-17 07:12 7242 ----a-w- c:\program files\0x040c.ini
2006-05-16 06:32 . 2009-06-17 07:12 7094 ----a-w- c:\program files\0x0407.ini
2006-05-16 06:32 . 2009-06-17 07:12 6623 ----a-w- c:\program files\0x0411.ini
2006-05-16 06:32 . 2009-06-17 07:12 6129 ----a-w- c:\program files\0x0409.ini
2006-05-16 06:28 . 2009-06-17 07:13 2584848 ----a-w- c:\program files\WindowsInstaller-KB893803-x86.exe
.
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"Google Update"="c:\documents and settings\Alon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [N/A]
"MoeMonitor.exe"="c:\documents and settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2010-03-14 1315152]
"tcactive"="c:\program files\The Cleaner\tcap.exe" [2010-03-16 2810368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-01 122880]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-20 202256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-9-21 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-22 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-08 04:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2010-03-14 00:06 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Alon^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Alon\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2009-07-25 07:33 2968512 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
c:\program files\DNA\btdna.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2009-12-01 23:32 122880 ----a-w- c:\program files\Google\Quick Search Box\googlequicksearchbox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 20:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2003-07-13 08:49 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
sstray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Alon\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/12/2004 2:01 PM 97408]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/5/2009 2:54 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/5/2009 2:54 AM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/7/2010 11:03 PM 308064]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [3/13/2010 7:09 PM 44880]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [3/13/2010 7:09 PM 9040]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [3/13/2010 7:09 PM 19408]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [12/17/2009 6:56 AM 23096]
S2 gupdate1c95c34c9732810;Google Update Service (gupdate1c95c34c9732810);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 3:36 AM 133104]
S2 moohelp;The Cleaner 2011 Helper Service;c:\program files\The Cleaner\mhelper.exe [3/16/2010 10:12 PM 813056]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [12/17/2009 6:56 AM 249856]
S3 STSService;STSService;c:\program files\SoundTaxi Media Suite\STSService.exe [10/30/2009 3:53 AM 335872]
S3 tdisnap;tdisnap;\??\c:\windows\system32\tdisnap.sys --> c:\windows\system32\tdisnap.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-22 c:\windows\Tasks\goldenShakeIcon.job
- c:\program files\NCH Swift Sound\Golden\golden.exe [2010-02-13 03:19]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 09:18]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 09:18]

2009-10-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-03-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1715567821-1202660629-1343024091-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-03-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1715567821-1202660629-1343024091-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-03-22 c:\windows\Tasks\User_Feed_Synchronization-{7A8BEA52-44B9-4F52-AD9A-C607CAEBEA58}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

2009-04-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
FF - ProfilePath - c:\documents and settings\Alon\Application Data\Mozilla\Firefox\Profiles\m9joj11s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Alon\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - c:\program files\Family Toolbar\tbhelper.dll
BHO-{0C37B053-FD68-456a-82E1-D788EE342E6F} - c:\program files\Family Toolbar\tbcore3.dll
BHO-{ac5c9d61-4e55-4261-a6dd-368d89ae92e4} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\Family Toolbar\tbcore3.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\Family Toolbar\tbcore3.dll
AddRemove-Adobe Digital Editions - c:\documents and settings\alon\application data\macromedia\flash player\www.macromedia.com\bin\digitaleditions1x5\digitaleditions1x5.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 04:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,16,6f,9b,b3,31,cd,4b,a3,0f,81,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,16,6f,9b,b3,31,cd,4b,a3,0f,81,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3408)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\documents and settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\Bin\WLCShell.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\documents and settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\MoeHostPS.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\documents and settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe
.
**************************************************************************
.
Completion time: 2010-03-22 04:09:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-22 09:09

Pre-Run: 22,954,414,080 bytes free
Post-Run: 22,828,105,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=2 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 98B34A131C92206683B6B562BB1E954D


Thanks so much for your help

Hope there is no major trouble

#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 22 March 2010 - 10:39 AM

You're welcome.

We still have some work to do although ComboFix found quite a few things and removed them. I need for you to try and upload the following file so I can have it checked and then we will go from there.


  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/index.php?showtopic=302657&view=findpost&p=1683174
  • Click Browse and select the c:\windows\system32\tdisnap.sys
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.


If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#7 alonros

  • Topic Starter
  • Members
  • 10 posts

Posted 24 March 2010 - 02:47 AM

HI

I followed instructions but couldn't find the file tdisnap.sys in c:\windows\system32
Google desktop found it in:

My Documents\security\combofix.txt
C:\ComboFix.txt
C:\Program Files\The Cleaner\quarantine.zip
My Documents\security\trojan1.txt
My Documents\security\DDS.txt

But I think that in these locations the file name must be listed but it is not the actual file itself.

I used both google desktop and the windows file search function to look for it.
What should I do now?

Thanks
Alonros


#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 24 March 2010 - 11:53 AM

Let's see if this will help:

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.


After doing this see if you can locate the file and then do the following to change back what we did:



Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.


#9 alonros

  • Topic Starter
  • Members
  • 10 posts

Posted 26 March 2010 - 04:24 AM

Hi

Did as told but file still doesn't show up (only in the same places as before). Here is the list that I get from google desktop when searching for it, perhaps I am missing something:

combofix.txt
files\SoundTaxi Media Suite\STSService.exe [10/30/2009 3:53 AM 335872] S3 tdisnap;tdisnap;c:windows\system32\tdisnap.sys -c:windows\system32\tdisnap.sys [Contents of the 'Scheduled
Preview My Documents\security\combofix.txt - Open folder - 1 cached - Mar 22

ComboFix.txt
files\SoundTaxi Media Suite\STSService.exe [10/30/2009 3:53 AM 335872] S3 tdisnap;tdisnap;c:windows\system32\tdisnap.sys -c:windows\system32\tdisnap.sys [Contents of the 'Scheduled
Preview C:\ComboFix.txt - Open folder - 1 cached - Mar 22

quarantine.zip
Temporary Internet Files/Content.IE5/VDJVBI5S/navcancl[2] C:WINDOWS/system32/tdisnap.sys C:WINDOWS/system32/config/systemprofile/Local Settings/Temporary Internet Files/Content
Preview C:\Program Files\The Cleaner\quarantine.zip - Open folder - 1 cached - Mar 17

trojan1.txt
Content.IE5\VDJVBI5S\navcancl[2] Trojan.Win32.Vundo.h C:WINDOWS\system32\tdisnap.sys: Rootkit.Win32.Agent.hge C:WINDOWS\system32\config\systemprofile\Local Settings
Preview My Documents\security\trojan1.txt - Open folder - 1 cached - Mar 17

DDS.txt
STSService;c:program files\soundtaxi media suite\STSService.exe [2009-10-30 335872] S3 tdisnap;tdisnap;c:windows\system32\tdisnap.sys [2004-8-4 2304] Created Last 30 =2010
Preview My Documents\security\DDS.txt - Open folder - 1 cached - Mar 13

Thanks
Alonros

#10 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 26 March 2010 - 10:53 AM

That's alright, I have enough info on it; I believe we can go ahead.


Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\tdisnap.sys
RenV::
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\QuickTime\qttask.exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
Driver::
tdisnap


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

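The triage logic behind the CFScript in the post above, written out as an added example (not code from the thread, from BleepingComputer, or from ComboFix): it parses the log's R*/S* service lines and the executables with whitespace before the extension, and emits File::/RenV::/Driver:: sections of the same shape the helper used. The regexes, the rule that a trailing "[?]" marks an image ComboFix could not verify, and the sample lines are assumptions drawn from the log lines in this thread, not ComboFix documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Service/driver lines in a ComboFix log look like (shape taken from the log above):
#   R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/5/2009 2:54 AM 216200]
#   S3 tdisnap;tdisnap;\??\c:\windows\system32\tdisnap.sys --> c:\windows\system32\tdisnap.sys [?]
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')

# Executables whose name carries whitespace before the extension, e.g. "qttask .exe".
SPACED_EXT_RE = re.compile(r'\s+\.(exe|dll|sys|scr|com)$', re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str          # R = running, S = stopped; the digit is the start type
    name: str           # service key name, e.g. "tdisnap"
    image_path: str     # resolved on-disk path of the driver/service binary
    unverified: bool    # True when the log printed "[?]" instead of a date/size (assumed meaning)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for an R*/S* service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest').strip()
    unverified = rest.endswith('[?]')
    if '-->' in rest:                       # "\??\path --> path" form: keep the resolved path
        rest = rest.split('-->', 1)[1]
    image_path = rest.split(' [', 1)[0].strip()
    return ServiceEntry(m.group('state'), m.group('name'), image_path, unverified)


def normalise_spaced_name(path: str) -> str:
    """Collapse the padding the forum adds to 'name      .exe' into the single space the log uses."""
    return SPACED_EXT_RE.sub(lambda m: ' .' + m.group(1), path.strip())


def build_cfscript(log_lines: List[str]) -> str:
    """Produce File::/RenV::/Driver:: sections from suspicious log entries.

    Rules mirror what the helper did in this thread (assumption, not ComboFix documentation):
      * a service whose image could not be verified ("[?]") -> File:: its path, Driver:: its name
      * an executable with whitespace before its extension  -> RenV:: its normalised path
    """
    files, drivers, renames = [], [], []
    for raw in log_lines:
        line = raw.strip()
        svc = parse_service_line(line)
        if svc is not None:
            if svc.unverified:
                files.append(svc.image_path)
                drivers.append(svc.name)
            continue
        if SPACED_EXT_RE.search(line):
            renames.append(normalise_spaced_name(line))
    sections = []
    if files:
        sections.append('File::\n' + '\n'.join(files))
    if renames:
        sections.append('RenV::\n' + '\n'.join(renames))
    if drivers:
        sections.append('Driver::\n' + '\n'.join(drivers))
    return '\n'.join(sections) + ('\n' if sections else '')


# Constructed sample: a few lines in the shape of the log posted above.
SAMPLE_LOG = r"""
c:\program files\QuickTime\qttask            .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/12/2004 2:01 PM 97408]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/5/2009 2:54 AM 216200]
S3 tdisnap;tdisnap;\??\c:\windows\system32\tdisnap.sys --> c:\windows\system32\tdisnap.sys [?]
""".strip().splitlines()

if __name__ == '__main__':
    print(build_cfscript(SAMPLE_LOG), end='')
```

Run against the sample it prints a File:: entry and Driver:: entry for tdisnap and RenV:: entries for the two padded names; the well-formed AVG and SATA driver lines are left alone.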

#11 alonros

  • Topic Starter
  • Members
  • 10 posts

Posted 27 March 2010 - 02:22 AM

Hi
Below is the C:\ComboFix.txt log as requested:


ComboFix 10-03-26.02 - Alon 03/27/2010 2:55.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.456 [GMT -5:00]
Running from: g:\my documents\Downloads\ComboFix.exe
Command switches used :: g:\my documents\Downloads\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDISNAP
-------\Service_tdisnap


((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-20 03:27 . 2010-03-20 03:27 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-20 03:27 . 2010-03-20 03:27 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-20 03:27 . 2010-03-20 03:27 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-20 03:26 . 2010-03-20 03:26 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-20 03:26 . 2010-03-20 03:26 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-20 03:26 . 2010-03-20 03:26 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-17 05:13 . 2010-03-17 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\moosoft
2010-03-17 03:12 . 2010-03-17 03:12 -------- d-----w- c:\documents and settings\Alon\Application Data\thecleaner
2010-03-17 03:12 . 2010-03-17 03:13 -------- d-----w- c:\program files\The Cleaner
2010-03-14 00:10 . 2010-03-14 00:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-14 00:09 . 2010-03-14 00:08 9040 ----a-w- c:\windows\system32\drivers\rdpdispm.sys
2010-03-14 00:09 . 2010-03-14 00:08 19408 ----a-w- c:\windows\system32\drivers\rdpvmp.sys
2010-03-14 00:09 . 2010-03-14 00:08 15696 ----a-w- c:\windows\system32\rdpvdd.dll
2010-03-14 00:09 . 2010-03-14 00:08 118736 ----a-w- c:\windows\system32\rdpdispd.dll
2010-03-14 00:09 . 2010-03-14 00:09 -------- d-----w- c:\program files\Live Mesh
2010-03-02 09:13 . 2010-03-18 18:55 -------- d-----w- c:\program files\QuickTime
2010-03-02 09:13 . 2010-03-02 09:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-02 09:13 . 2010-03-02 09:13 -------- d-----w- c:\program files\Common Files\Apple
2010-03-02 09:12 . 2010-03-02 09:13 -------- d-----w- c:\program files\Apple Software Update
2010-03-02 09:12 . 2010-03-02 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-02 09:12 . 2010-03-02 09:12 -------- d-----w- c:\documents and settings\Alon\Local Settings\Application Data\Apple
2010-02-27 08:05 . 2010-02-27 08:05 82 ----a-w- c:\documents and settings\Alon\Application Data\Pitney Bowes\PBShip\daztrace.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 08:09 . 2010-03-08 03:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-27 07:52 . 2008-11-20 05:03 -------- d-----w- c:\documents and settings\Alon\Application Data\Skype
2010-03-27 05:49 . 2008-12-12 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-27 05:03 . 2008-11-20 05:04 -------- d-----w- c:\documents and settings\Alon\Application Data\skypePM
2010-03-26 10:27 . 2008-11-19 07:59 -------- d-----w- c:\program files\CCleaner
2010-03-26 02:41 . 2009-07-02 05:21 0 ----a-w- c:\documents and settings\Alon\Local Settings\Application Data\prvlcl.dat
2010-03-23 16:25 . 2010-03-23 16:27 878080 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-03-22 18:44 . 2008-12-12 08:36 -------- d-----w- c:\program files\Google
2010-03-20 03:26 . 2009-12-17 12:10 -------- d-----w- c:\program files\Common Files\Real
2010-03-20 03:26 . 2009-11-07 05:50 -------- d-----w- c:\program files\Real
2010-03-19 02:27 . 2010-03-19 02:29 3024384 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-03-19 02:27 . 2010-03-19 02:29 2509312 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-03-19 02:20 . 2010-03-08 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-17 03:12 . 2008-11-19 07:35 71472 ----a-w- c:\documents and settings\Alon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 00:52 . 2010-03-08 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-13 10:40 . 2010-03-13 10:40 4 ----a-w- c:\program files\28633042.dat
2010-03-11 17:52 . 2009-06-22 05:55 17579368 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-08 04:04 . 2009-06-05 07:54 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-08 04:04 . 2009-06-05 07:54 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-08 04:04 . 2009-06-05 07:54 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-08 04:03 . 2009-06-05 07:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-08 04:03 . 2009-06-05 07:54 -------- d-----w- c:\program files\AVG
2010-03-08 03:01 . 2009-06-05 08:08 -------- d-----w- c:\program files\Lavasoft
2010-03-08 03:01 . 2009-06-05 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-01 08:04 . 2010-02-24 08:58 1 ----a-w- c:\documents and settings\Alon\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-25 06:51 . 2010-02-25 06:51 503808 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a9d8b3f-n\msvcp71.dll
2010-02-25 06:51 . 2010-02-25 06:51 499712 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a9d8b3f-n\jmc.dll
2010-02-25 06:51 . 2010-02-25 06:51 348160 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a9d8b3f-n\msvcr71.dll
2010-02-25 06:51 . 2010-02-25 06:51 61440 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f76f6d8-n\decora-sse.dll
2010-02-25 06:51 . 2010-02-25 06:51 12800 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f76f6d8-n\decora-d3d.dll
2010-02-24 08:58 . 2010-02-24 08:58 -------- d-----w- c:\documents and settings\Alon\Application Data\OpenOffice.org
2010-02-24 08:56 . 2010-02-24 08:56 -------- d-----w- c:\program files\JRE
2010-02-24 08:56 . 2010-02-24 08:55 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-24 08:55 . 2010-02-24 08:55 -------- d-----w- c:\program files\Common Files\Java
2010-02-24 08:55 . 2009-03-19 04:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 08:55 . 2010-02-24 08:55 -------- d-----w- c:\program files\Java
2010-02-17 07:29 . 2010-02-17 07:32 2354688 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-02-16 07:18 . 2010-02-16 06:55 103535 ----a-w- c:\windows\hpoins04.dat
2010-02-16 07:18 . 2010-02-16 07:18 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-02-16 07:16 . 2010-02-16 07:16 -------- d-----w- c:\program files\HP
2010-02-16 07:08 . 2010-02-13 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 07:08 . 2010-02-13 03:19 -------- d-----w- c:\program files\NCH Swift Sound
2010-02-13 03:20 . 2010-02-13 03:20 -------- d-----w- c:\program files\NCH Software
2010-02-13 03:19 . 2010-02-13 03:19 -------- d-----w- c:\documents and settings\Alon\Application Data\NCH Swift Sound
2010-02-01 16:43 . 2010-02-01 16:43 135243 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2010_02_01_11_38_16_small.dmp.zip
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 02:39 . 2009-12-31 02:39 6327254 ----a-w- c:\documents and settings\Alon\Application Data\Endicia\DAZzle\setup.exe
2009-12-30 09:16 . 2009-12-30 09:37 2214912 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2008-09-30 15:18 . 2009-06-17 07:13 270336 ------w- c:\program files\TemplateInstaller.dll
2008-09-30 01:27 . 2009-06-17 07:13 136576 ----a-w- c:\program files\OEM.exe
2008-09-30 01:27 . 2009-06-17 07:12 34975232 ----a-w- c:\program files\Adobe Premiere Elements 7.0.msi
2008-09-30 01:26 . 2009-06-17 07:12 48640 ----a-w- c:\program files\1033.mst
2008-09-30 01:26 . 2009-06-17 07:12 2240 ----a-w- c:\program files\Setup.ini
2008-09-30 01:26 . 2009-06-17 07:12 116736 ----a-w- c:\program files\1036.mst
2008-09-30 01:26 . 2009-06-17 07:12 116224 ----a-w- c:\program files\1031.mst
2008-09-30 01:26 . 2009-06-17 07:12 110592 ----a-w- c:\program files\1041.mst
2008-09-30 01:25 . 2009-06-17 07:11 586048625 ----a-w- c:\program files\Data1.cab
2008-09-29 19:20 . 2009-06-17 07:12 822 ----a-w- c:\program files\ols_config.xml
2008-09-29 19:15 . 2009-06-17 07:12 720630 ----a-w- c:\program files\Dictionary.xml
2008-09-29 19:13 . 2009-06-17 07:12 685 ----a-w- c:\program files\Abcpy.ini
2008-09-29 19:13 . 2009-06-17 07:12 810 ----a-w- c:\program files\Config.Xml
2007-06-11 16:37 . 2009-06-17 07:13 23510720 ----a-w- c:\program files\dotnetfx20.exe
2006-05-17 05:44 . 2009-06-17 07:13 340912 ----a-w- c:\program files\dotnetfx.exe
2006-05-16 06:32 . 2009-06-17 07:12 7242 ----a-w- c:\program files\0x040c.ini
2006-05-16 06:32 . 2009-06-17 07:12 7094 ----a-w- c:\program files\0x0407.ini
2006-05-16 06:32 . 2009-06-17 07:12 6623 ----a-w- c:\program files\0x0411.ini
2006-05-16 06:32 . 2009-06-17 07:12 6129 ----a-w- c:\program files\0x0409.ini
2006-05-16 06:28 . 2009-06-17 07:13 2584848 ----a-w- c:\program files\WindowsInstaller-KB893803-x86.exe
2010-03-22 18:44 . 2010-03-22 18:44 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
CODE
c:\program files\QuickTime\qttask            .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-12 39408]
"Google Update"="c:\documents and settings\Alon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MoeMonitor.exe"="c:\documents and settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2010-03-14 1315152]
"tcactive"="c:\program files\The Cleaner\tcap.exe" [2010-03-16 2810368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-01 122880]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-20 202256]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-03-22 30192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-9-21 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-22 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-08 04:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2010-03-14 00:06 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Alon^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Alon\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2009-07-25 07:33 2968512 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
c:\program files\DNA\btdna.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-03-22 18:44 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2009-12-01 23:32 122880 ----a-w- c:\program files\Google\Quick Search Box\googlequicksearchbox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 20:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2003-07-13 08:49 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
sstray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-12 08:36 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Alon\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/12/2004 2:01 PM 97408]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/5/2009 2:54 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/5/2009 2:54 AM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/7/2010 11:03 PM 308064]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [3/13/2010 7:09 PM 44880]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [3/13/2010 7:09 PM 9040]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [3/13/2010 7:09 PM 19408]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [12/17/2009 6:56 AM 23096]
S2 gupdate1c95c34c9732810;Google Update Service (gupdate1c95c34c9732810);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 3:36 AM 133104]
S2 moohelp;The Cleaner 2011 Helper Service;c:\program files\The Cleaner\mhelper.exe [3/16/2010 10:12 PM 813056]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/22/2010 1:44 PM 30192]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [12/17/2009 6:56 AM 249856]
S3 STSService;STSService;c:\program files\SoundTaxi Media Suite\STSService.exe [10/30/2009 3:53 AM 335872]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-22 c:\windows\Tasks\goldenShakeIcon.job
- c:\program files\NCH Swift Sound\Golden\golden.exe [2010-02-13 03:19]

2010-03-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-12 01:15]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 09:18]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 09:18]

2010-03-27 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-03-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1715567821-1202660629-1343024091-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-03-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1715567821-1202660629-1343024091-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-03-26 c:\windows\Tasks\User_Feed_Synchronization-{7A8BEA52-44B9-4F52-AD9A-C607CAEBEA58}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

2010-03-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
FF - ProfilePath - c:\documents and settings\Alon\Application Data\Mozilla\Firefox\Profiles\m9joj11s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C37B053-FD68-456a-82E1-D788EE342E6F} - (no file)
BHO-{ac5c9d61-4e55-4261-a6dd-368d89ae92e4} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 03:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,16,6f,9b,b3,31,cd,4b,a3,0f,81,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,16,6f,9b,b3,31,cd,4b,a3,0f,81,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3480)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\documents and settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\Bin\WLCShell.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-03-27 03:15:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 08:15
ComboFix2.txt 2010-03-22 09:09

Pre-Run: 23,361,765,376 bytes free
Post-Run: 23,318,487,040 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 7CC1D23BD77DE381B090B1C9F9CE9403


Thanks very much
Alonros

#12 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
Posted 27 March 2010 - 09:44 AM

You're welcome.

We are going to have to run a script one more time. One of the files still needs to be taken care of.



Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\QuickTime\qttask            .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
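
The Run entry singled out in this thread, the [X] marker printed next to it and the whitespace-padded "qttask            .exe" name that the RenV:: line targets can all be picked out of a ComboFix log mechanically. The script below is an added example written for this page; it is not part of the thread, of ComboFix or of any tool the helper used. The log block it parses is constructed from entries in the logs above rather than being the full log, its reading of [X] and [N/A] as "image not resolved" is an inference from the log's own format (resolved entries carry a date and size in the brackets), and the helper that emits a RenV:: section reproduces only the directive used in the post above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of ComboFix's "Reg Loading Points" block,
# modelled on entries from the logs in this thread (the qttask name is padded
# with spaces before ".exe", as the log's CODE block shows). Not the full log.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-12 39408]
"Google Update"="c:\documents and settings\Alon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask            .exe -atboottime" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
'''

KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>.*)" \[(?P<status>[^\]]*)\]$')
# Image path ends at the first recognised extension; anything after it is
# treated as arguments. (A directory name containing ".com" would cut early.)
IMAGE_RE = re.compile(
    r'^(?P<image>.*?\.(?:exe|dll|cpl|scr|bat|cmd|com))(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)


def parse_run_entries(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Walk the Reg Loading Points block and return one record per value."""
    entries: List[Dict[str, Optional[str]]] = []
    current_key: Optional[str] = None
    for line in log_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        entry_match = ENTRY_RE.match(line)
        if not entry_match or current_key is None:
            continue
        value = entry_match.group("value")
        image_match = IMAGE_RE.match(value)
        entries.append({
            "key": current_key,
            "name": entry_match.group("name"),
            "image": image_match.group("image") if image_match else value,
            "args": image_match.group("args") if image_match else None,
            "status": entry_match.group("status"),
        })
    return entries


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


def whitespace_padded(image: str) -> bool:
    """True when the file name carries whitespace a real name would not:
    spaces directly before the extension, or a run of two or more spaces."""
    name = basename(image)
    return bool(re.search(r'\s+\.[A-Za-z0-9]+$', name) or re.search(r'\s{2,}', name))


def collapsed_name(image: str) -> str:
    """The legitimate name the padded file imitates, e.g. 'qttask.exe'."""
    return re.sub(r'\s+', '', basename(image)).lower()


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the Run entries worth a second look, each with its reasons."""
    findings: List[Dict[str, object]] = []
    for entry in parse_run_entries(log_text):
        reasons: List[str] = []
        status = entry["status"]
        # Resolved images carry "[date size]"; [N/A] and [X] did not resolve
        # (an inference from the log format, not ComboFix documentation).
        if status in ("X", "N/A"):
            reasons.append(f"image not resolved by ComboFix ([{status}])")
        if whitespace_padded(str(entry["image"])):
            reasons.append(
                f"whitespace-padded file name imitating {collapsed_name(str(entry['image']))}")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def cfscript_renv(findings: List[Dict[str, object]]) -> str:
    """Build a RenV:: section (the directive used in the post above) listing
    the padded image paths, one per line, without their arguments."""
    paths = [str(f["image"]) for f in findings
             if any(str(r).startswith("whitespace-padded") for r in f["reasons"])]  # type: ignore[union-attr]
    if not paths:
        return ""
    return "RenV::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["name"]!r} -> {hit["image"]!r}')
        for reason in hit["reasons"]:  # type: ignore[union-attr]
            print("   ", reason)
    print(cfscript_renv(hits))
```

The padding check is deliberately narrow: a single interior space ("My Program.exe") is normal on Windows, whereas spaces immediately before the extension or runs of spaces inside the name are not, and that is exactly how the renamed QuickTime file was made to pass a glance at the Run key.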

#13 alonros
  • Topic Starter

  • Members
  • 10 posts

Posted 28 March 2010 - 04:46 AM

Here is the log requested:
Thanks
Alonros

Is there more work to do?

ComboFix 10-03-27.03 - Alon 03/28/2010 5:32.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.392 [GMT -5:00]
Running from: g:\my documents\Downloads\ComboFix.exe
Command switches used :: g:\my documents\Downloads\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-20 03:27 . 2010-03-20 03:27 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-20 03:27 . 2010-03-20 03:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-20 03:27 . 2010-03-20 03:27 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-20 03:27 . 2010-03-20 03:27 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-20 03:26 . 2010-03-20 03:26 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-20 03:26 . 2010-03-20 03:26 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-20 03:26 . 2010-03-20 03:26 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-17 05:13 . 2010-03-17 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\moosoft
2010-03-17 03:12 . 2010-03-17 03:12 -------- d-----w- c:\documents and settings\Alon\Application Data\thecleaner
2010-03-17 03:12 . 2010-03-17 03:13 -------- d-----w- c:\program files\The Cleaner
2010-03-14 00:10 . 2010-03-14 00:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-14 00:09 . 2010-03-14 00:08 9040 ----a-w- c:\windows\system32\drivers\rdpdispm.sys
2010-03-14 00:09 . 2010-03-14 00:08 19408 ----a-w- c:\windows\system32\drivers\rdpvmp.sys
2010-03-14 00:09 . 2010-03-14 00:08 15696 ----a-w- c:\windows\system32\rdpvdd.dll
2010-03-14 00:09 . 2010-03-14 00:08 118736 ----a-w- c:\windows\system32\rdpdispd.dll
2010-03-14 00:09 . 2010-03-14 00:09 -------- d-----w- c:\program files\Live Mesh
2010-03-02 09:13 . 2010-03-28 10:32 -------- d-----w- c:\program files\QuickTime
2010-03-02 09:13 . 2010-03-02 09:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-02 09:13 . 2010-03-02 09:13 -------- d-----w- c:\program files\Common Files\Apple
2010-03-02 09:12 . 2010-03-02 09:13 -------- d-----w- c:\program files\Apple Software Update
2010-03-02 09:12 . 2010-03-02 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-02 09:12 . 2010-03-02 09:12 -------- d-----w- c:\documents and settings\Alon\Local Settings\Application Data\Apple
2010-02-27 08:05 . 2010-02-27 08:05 82 ----a-w- c:\documents and settings\Alon\Application Data\Pitney Bowes\PBShip\daztrace.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 10:09 . 2008-11-20 05:03 -------- d-----w- c:\documents and settings\Alon\Application Data\Skype
2010-03-28 07:09 . 2008-11-20 05:04 -------- d-----w- c:\documents and settings\Alon\Application Data\skypePM
2010-03-28 06:50 . 2008-12-12 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-27 22:41 . 2009-07-02 05:21 0 ----a-w- c:\documents and settings\Alon\Local Settings\Application Data\prvlcl.dat
2010-03-27 08:09 . 2010-03-08 03:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-26 10:27 . 2008-11-19 07:59 -------- d-----w- c:\program files\CCleaner
2010-03-23 16:25 . 2010-03-23 16:27 878080 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-03-22 18:44 . 2008-12-12 08:36 -------- d-----w- c:\program files\Google
2010-03-20 03:26 . 2009-12-17 12:10 -------- d-----w- c:\program files\Common Files\Real
2010-03-20 03:26 . 2009-11-07 05:50 -------- d-----w- c:\program files\Real
2010-03-19 02:27 . 2010-03-19 02:29 3024384 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-03-19 02:27 . 2010-03-19 02:29 2509312 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-03-19 02:20 . 2010-03-08 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-17 03:12 . 2008-11-19 07:35 71472 ----a-w- c:\documents and settings\Alon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 00:52 . 2010-03-08 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-13 10:40 . 2010-03-13 10:40 4 ----a-w- c:\program files\28633042.dat
2010-03-11 17:52 . 2009-06-22 05:55 17579368 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-08 04:04 . 2009-06-05 07:54 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-08 04:04 . 2009-06-05 07:54 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-08 04:04 . 2009-06-05 07:54 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-08 04:03 . 2009-06-05 07:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-08 04:03 . 2009-06-05 07:54 -------- d-----w- c:\program files\AVG
2010-03-08 03:01 . 2009-06-05 08:08 -------- d-----w- c:\program files\Lavasoft
2010-03-08 03:01 . 2009-06-05 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-01 08:04 . 2010-02-24 08:58 1 ----a-w- c:\documents and settings\Alon\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-25 06:51 . 2010-02-25 06:51 503808 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a9d8b3f-n\msvcp71.dll
2010-02-25 06:51 . 2010-02-25 06:51 499712 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a9d8b3f-n\jmc.dll
2010-02-25 06:51 . 2010-02-25 06:51 348160 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a9d8b3f-n\msvcr71.dll
2010-02-25 06:51 . 2010-02-25 06:51 61440 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f76f6d8-n\decora-sse.dll
2010-02-25 06:51 . 2010-02-25 06:51 12800 ----a-w- c:\documents and settings\Alon\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f76f6d8-n\decora-d3d.dll
2010-02-24 08:58 . 2010-02-24 08:58 -------- d-----w- c:\documents and settings\Alon\Application Data\OpenOffice.org
2010-02-24 08:56 . 2010-02-24 08:56 -------- d-----w- c:\program files\JRE
2010-02-24 08:56 . 2010-02-24 08:55 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-24 08:55 . 2010-02-24 08:55 -------- d-----w- c:\program files\Common Files\Java
2010-02-24 08:55 . 2009-03-19 04:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 08:55 . 2010-02-24 08:55 -------- d-----w- c:\program files\Java
2010-02-17 07:29 . 2010-02-17 07:32 2354688 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-02-16 07:18 . 2010-02-16 06:55 103535 ----a-w- c:\windows\hpoins04.dat
2010-02-16 07:18 . 2010-02-16 07:18 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-02-16 07:16 . 2010-02-16 07:16 -------- d-----w- c:\program files\HP
2010-02-16 07:08 . 2010-02-13 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-16 07:08 . 2010-02-13 03:19 -------- d-----w- c:\program files\NCH Swift Sound
2010-02-13 03:20 . 2010-02-13 03:20 -------- d-----w- c:\program files\NCH Software
2010-02-13 03:19 . 2010-02-13 03:19 -------- d-----w- c:\documents and settings\Alon\Application Data\NCH Swift Sound
2010-02-01 16:43 . 2010-02-01 16:43 135243 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2010_02_01_11_38_16_small.dmp.zip
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 02:39 . 2009-12-31 02:39 6327254 ----a-w- c:\documents and settings\Alon\Application Data\Endicia\DAZzle\setup.exe
2009-12-30 09:16 . 2009-12-30 09:37 2214912 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2008-09-30 15:18 . 2009-06-17 07:13 270336 ------w- c:\program files\TemplateInstaller.dll
2008-09-30 01:27 . 2009-06-17 07:13 136576 ----a-w- c:\program files\OEM.exe
2008-09-30 01:27 . 2009-06-17 07:12 34975232 ----a-w- c:\program files\Adobe Premiere Elements 7.0.msi
2008-09-30 01:26 . 2009-06-17 07:12 48640 ----a-w- c:\program files\1033.mst
2008-09-30 01:26 . 2009-06-17 07:12 2240 ----a-w- c:\program files\Setup.ini
2008-09-30 01:26 . 2009-06-17 07:12 116736 ----a-w- c:\program files\1036.mst
2008-09-30 01:26 . 2009-06-17 07:12 116224 ----a-w- c:\program files\1031.mst
2008-09-30 01:26 . 2009-06-17 07:12 110592 ----a-w- c:\program files\1041.mst
2008-09-30 01:25 . 2009-06-17 07:11 586048625 ----a-w- c:\program files\Data1.cab
2008-09-29 19:20 . 2009-06-17 07:12 822 ----a-w- c:\program files\ols_config.xml
2008-09-29 19:15 . 2009-06-17 07:12 720630 ----a-w- c:\program files\Dictionary.xml
2008-09-29 19:13 . 2009-06-17 07:12 685 ----a-w- c:\program files\Abcpy.ini
2008-09-29 19:13 . 2009-06-17 07:12 810 ----a-w- c:\program files\Config.Xml
2007-06-11 16:37 . 2009-06-17 07:13 23510720 ----a-w- c:\program files\dotnetfx20.exe
2006-05-17 05:44 . 2009-06-17 07:13 340912 ----a-w- c:\program files\dotnetfx.exe
2006-05-16 06:32 . 2009-06-17 07:12 7242 ----a-w- c:\program files\0x040c.ini
2006-05-16 06:32 . 2009-06-17 07:12 7094 ----a-w- c:\program files\0x0407.ini
2006-05-16 06:32 . 2009-06-17 07:12 6623 ----a-w- c:\program files\0x0411.ini
2006-05-16 06:32 . 2009-06-17 07:12 6129 ----a-w- c:\program files\0x0409.ini
2006-05-16 06:28 . 2009-06-17 07:13 2584848 ----a-w- c:\program files\WindowsInstaller-KB893803-x86.exe
2010-03-22 18:44 . 2010-03-22 18:44 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-27_08.10.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-28 02:10 . 2010-03-28 02:10 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-12 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MoeMonitor.exe"="c:\documents and settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2010-03-14 1315152]
"tcactive"="c:\program files\The Cleaner\tcap.exe" [2010-03-16 2810368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-01 122880]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-20 202256]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-03-22 30192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-9-21 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-22 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-08 04:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2010-03-14 00:06 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Alon^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Alon\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2009-07-25 07:33 2968512 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-03-22 18:44 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2009-12-01 23:32 122880 ----a-w- c:\program files\Google\Quick Search Box\googlequicksearchbox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 20:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2003-07-13 08:49 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-12 08:36 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Alon\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/12/2004 2:01 PM 97408]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/5/2009 2:54 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/5/2009 2:54 AM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/7/2010 11:03 PM 308064]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [3/13/2010 7:09 PM 44880]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [3/13/2010 7:09 PM 9040]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [3/13/2010 7:09 PM 19408]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [12/17/2009 6:56 AM 23096]
S2 gupdate1c95c34c9732810;Google Update Service (gupdate1c95c34c9732810);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 3:36 AM 133104]
S2 moohelp;The Cleaner 2011 Helper Service;c:\program files\The Cleaner\mhelper.exe [3/16/2010 10:12 PM 813056]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/22/2010 1:44 PM 30192]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [12/17/2009 6:56 AM 249856]
S3 STSService;STSService;c:\program files\SoundTaxi Media Suite\STSService.exe [10/30/2009 3:53 AM 335872]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-22 c:\windows\Tasks\goldenShakeIcon.job
- c:\program files\NCH Swift Sound\Golden\golden.exe [2010-02-13 03:19]

2010-03-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-12 01:15]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 09:18]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 09:18]

2010-03-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-03-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1715567821-1202660629-1343024091-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-03-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1715567821-1202660629-1343024091-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-03-27 c:\windows\Tasks\User_Feed_Synchronization-{7A8BEA52-44B9-4F52-AD9A-C607CAEBEA58}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

2010-03-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
FF - ProfilePath - c:\documents and settings\Alon\Application Data\Mozilla\Firefox\Profiles\m9joj11s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C37B053-FD68-456a-82E1-D788EE342E6F} - (no file)
BHO-{ac5c9d61-4e55-4261-a6dd-368d89ae92e4} - (no file)
HKCU-Run-Google Update - c:\documents and settings\Alon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-nForce Tray Options - sstray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 05:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,16,6f,9b,b3,31,cd,4b,a3,0f,81,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,16,6f,9b,b3,31,cd,4b,a3,0f,81,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(388)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\ieframe.dll
c:\documents and settings\Alon\Local Settings\Application Data\Microsoft\Live Mesh\Bin\WLCShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-28 05:39:13
ComboFix-quarantined-files.txt 2010-03-28 10:39
ComboFix2.txt 2010-03-27 08:15
ComboFix3.txt 2010-03-22 09:09

Pre-Run: 23,241,920,512 bytes free
Post-Run: 23,200,141,312 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 1DE9378D0ED96D4D5015AB9241FAAFE1


#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:25 AM

Posted 28 March 2010 - 10:47 AM

Let's run this scan and if it comes back clean we should be able to finish up.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.


If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#15 alonros

alonros
  • Topic Starter
  • Members
  • 10 posts
  • Local time:06:25 AM

Posted 29 March 2010 - 02:30 PM

The Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, March 29, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, March 29, 2010 05:26:49
Records in database: 3894786
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 114878
Threats found: 4
Infected objects found: 73
Suspicious objects found: 0
Scan duration: 03:54:27


File name / Threat / Threats count
C:\Documents and Settings\Alon\Local Settings\Application Data\Google\Update\googleupdate.exe.delme206 Infected: Trojan-Dropper.Win32.Agent.bsmw 1
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe.delme196 Infected: Trojan-Dropper.Win32.Agent.bsmw 1
C:\Program Files\Spybot - Search & Destroy\teatimer.exe.delme209 Infected: Trojan-Dropper.Win32.Agent.bsmw 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\10357232.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\10357232.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\16100671.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\16100671.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\1614321.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\1614321.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\185156.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\185156.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\185987.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\185987.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\331446.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\331446.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\3397956.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\3397956.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\374498.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\374498.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\383441.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\383441.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\44605859.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\44605859.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\4576710.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\4576710.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\55463061.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\55463061.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\615244.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\615244.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\642223.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\642223.old.vir Infected: Packed.Win32.Krap.ao 1
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\js.mui.vir Infected: Trojan-Dropper.Win32.Agent.bsmw 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP6\A0009650.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP7\A0010760.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP7\A0010909.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013232.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013232.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013233.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013233.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013234.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013234.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013235.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013235.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013236.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013236.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013237.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013237.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013238.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013238.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013239.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013239.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013240.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013240.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013241.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013241.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013242.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013242.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013243.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013243.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013244.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013244.old Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013245.old Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\System Volume Information\_restore{06B29894-DD46-43D8-8FDF-18E53DCBE686}\RP8\A0013245.old Infected: Packed.Win32.Krap.ao 1
C:\WINDOWS\system32\app_dll.dll.10354519.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\WINDOWS\system32\app_dll.dll.1607491.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\WINDOWS\system32\app_dll.dll.16097226.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\WINDOWS\system32\app_dll.dll.183243.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\WINDOWS\system32\app_dll.dll.310626.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\WINDOWS\system32\app_dll.dll.371624.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\WINDOWS\system32\app_dll.dll.376220.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\WINDOWS\system32\app_dll.dll.44603446.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\WINDOWS\system32\app_dll.dll.55460618.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\WINDOWS\system32\app_dll.dll.639569.old Infected: Trojan-Dropper.Win32.Agent.bquw 1

Selected area has been scanned.
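As an added example (not part of this thread, and not code from Kaspersky or ComboFix), the script below parses lines in the "File name / Threat / Threats count" format of the report above and sorts each detection by where the file sits: inside the ComboFix quarantine folder (C:\Qoobox\Quarantine), inside a System Restore snapshot (System Volume Information\_restore...), or in a live location. Copies in the first two stores are not executed from there and disappear when those stores are purged, so the live list is what a helper reads first. The sample lines are constructed for the demo; the paths and the {GUID} placeholder are made up and are not copied from the posted report.

```python
import re
from collections import Counter

# Constructed sample in the Kaspersky Online Scanner 7.0 report layout.
# Paths, suffix numbers and the {GUID} placeholder are made up for the demo.
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Program Files\\Example\\app.exe.delme12 Infected: Trojan-Dropper.Win32.Agent.bsmw 1
C:\\Qoobox\\Quarantine\\C\\Program Files\\Example\\123.old.vir Infected: Trojan-Dropper.Win32.Agent.bquv 1
C:\\Qoobox\\Quarantine\\C\\Program Files\\Example\\123.old.vir Infected: Packed.Win32.Krap.ao 1
C:\\System Volume Information\\_restore{GUID}\\RP1\\A0000001.old Infected: Trojan-Dropper.Win32.Agent.bquw 1
C:\\WINDOWS\\system32\\app_dll.dll.555.old Infected: Trojan-Dropper.Win32.Agent.bquw 1

Selected area has been scanned.
"""

# One detection per line: <path> Infected: <threat name> <count>
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify(path):
    """Return where the detected file lives, which decides how urgent it is."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"     # already isolated by ComboFix; cleared with its quarantine
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # System Restore snapshot; cleared by purging restore points
    return "live"               # ordinary location on disk; needs a look


def parse_report(text):
    """Parse report text into a list of detection records; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        findings.append({
            "path": m.group("path"),
            "threat": m.group("threat"),
            "count": int(m.group("count")),
            "location": classify(m.group("path")),
        })
    return findings


def summarize(findings):
    """Count detections by location and by threat name, and list the live paths."""
    by_location = Counter(f["location"] for f in findings)
    by_threat = Counter(f["threat"] for f in findings)
    live_paths = sorted({f["path"] for f in findings if f["location"] == "live"})
    return {
        "by_location": dict(by_location),
        "by_threat": dict(by_threat),
        "live_paths": live_paths,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("Detections by location:", summary["by_location"])
    print("Detections by threat:  ", summary["by_threat"])
    print("Still in live locations:")
    for path in summary["live_paths"]:
        print("  ", path)
```

Run it against a saved report by replacing SAMPLE_REPORT with the file's contents; a report with an empty live list and only quarantine or restore-point hits is the "comes back clean apart from the stores we are about to empty" outcome a helper is looking for at this stage.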