
Infected with Trojan.Win32.Agent2(ZASRAKOMONDOHUI31338.EXE)


This topic is locked
51 replies to this topic

#1 alltrips

Posted 24 March 2010 - 05:40 PM

Original Post

Assisted to this point by boopme (BP Moderator).

After the final MBAM scan and reboot as instructed by boopme, my laptop was still displaying the following symptoms:


The Firewall is still turned off and the CPU is running at 100%. If I manually check the Registry against the last MBAM log, all entries that are reported as "Quarantined & Deleted Successfully" are still present in the registry (Backdoor.Bot, Malware.Trace & Security.Hijack).

The entries listed in MBAM as "Security.Hijack" all have the same information in the right-hand window, as follows:

Name: Debugger
Type: REG_SZ
Data: ZASRAKOMONDOHUI31338.EXE


LOGS:

DDS (Ver_10-03-17.01) - FAT32x86
Run by Keith Lewis at 21:48:48.85 on 24/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.129 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\Documents and Settings\Keith Lewis\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\msapdm32.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ALOT Toolbar Helper: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - c:\program files\alot\bin\alot.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource\go\CTCMSGo.exe" /SCB
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet
mRun: [PmProxy] c:\program files\analog devices\soundmax\PmProxy.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [TMESBS.EXE] c:\program files\toshiba\tme3\TMESBS32.EXE /Client
mRun: [TFncKy] TFncKy.exe /Type 28
mRun: [TFNF5] TFNF5.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTSysVol] "c:\program files\creative\sound blaster audigy 2\surround mixer\CTSysVol.exe" /r
mRun: [CTFeatureModeUtility] c:\program files\creative\sound blaster audigy 2\feature mode utility\CTModUtl.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: chrome.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: firefox.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: RapportMgmtService.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: RapportService.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: safari.exe - ZASRAKOMONDOHUI31338.EXE
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-23 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-23 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-23 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-23 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-23 308064]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Tmesbs;Tmesbs32;c:\program files\toshiba\tme3\tmesbs32.exe [2003-1-17 57344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-3-23 369920]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [2005-1-31 159104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [2003-1-17 156672]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2010-2-17 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2010-2-17 5248]

=============== Created Last 30 ================

2010-03-24 21:42:11 54 ----a-w- c:\documents and settings\keith lewis\defogger_reenable
2010-03-24 04:22:28 4958588 ----a-w- c:\windows\{00000004-00000000-00000000-00001102-00000008-20011102}.BAK
2010-03-24 04:15:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-24 04:15:14 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 04:15:14 0 d-----w- c:\docume~1\keithl~1\applic~1\SUPERAntiSpyware.com
2010-03-24 04:14:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-23 22:47:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-23 22:47:23 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 22:47:15 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-23 22:47:10 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-23 22:47:06 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-03-23 22:42:46 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-23 22:34:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 22:34:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 22:34:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 14:36:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-20 00:53:44 0 d-----w- c:\windows\system32\LogFiles
2010-03-20 00:43:24 0 d-----w- c:\docume~1\keithl~1\applic~1\Malwarebytes
2010-03-20 00:43:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-18 21:12:46 0 d-----w- c:\docume~1\keithl~1\applic~1\Chief Architect X2
2010-03-18 21:01:36 694272 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-03-18 21:01:35 0 d-----w- c:\program files\common files\Aladdin Shared
2010-03-18 21:01:34 535807 ----a-w- c:\windows\system32\hasplms.exe
2010-03-18 21:01:34 535807 ----a-w- c:\windows\system32\aksllmtp.exe
2010-03-18 21:01:33 351744 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2010-03-18 20:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Chief Architect X2
2010-03-17 17:01:06 0 d-----w- C:\Punch! Master Landscape

==================== Find3M ====================

2010-02-18 02:16:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-17 02:59:18 141357 ----a-w- c:\windows\hpoins15.dat
2010-02-16 23:34:30 81920 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-16 23:34:30 221184 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-14 12:09:54 0 --sha-r- c:\windows\system32\drivers\TOSHIBA_Satellite 2450_00737000-4B_PS245E-022MY.MRK
2010-02-02 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-05 15:30:28 3599360 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

============= FINISH: 21:50:55.71 ===============


Attached File  Attach.txt   8.87KB   9 downloads

Attached File  ark.log   5.25KB   13 downloads


TIA Keith


Good PC Techs are those that say they know everything, GREAT PC Techs are those that know WHERE to Find Everything.
So for GREAT PC Techs come to http://www.bleepingcomputer.com
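The three persistence mechanisms visible in the DDS report above (IFEO Debugger values pointing five images at ZASRAKOMONDOHUI31338.EXE, an extra executable in the Winlogon Userinit value, and a security site mapped to loopback in Hosts) are the first things an analyst checks in such a log. The Python below is an added example, not part of this thread, of DDS or of any tool named here; it parses those three line types in the layout DDS prints and rates each finding. The allow-list of known debuggers and the vsjitdebugger sample line are assumptions.

```python
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "severity category detail")

# Debuggers a developer box may legitimately register under IFEO (assumed
# allow-list); any other Debugger value is treated as a hijack.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "ntsd.exe", "windbg.exe", "cdb.exe"}

# The only executable Windows itself puts in Winlogon\Userinit; DDS prints
# paths lower-cased, so comparisons are lower-cased too.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

IFEO_RE = re.compile(r"^IFEO:\s+(\S+)\s+-\s+(.+?)\s*$", re.IGNORECASE)
USERINIT_RE = re.compile(r"^mWinlogon:\s+Userinit=(.*)$", re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed sample: the lines from the DDS report above that carry the
# persistence findings, plus one benign IFEO line (assumed layout) of the
# kind Visual Studio's just-in-time debugger registers.
SAMPLE_DDS = """\
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\msapdm32.exe,
IFEO: chrome.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: firefox.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: RapportMgmtService.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: RapportService.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: safari.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: myapp.exe - "c:\\program files\\microsoft visual studio 9.0\\common7\\ide\\vsjitdebugger.exe" -p %ld -e %ld
Hosts: 127.0.0.1 www.spywareinfo.com
"""

def debugger_basename(value):
    """Reduce a Debugger value (bare name or quoted path plus arguments) to its file name."""
    value = value.strip()
    if value.startswith('"'):
        path = value[1:].split('"', 1)[0]
    else:
        path = value.split(None, 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_dds(text):
    """Pull the three persistence-relevant line types out of a DDS report."""
    report = {"ifeo": [], "userinit": [], "hosts": []}
    for line in text.splitlines():
        m = IFEO_RE.match(line)
        if m:
            report["ifeo"].append((m.group(1).lower(), m.group(2)))
            continue
        m = USERINIT_RE.match(line)
        if m:
            report["userinit"] = [p.strip() for p in m.group(1).split(",") if p.strip()]
            continue
        m = HOSTS_RE.match(line)
        if m:
            report["hosts"].append((m.group(1), m.group(2).lower()))
    return report

def triage(text):
    """Return Findings for a DDS report, most severe first."""
    report = parse_dds(text)
    findings = []

    # 1. IFEO: the loader starts the Debugger value instead of the image, so
    #    one registry value silently replaces a browser or a security service.
    by_debugger = defaultdict(list)
    for image, dbg in report["ifeo"]:
        name = debugger_basename(dbg)
        by_debugger[name].append(image)
        if name in KNOWN_DEBUGGERS:
            findings.append(Finding("low", "IFEO", f"{image} -> {name}; confirm it was set deliberately"))
        else:
            findings.append(Finding("high", "IFEO", f"{image} redirected to {dbg}"))
    for name, images in by_debugger.items():
        if len(images) > 1 and name not in KNOWN_DEBUGGERS:
            findings.append(Finding("high", "IFEO", f"{name} attached to {len(images)} images: {', '.join(images)}"))

    # 2. Winlogon Userinit: every entry runs at each logon; only userinit.exe belongs there.
    for entry in report["userinit"]:
        if entry.lower() != EXPECTED_USERINIT:
            findings.append(Finding("high", "Userinit", f"extra logon executable: {entry}"))

    # 3. Hosts: mapping anything but localhost to loopback is a block rule,
    #    here aimed at a security site.
    for ip, name in report["hosts"]:
        if ip in ("127.0.0.1", "0.0.0.0", "::1") and name not in ("localhost", "localhost.localdomain"):
            findings.append(Finding("medium", "Hosts", f"{name} sinkholed to {ip}"))

    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda fd: rank[fd.severity])
    return findings

if __name__ == "__main__":
    for fd in triage(SAMPLE_DDS):
        print(f"[{fd.severity:6}] {fd.category:8} {fd.detail}")
```

Pass a saved DDS report's full text to triage() to run the same checks on a real log; everything outside the three line types is ignored.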


#2 Tokek

Posted 27 March 2010 - 07:01 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

If I have not replied back to your post in 3 days, please send me a PM.


#3 alltrips (Topic Starter)

Posted 28 March 2010 - 08:12 PM

Hi Tokek

Thank you for your reply.

The symptoms, DDS Log and GMER Log attachment are all in my first post of this thread. There will have been no changes since that post as I have not nor will I be turning that laptop on until told to by the MRT that is advising me.

However, if you still require a fresh set of logs just to confirm no changes I will gladly do that.

Keith

#4 Tokek

Posted 29 March 2010 - 10:31 PM

Hello alltrips,

Welcome to Bleeping Computer.

My name is Tokek and I will be helping you with your Malware problem.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

If I don't reply to your post in 3 days, please send me a PM, as sometimes life gets hectic and I may inadvertently forget.


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
If it asks you, please install the Windows Recovery Console (internet connection required).
When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new DDS log for further review.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


In your next reply, please include the following:
  • ComboFix.txt

Edited by Tokek, 29 March 2010 - 10:38 PM.

If I have not replied back to your post in 3 days, please send me a PM.


#5 alltrips (Topic Starter)

Posted 30 March 2010 - 07:36 PM

Hi Tokek

Here are the combofix log and fresh DDS text files as requested.


ComboFix 10-03-29.04 - Keith Lewis 31/03/2010 0:40.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.119 [GMT 1:00]
Running from: c:\documents and settings\Keith Lewis\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Keith Lewis\Application Data\alot
c:\documents and settings\Keith Lewis\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Keith Lewis\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\Keith Lewis\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\Keith Lewis\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\Keith Lewis\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\Keith Lewis\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\Keith Lewis\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\Keith Lewis\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\configurator\configurator.xml
c:\documents and settings\Keith Lewis\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\Keith Lewis\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\Keith Lewis\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\products\products.xml
c:\documents and settings\Keith Lewis\Application Data\alot\products\products.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_image_search.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_image_search.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_news_search.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_news_search.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_shop_search.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_shop_search.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_videos_search.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_videos_search.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_web_search.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_1\images\alot_web_search.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_2\images\alot_configure.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_2\images\alot_configure.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_3\images\default_1610_alot_weather_search.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_3\images\default_1610_alot_weather_search.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\clear.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\cloudy.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\default_1007_alot_weather_widget.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\foggy.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\mcloud.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\nclear.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\nmcloud.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\nshower.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\pcloud.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\rain.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_4\images\shower.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_5\images\default_1606_alot_new_newsrss.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_5\images\default_1606_alot_new_newsrss.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_6\images\default_1609_alot_wea_radar.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_6\images\default_1609_alot_wea_radar.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_7\images\default_1524_alot_wea_info.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_7\images\default_1524_alot_wea_info.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_8\images\2939_icon.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Button_9\images\3277_icon.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\intro_popup.png
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_btnconfig0.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_btnconfig1.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_btnrefresh0.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_btnrefresh1.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\Keith Lewis\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\Keith Lewis\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\toolbar.xml
c:\documents and settings\Keith Lewis\Application Data\alot\toolbar.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\Keith Lewis\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\Keith Lewis\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\Keith Lewis\Application Data\alot\Updater\Updater.xml
c:\documents and settings\Keith Lewis\Application Data\alot\Updater\Updater.xml.backup
c:\program files\alot
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-30 23:31 . 2010-03-30 23:31 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\AVG9
2010-03-24 03:16 . 2010-03-24 03:16 52224 ----a-w- c:\documents and settings\Keith Lewis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-24 03:16 . 2010-03-24 03:16 117760 ----a-w- c:\documents and settings\Keith Lewis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-24 03:15 . 2010-03-24 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-24 03:15 . 2010-03-24 03:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 03:15 . 2010-03-24 03:15 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\SUPERAntiSpyware.com
2010-03-24 03:14 . 2010-03-24 03:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-23 21:47 . 2010-03-23 21:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-23 21:47 . 2010-03-23 21:47 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 21:47 . 2010-03-23 21:47 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-23 21:47 . 2010-03-23 21:47 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-23 21:47 . 2010-03-23 21:47 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-23 21:47 . 2010-03-23 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-03-23 21:42 . 2010-03-23 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-23 21:34 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 21:34 . 2010-03-23 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 21:34 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 13:36 . 2010-03-23 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-20 14:04 . 2010-03-20 14:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-19 23:53 . 2010-03-19 23:53 -------- d-----w- c:\windows\system32\LogFiles
2010-03-19 23:43 . 2010-03-19 23:43 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\Malwarebytes
2010-03-19 23:43 . 2010-03-19 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-18 20:12 . 2010-03-18 20:12 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\Chief Architect X2
2010-03-18 20:01 . 2007-03-06 20:39 694272 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-03-18 20:01 . 2010-03-18 20:01 -------- d-----w- c:\program files\Common Files\Aladdin Shared
2010-03-18 20:01 . 2007-03-15 13:48 535807 ----a-w- c:\windows\system32\hasplms.exe
2010-03-18 20:01 . 2007-03-15 13:48 535807 ----a-w- c:\windows\system32\aksllmtp.exe
2010-03-18 20:01 . 2007-03-12 19:48 351744 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2010-03-18 19:59 . 2010-03-18 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Chief Architect X2
2010-03-17 19:33 . 2010-03-17 19:33 -------- d-----w- c:\documents and settings\Keith Lewis\Local Settings\Application Data\Help
2010-03-17 16:01 . 2010-03-17 16:01 -------- d-----w- C:\Punch! Master Landscape
2010-03-10 19:15 . 2010-03-10 19:15 -------- d-----w- c:\documents and settings\Keith Lewis\Local Settings\Application Data\HP
2010-03-10 19:11 . 2010-03-10 19:11 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 17:32 . 2010-02-14 12:27 33760 ----a-w- c:\documents and settings\Keith Lewis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-18 01:17 . 2010-02-18 01:16 -------- d-----w- c:\program files\Common Files\Java
2010-02-18 01:16 . 2010-02-18 01:16 61440 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-68de2eb0-n\decora-sse.dll
2010-02-18 01:16 . 2010-02-18 01:16 503808 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa78885-n\msvcp71.dll
2010-02-18 01:16 . 2010-02-18 01:16 499712 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa78885-n\jmc.dll
2010-02-18 01:16 . 2010-02-18 01:16 348160 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa78885-n\msvcr71.dll
2010-02-18 01:16 . 2010-02-18 01:16 12800 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-68de2eb0-n\decora-d3d.dll
2010-02-18 01:16 . 2010-02-18 01:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-18 01:16 . 2010-02-18 01:16 -------- d-----w- c:\program files\Java
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\eBay
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WholeSecurity
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\eBay
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\program files\eBay
2010-02-17 03:09 . 2010-02-17 03:09 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\InstallShield
2010-02-17 02:31 . 2010-02-17 02:31 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-02-17 02:25 . 2010-02-17 02:25 -------- d-----w- c:\program files\PC Inspector File Recovery
2010-02-17 02:19 . 2010-02-17 02:19 -------- d-----w- c:\program files\7-Zip
2010-02-17 02:12 . 2010-02-17 02:12 -------- d-----w- c:\program files\Alcohol Soft
2010-02-17 02:10 . 2010-02-17 02:10 -------- d-----w- c:\program files\CCleaner
2010-02-17 01:59 . 2010-02-17 01:50 141357 ----a-w- c:\windows\hpoins15.dat
2010-02-17 01:59 . 2010-02-17 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-02-17 01:57 . 2010-02-17 01:57 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\HPAppData
2010-02-17 01:56 . 2010-02-17 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-02-17 01:56 . 2010-02-17 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-02-17 01:56 . 2010-02-17 01:55 -------- d-----w- c:\program files\Common Files\HP
2010-02-17 01:55 . 2010-02-17 01:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-17 01:55 . 2010-02-17 01:55 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-02-17 01:54 . 2010-02-17 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-02-17 01:53 . 2010-02-17 01:53 -------- d-----w- c:\program files\HP
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\AdobeUM
2010-02-17 01:13 . 2010-02-17 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-02-17 01:13 . 2010-02-17 01:13 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-02-17 01:11 . 2010-02-17 01:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-17 00:13 . 2010-02-17 00:13 -------- d-----w- c:\program files\MSBuild
2010-02-17 00:11 . 2010-02-17 00:11 -------- d-----w- c:\program files\Reference Assemblies
2010-02-16 23:29 . 2010-02-16 23:29 -------- d-----w- c:\program files\AVG
2010-02-16 22:34 . 2010-02-16 22:26 81920 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-16 22:34 . 2010-02-16 22:26 221184 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-16 22:31 . 2010-02-16 22:31 -------- d-----w- c:\program files\Creative
2010-02-16 22:26 . 2010-02-16 22:26 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\Creative
2010-02-14 12:24 . 2003-01-17 06:49 77155 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-14 11:09 . 2010-02-14 11:09 0 --sha-r- c:\windows\system32\drivers\TOSHIBA_Satellite 2450_00737000-4B_PS245E-022MY.MRK
2010-02-02 17:00 . 2010-02-17 02:31 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-05 09:00 . 1979-12-31 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:00 . 2010-02-14 12:22 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 09:00 . 1979-12-31 23:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 15:14 . 1979-12-31 23:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 13:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"Creative MediaSource Go"="c:\program files\Creative\MediaSource\Go\CTCMSGo.exe" [2004-11-30 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"nwiz"="nwiz.exe" [2002-12-12 438272]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2002-11-14 40960]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-01-14 249856]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"Tpwrtray"="TPWRTRAY.EXE" [2003-01-14 221184]
"TMESBS.EXE"="c:\program files\TOSHIBA\TME3\TMESBS32.EXE" [2003-01-08 57344]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2001-08-03 73728]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 49152]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-12-04 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-12-04 569344]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2002-08-09 122880]
"NDSTray.exe"="c:\program files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 458752]
"CTHelper"="CTHELPER.EXE" [2005-02-17 14848]
"CTSysVol"="c:\program files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTFeatureModeUtility"="c:\program files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe" [2005-01-10 81920]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-03-19 632048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-2-17 25214]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msapdm32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-23 21:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:i-Catcher
"8080:UDP"= 8080:UDP:i-Catcher

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/03/2010 22:47 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/03/2010 22:47 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10:15 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [23/03/2010 22:45 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [23/03/2010 22:45 308064]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [17/01/2003 09:22 57344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [23/03/2010 22:47 369920]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [31/01/2005 06:31 159104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10:15 12872]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [17/01/2003 09:15 156672]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [17/02/2010 03:12 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [17/02/2010 03:12 5248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-31 00:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\msapdm32.exe 229376 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\wininet.dll
.
Completion time: 2010-03-31 00:57:00
ComboFix-quarantined-files.txt 2010-03-30 23:56

Pre-Run: 150,998,253,568 bytes free
Post-Run: 150,960,111,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - BECAEF4732575D3C6F70588BDA71803E

______________________________________________________________________________________________



DDS (Ver_10-03-17.01) - FAT32x86
Run by Keith Lewis at 1:01:35.95 on 31/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.122 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Keith Lewis\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\msapdm32.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource\go\CTCMSGo.exe" /SCB
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet
mRun: [PmProxy] c:\program files\analog devices\soundmax\PmProxy.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [TMESBS.EXE] c:\program files\toshiba\tme3\TMESBS32.EXE /Client
mRun: [TFncKy] TFncKy.exe /Type 28
mRun: [TFNF5] TFNF5.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTSysVol] "c:\program files\creative\sound blaster audigy 2\surround mixer\CTSysVol.exe" /r
mRun: [CTFeatureModeUtility] c:\program files\creative\sound blaster audigy 2\feature mode utility\CTModUtl.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-23 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-23 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-23 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-23 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-23 308064]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Tmesbs;Tmesbs32;c:\program files\toshiba\tme3\tmesbs32.exe [2003-1-17 57344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-3-23 369920]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [2005-1-31 159104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [2003-1-17 156672]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2010-2-17 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2010-2-17 5248]

=============== Created Last 30 ================

2010-03-30 23:38:17 0 d-sha-r- C:\cmdcons
2010-03-30 23:34:58 98816 ----a-w- c:\windows\sed.exe
2010-03-30 23:34:58 77312 ----a-w- c:\windows\MBR.exe
2010-03-30 23:34:58 261632 ----a-w- c:\windows\PEV.exe
2010-03-30 23:34:58 161792 ----a-w- c:\windows\SWREG.exe
2010-03-30 23:31:10 0 d-----w- c:\docume~1\keithl~1\applic~1\AVG9
2010-03-24 20:42:11 54 ----a-w- c:\documents and settings\keith lewis\defogger_reenable
2010-03-24 03:22:28 4958588 ----a-w- c:\windows\{00000004-00000000-00000000-00001102-00000008-20011102}.BAK
2010-03-24 03:15:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-24 03:15:14 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 03:15:14 0 d-----w- c:\docume~1\keithl~1\applic~1\SUPERAntiSpyware.com
2010-03-24 03:14:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-23 21:47:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-23 21:47:23 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 21:47:15 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-23 21:47:10 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-23 21:47:06 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-03-23 21:42:46 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-23 21:34:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 21:34:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 21:34:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 13:36:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-19 23:53:44 0 d-----w- c:\windows\system32\LogFiles
2010-03-19 23:43:24 0 d-----w- c:\docume~1\keithl~1\applic~1\Malwarebytes
2010-03-19 23:43:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-18 20:12:46 0 d-----w- c:\docume~1\keithl~1\applic~1\Chief Architect X2
2010-03-18 20:01:36 694272 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-03-18 20:01:35 0 d-----w- c:\program files\common files\Aladdin Shared
2010-03-18 20:01:34 535807 ----a-w- c:\windows\system32\hasplms.exe
2010-03-18 20:01:34 535807 ----a-w- c:\windows\system32\aksllmtp.exe
2010-03-18 20:01:33 351744 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2010-03-18 19:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Chief Architect X2
2010-03-17 16:01:06 0 d-----w- C:\Punch! Master Landscape

==================== Find3M ====================

2010-02-18 01:16:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-17 01:59:18 141357 ----a-w- c:\windows\hpoins15.dat
2010-02-16 22:34:30 81920 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-16 22:34:30 221184 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-14 11:09:54 0 --sha-r- c:\windows\system32\drivers\TOSHIBA_Satellite 2450_00737000-4B_PS245E-022MY.MRK
2010-02-02 17:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-05 14:30:28 3599360 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-31 15:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 14:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 14:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

============= FINISH: 1:02:52.82 ===============

______________________________________________________________________________________________________


Attached File  Attach.txt   7.74KB   8 downloads


Good PC Techs are those that say they know everything, GREAT PC Techs are those that know WHERE to Find Everything.
So for GREAT PC Techs come to http://www.bleepingcomputer.com

#6 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:12:17 PM

Posted 02 April 2010 - 12:00 AM

Hello alltrips,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\msapdm32.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

In your next reply, please include the following:
  • Jotti log
  • a new DDS log

If I have not replied back to your post in 3 days, please send me a PM.

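Tokek's choice of file follows from two lines in the ComboFix log above: the Winlogon Userinit value has a second executable appended after userinit.exe, and catchme reports that same path as a hidden file. As an added example (not part of the thread, and not a ComboFix, DDS or BleepingComputer tool), a small Python checker that pulls those indicators, plus the EnableFirewall=0 line, out of a constructed log excerpt modelled on the quoted lines:

```python
"""Flag the three findings this thread turns on in ComboFix/DDS log text:
a Winlogon Userinit value with an extra executable appended, a catchme
'hidden files' hit, and a disabled Windows Firewall profile.
Added example for this thread; not a ComboFix, DDS or BleepingComputer tool.
SAMPLE_LOG is a constructed excerpt modelled on the lines quoted in the thread."""
from __future__ import annotations

import re

# Constructed excerpt (not a real log file): the relevant lines from the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msapdm32.exe,"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

scanning hidden files ...

c:\windows\system32\msapdm32.exe 229376 bytes

scan completed successfully
hidden files: 1
"""

# A clean XP Userinit value is exactly the system userinit.exe; every other
# comma-separated entry is launched at logon and is therefore a persistence point.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# ComboFix writes the registry form ("Userinit"="..."); DDS writes mWinlogon: Userinit=...
USERINIT_RE = re.compile(
    r'^(?:"Userinit"="([^"\n]*)"|mWinlogon:\s*Userinit=(.*?))\s*$',
    re.IGNORECASE | re.MULTILINE,
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)', re.IGNORECASE | re.MULTILINE)
# catchme lists each hidden file as "<path> <size> bytes".
HIDDEN_FILE_RE = re.compile(r"^([a-z]:\\\S.*?)\s+(\d+) bytes$", re.IGNORECASE | re.MULTILINE)


def _userinit_value(log: str) -> str | None:
    m = USERINIT_RE.search(log)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def userinit_extras(log: str) -> list[str]:
    """Executables in the Userinit value other than the expected system one."""
    value = _userinit_value(log)
    if value is None:
        return []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def firewall_disabled(log: str) -> bool:
    """True when the standard-profile EnableFirewall value is 0."""
    m = FIREWALL_RE.search(log)
    return m is not None and m.group(1) == "0"


def hidden_files(log: str) -> list[tuple[str, int]]:
    """(path, size) pairs from catchme's 'scanning hidden files' block."""
    lower = log.lower()
    start = lower.find("scanning hidden files")
    if start < 0:
        return []
    end = lower.find("scan completed", start)
    block = log[start:end] if end > 0 else log[start:]
    return [(path, int(size)) for path, size in HIDDEN_FILE_RE.findall(block)]


def cross_reference(log: str) -> list[str]:
    """Userinit extras that catchme also reports as hidden: one artifact, two indicators."""
    hidden = {path.lower() for path, _ in hidden_files(log)}
    return [e for e in userinit_extras(log) if e.lower() in hidden]


def report(log: str) -> list[str]:
    """Human-readable findings, highest-confidence item last."""
    findings = [f"Userinit loads an extra executable: {e}" for e in userinit_extras(log)]
    if firewall_disabled(log):
        findings.append("Windows Firewall is disabled in the standard profile (EnableFirewall=0)")
    findings += [f"catchme reports a hidden file: {p} ({size} bytes)" for p, size in hidden_files(log)]
    findings += [f"PRIORITY: {p} is both hidden and a Winlogon load point" for p in cross_reference(log)]
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The same checker accepts the DDS `mWinlogon: Userinit=` form, so it can be run over either log type the thread posts.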

#7 alltrips

alltrips
  • Topic Starter

  • Members
  • 37 posts
  • Gender:Male
  • Local time:08:17 PM

Posted 02 April 2010 - 08:54 PM

Hi Tokek

I have the folder view options set to:

Checked - Display the contents of system folders.
Checked - show hidden files and folders.
Unchecked - Hide extensions for known file types.
Unchecked - Hide protected operating system files.

I loaded the Jotti page and did a browse in c:\windows\system32\
and could not find msapdm32.exe

I then ran a search of all files and folders and the only file with that name located was MSAPDM32.EXE-0330899F.pf in c:\windows\prefetch

So what next ?



#8 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • Gender:Male
  • Location:Jakarta, Indonesia

Posted 02 April 2010 - 11:18 PM

Hello alltrips,

Ok, let's try it this way instead:


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Collect::
c:\windows\system32\msapdm32.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • Combofix

Edited by Tokek, 03 April 2010 - 12:13 AM.

If I have not replied back to your post in 3 days, please send me a PM.


#9 alltrips

alltrips
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male

Posted 03 April 2010 - 06:32 PM

Hi Tokek

Followed the instructions in your last post, here is the requested combofix log:


ComboFix 10-04-02.01 - Keith Lewis 03/04/2010 18:01:41.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.133 [GMT 1:00]
Running from: c:\documents and settings\Keith Lewis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Keith Lewis\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

file zipped: c:\windows\system32\msapdm32.exe
.
PEV Error: UserFile
PEV Error: UserFolder

((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
.

2010-04-03 01:25 . 2010-02-23 13:04 1664256 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-03-30 23:31 . 2010-03-30 23:31 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\AVG9
2010-03-24 03:16 . 2010-03-24 03:16 52224 ----a-w- c:\documents and settings\Keith Lewis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-24 03:16 . 2010-03-24 03:16 117760 ----a-w- c:\documents and settings\Keith Lewis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-24 03:15 . 2010-03-24 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-24 03:15 . 2010-03-24 03:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 03:15 . 2010-03-24 03:15 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\SUPERAntiSpyware.com
2010-03-24 03:14 . 2010-03-24 03:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-23 21:47 . 2010-03-23 21:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-23 21:47 . 2010-03-23 21:47 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 21:47 . 2010-03-23 21:47 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-23 21:47 . 2010-03-23 21:47 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-23 21:47 . 2010-03-23 21:47 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-23 21:47 . 2010-03-23 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-03-23 21:42 . 2010-03-23 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-23 21:34 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 21:34 . 2010-03-23 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 21:34 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 13:36 . 2010-03-23 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-20 14:04 . 2010-03-20 14:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-19 23:53 . 2010-03-19 23:53 -------- d-----w- c:\windows\system32\LogFiles
2010-03-19 23:43 . 2010-03-19 23:43 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\Malwarebytes
2010-03-19 23:43 . 2010-03-19 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-18 20:12 . 2010-03-18 20:12 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\Chief Architect X2
2010-03-18 20:01 . 2007-03-06 20:39 694272 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-03-18 20:01 . 2010-03-18 20:01 -------- d-----w- c:\program files\Common Files\Aladdin Shared
2010-03-18 20:01 . 2007-03-15 13:48 535807 ----a-w- c:\windows\system32\hasplms.exe
2010-03-18 20:01 . 2007-03-15 13:48 535807 ----a-w- c:\windows\system32\aksllmtp.exe
2010-03-18 20:01 . 2007-03-12 19:48 351744 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2010-03-18 19:59 . 2010-03-18 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Chief Architect X2
2010-03-17 19:33 . 2010-03-17 19:33 -------- d-----w- c:\documents and settings\Keith Lewis\Local Settings\Application Data\Help
2010-03-17 16:01 . 2010-03-17 16:01 -------- d-----w- C:\Punch! Master Landscape
2010-03-10 19:15 . 2010-03-10 19:15 -------- d-----w- c:\documents and settings\Keith Lewis\Local Settings\Application Data\HP
2010-03-10 19:11 . 2010-03-10 19:11 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 17:32 . 2010-02-14 12:27 33760 ----a-w- c:\documents and settings\Keith Lewis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-18 01:17 . 2010-02-18 01:16 -------- d-----w- c:\program files\Common Files\Java
2010-02-18 01:16 . 2010-02-18 01:16 61440 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-68de2eb0-n\decora-sse.dll
2010-02-18 01:16 . 2010-02-18 01:16 503808 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa78885-n\msvcp71.dll
2010-02-18 01:16 . 2010-02-18 01:16 499712 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa78885-n\jmc.dll
2010-02-18 01:16 . 2010-02-18 01:16 348160 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa78885-n\msvcr71.dll
2010-02-18 01:16 . 2010-02-18 01:16 12800 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-68de2eb0-n\decora-d3d.dll
2010-02-18 01:16 . 2010-02-18 01:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-18 01:16 . 2010-02-18 01:16 -------- d-----w- c:\program files\Java
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\eBay
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WholeSecurity
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\eBay
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\program files\eBay
2010-02-17 03:09 . 2010-02-17 03:09 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\InstallShield
2010-02-17 02:31 . 2010-02-17 02:31 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-02-17 02:25 . 2010-02-17 02:25 -------- d-----w- c:\program files\PC Inspector File Recovery
2010-02-17 02:19 . 2010-02-17 02:19 -------- d-----w- c:\program files\7-Zip
2010-02-17 02:12 . 2010-02-17 02:12 -------- d-----w- c:\program files\Alcohol Soft
2010-02-17 02:10 . 2010-02-17 02:10 -------- d-----w- c:\program files\CCleaner
2010-02-17 01:59 . 2010-02-17 01:50 141357 ----a-w- c:\windows\hpoins15.dat
2010-02-17 01:59 . 2010-02-17 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-02-17 01:57 . 2010-02-17 01:57 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\HPAppData
2010-02-17 01:56 . 2010-02-17 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-02-17 01:56 . 2010-02-17 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-02-17 01:56 . 2010-02-17 01:55 -------- d-----w- c:\program files\Common Files\HP
2010-02-17 01:55 . 2010-02-17 01:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-17 01:55 . 2010-02-17 01:55 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-02-17 01:54 . 2010-02-17 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-02-17 01:53 . 2010-02-17 01:53 -------- d-----w- c:\program files\HP
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\AdobeUM
2010-02-17 01:13 . 2010-02-17 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-02-17 01:13 . 2010-02-17 01:13 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-02-17 01:11 . 2010-02-17 01:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-17 00:13 . 2010-02-17 00:13 -------- d-----w- c:\program files\MSBuild
2010-02-17 00:11 . 2010-02-17 00:11 -------- d-----w- c:\program files\Reference Assemblies
2010-02-16 23:29 . 2010-02-16 23:29 -------- d-----w- c:\program files\AVG
2010-02-16 22:34 . 2010-02-16 22:26 81920 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-16 22:34 . 2010-02-16 22:26 221184 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-16 22:31 . 2010-02-16 22:31 -------- d-----w- c:\program files\Creative
2010-02-16 22:26 . 2010-02-16 22:26 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\Creative
2010-02-14 12:24 . 2003-01-17 06:49 77155 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-14 11:09 . 2010-02-14 11:09 0 --sha-r- c:\windows\system32\drivers\TOSHIBA_Satellite 2450_00737000-4B_PS245E-022MY.MRK
2010-02-02 17:00 . 2010-02-17 02:31 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-05 09:00 . 1979-12-31 23:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 09:00 . 2010-02-14 12:22 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 09:00 . 1979-12-31 23:00 17408 ------w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-30_23.52.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-03 16:54 . 2010-04-03 16:54 16384 c:\windows\Temp\Perflib_Perfdata_770.dat
- 2003-01-17 06:54 . 2010-03-30 23:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-01-17 06:54 . 2010-04-03 17:01 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-01-17 06:54 . 2010-04-03 16:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-01-17 06:54 . 2010-03-30 23:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-01-17 06:54 . 2010-04-03 16:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-01-17 06:54 . 2010-03-30 23:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 13:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"Creative MediaSource Go"="c:\program files\Creative\MediaSource\Go\CTCMSGo.exe" [2004-11-30 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"nwiz"="nwiz.exe" [2002-12-12 438272]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2002-11-14 40960]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-01-14 249856]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"Tpwrtray"="TPWRTRAY.EXE" [2003-01-14 221184]
"TMESBS.EXE"="c:\program files\TOSHIBA\TME3\TMESBS32.EXE" [2003-01-08 57344]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2001-08-03 73728]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 49152]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-12-04 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-12-04 569344]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2002-08-09 122880]
"NDSTray.exe"="c:\program files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 458752]
"CTHelper"="CTHELPER.EXE" [2005-02-17 14848]
"CTSysVol"="c:\program files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTFeatureModeUtility"="c:\program files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe" [2005-01-10 81920]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-03-19 632048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-2-17 25214]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msapdm32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-23 21:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:i-Catcher
"8080:UDP"= 8080:UDP:i-Catcher

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/03/2010 22:47 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/03/2010 22:47 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10:15 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [23/03/2010 22:45 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [23/03/2010 22:45 308064]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [17/01/2003 09:22 57344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [23/03/2010 22:47 369920]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [31/01/2005 06:31 159104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10:15 12872]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [17/01/2003 09:15 156672]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [17/02/2010 03:12 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [17/02/2010 03:12 5248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 18:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\msapdm32.exe 229376 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(612)
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(3108)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
Completion time: 2010-04-03 18:15:20
ComboFix-quarantined-files.txt 2010-04-03 17:15
ComboFix2.txt 2010-03-30 23:57

Pre-Run: 150,894,641,152 bytes free
Post-Run: 150,864,265,216 bytes free

- - End Of File - - 1E18981196E541C5F2D20AD87A7D6688
Upload was successful




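Three lines in the ComboFix log above carry the weight of this thread: the Winlogon Userinit value that now lists a second executable, the standard-profile firewall switched off, and catchme reporting msapdm32.exe as a hidden file. The Python below is an added example (not ComboFix or BleepingComputer code) that parses a constructed log excerpt built from those lines and cross-references the findings the way a responder would when triaging such a log.

```python
"""Triage helper for ComboFix-style logs.

Added example, not ComboFix code.  SAMPLE_LOG is a constructed excerpt
that mirrors the lines quoted in the thread above, so the script runs
offline; point triage() at a real C:\\ComboFix.txt to use it for real.
"""
import re

# Constructed excerpt: the three indicators copied from the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msapdm32.exe,"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

scanning hidden files ...


c:\windows\system32\msapdm32.exe 229376 bytes

scan completed successfully
hidden files: 1
"""

# The only value a stock Windows XP install should have in Userinit.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"


def parse_userinit(log):
    """Return every Userinit entry other than the stock userinit.exe.

    Winlogon runs each comma-separated entry at logon, so anything extra
    here is a persistence mechanism that survives most 'delete the Run
    key' cleanups.
    """
    m = re.search(r'^"Userinit"="([^"]*)"', log, re.MULTILINE)
    if not m:
        return []
    entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e != EXPECTED_USERINIT]


def firewall_disabled(log):
    """True when the standard-profile EnableFirewall value is 0."""
    m = re.search(r'^"EnableFirewall"=\s*(\d+)', log, re.MULTILINE)
    return bool(m) and m.group(1) == "0"


def hidden_files(log):
    """Parse the catchme 'scanning hidden files' section.

    Returns (path, size_in_bytes) tuples for each '<path> <n> bytes'
    line between the section header and 'scan completed'.
    """
    found = []
    in_section = False
    for line in log.splitlines():
        if line.startswith("scanning hidden files"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("scan completed"):
            break
        m = re.match(r"^(.+?) (\d+) bytes$", line.strip())
        if m:
            found.append((m.group(1).lower(), int(m.group(2))))
    return found


def hidden_file_count(log):
    """The count catchme prints after the scan, or None if absent."""
    m = re.search(r"^hidden files: (\d+)", log, re.MULTILINE)
    return int(m.group(1)) if m else None


def triage(log):
    """Combine the three checks into a list of (finding, detail) tuples."""
    findings = []
    extra = parse_userinit(log)
    for entry in extra:
        findings.append(("userinit-hijack", entry))
    if firewall_disabled(log):
        findings.append(("firewall-disabled", "standardprofile EnableFirewall=0"))
    hidden = hidden_files(log)
    for path, size in hidden:
        findings.append(("hidden-file", "%s (%d bytes)" % (path, size)))
    # A hidden file that is also launched by Winlogon is the strongest
    # signal in the log: user-mode stealth plus logon persistence.
    hidden_paths = {p for p, _ in hidden}
    for entry in extra:
        if entry in hidden_paths:
            findings.append(("hidden-userinit-entry", entry))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print("%-22s %s" % (kind, detail))
```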
#10 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • Gender:Male
  • Location:Jakarta, Indonesia

Posted 06 April 2010 - 04:53 AM

Hello alltrips,

Let's run another combofix script:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Rootkit::
c:\windows\system32\msapdm32.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • Combofix

Edited by Tokek, 06 April 2010 - 01:30 PM.

If I have not replied back to your post in 3 days, please send me a PM.


#11 alltrips

alltrips
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male

Posted 06 April 2010 - 02:43 PM

Hi Tokek

Have run the Rootkit CFscript, here is the new combofix log:


ComboFix 10-04-05.06 - Keith Lewis 06/04/2010 20:19:10.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.49 [GMT 1:00]
Running from: c:\documents and settings\Keith Lewis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Keith Lewis\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-03 01:25 . 2010-02-23 13:04 1664256 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-03-30 23:31 . 2010-03-30 23:31 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\AVG9
2010-03-24 03:16 . 2010-03-24 03:16 52224 ----a-w- c:\documents and settings\Keith Lewis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-24 03:16 . 2010-03-24 03:16 117760 ----a-w- c:\documents and settings\Keith Lewis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-24 03:15 . 2010-03-24 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-24 03:15 . 2010-03-24 03:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 03:15 . 2010-03-24 03:15 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\SUPERAntiSpyware.com
2010-03-24 03:14 . 2010-03-24 03:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-23 21:47 . 2010-03-23 21:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-23 21:47 . 2010-03-23 21:47 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 21:47 . 2010-03-23 21:47 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-23 21:47 . 2010-03-23 21:47 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-23 21:47 . 2010-03-23 21:47 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-23 21:47 . 2010-03-23 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-03-23 21:42 . 2010-03-23 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-23 21:34 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 21:34 . 2010-03-23 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 21:34 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 13:36 . 2010-03-23 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-20 14:04 . 2010-03-20 14:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-19 23:53 . 2010-03-19 23:53 -------- d-----w- c:\windows\system32\LogFiles
2010-03-19 23:43 . 2010-03-19 23:43 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\Malwarebytes
2010-03-19 23:43 . 2010-03-19 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-18 20:12 . 2010-03-18 20:12 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\Chief Architect X2
2010-03-18 20:01 . 2007-03-06 20:39 694272 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-03-18 20:01 . 2010-03-18 20:01 -------- d-----w- c:\program files\Common Files\Aladdin Shared
2010-03-18 20:01 . 2007-03-15 13:48 535807 ----a-w- c:\windows\system32\hasplms.exe
2010-03-18 20:01 . 2007-03-15 13:48 535807 ----a-w- c:\windows\system32\aksllmtp.exe
2010-03-18 20:01 . 2007-03-12 19:48 351744 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2010-03-18 19:59 . 2010-03-18 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Chief Architect X2
2010-03-17 19:33 . 2010-03-17 19:33 -------- d-----w- c:\documents and settings\Keith Lewis\Local Settings\Application Data\Help
2010-03-17 16:01 . 2010-03-17 16:01 -------- d-----w- C:\Punch! Master Landscape
2010-03-10 19:15 . 2010-03-10 19:15 -------- d-----w- c:\documents and settings\Keith Lewis\Local Settings\Application Data\HP
2010-03-10 19:11 . 2010-03-10 19:11 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 17:32 . 2010-02-14 12:27 33760 ----a-w- c:\documents and settings\Keith Lewis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-18 01:17 . 2010-02-18 01:16 -------- d-----w- c:\program files\Common Files\Java
2010-02-18 01:16 . 2010-02-18 01:16 61440 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-68de2eb0-n\decora-sse.dll
2010-02-18 01:16 . 2010-02-18 01:16 503808 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa78885-n\msvcp71.dll
2010-02-18 01:16 . 2010-02-18 01:16 499712 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa78885-n\jmc.dll
2010-02-18 01:16 . 2010-02-18 01:16 348160 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa78885-n\msvcr71.dll
2010-02-18 01:16 . 2010-02-18 01:16 12800 ----a-w- c:\documents and settings\Keith Lewis\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-68de2eb0-n\decora-d3d.dll
2010-02-18 01:16 . 2010-02-18 01:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-18 01:16 . 2010-02-18 01:16 -------- d-----w- c:\program files\Java
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\eBay
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WholeSecurity
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\eBay
2010-02-17 03:10 . 2010-02-17 03:10 -------- d-----w- c:\program files\eBay
2010-02-17 03:09 . 2010-02-17 03:09 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\InstallShield
2010-02-17 02:31 . 2010-02-17 02:31 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-02-17 02:25 . 2010-02-17 02:25 -------- d-----w- c:\program files\PC Inspector File Recovery
2010-02-17 02:19 . 2010-02-17 02:19 -------- d-----w- c:\program files\7-Zip
2010-02-17 02:12 . 2010-02-17 02:12 -------- d-----w- c:\program files\Alcohol Soft
2010-02-17 02:10 . 2010-02-17 02:10 -------- d-----w- c:\program files\CCleaner
2010-02-17 01:59 . 2010-02-17 01:50 141357 ----a-w- c:\windows\hpoins15.dat
2010-02-17 01:59 . 2010-02-17 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-02-17 01:57 . 2010-02-17 01:57 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\HPAppData
2010-02-17 01:56 . 2010-02-17 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-02-17 01:56 . 2010-02-17 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-02-17 01:56 . 2010-02-17 01:55 -------- d-----w- c:\program files\Common Files\HP
2010-02-17 01:55 . 2010-02-17 01:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-17 01:55 . 2010-02-17 01:55 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-02-17 01:54 . 2010-02-17 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-02-17 01:53 . 2010-02-17 01:53 -------- d-----w- c:\program files\HP
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\AdobeUM
2010-02-17 01:13 . 2010-02-17 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-02-17 01:13 . 2010-02-17 01:13 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-02-17 01:11 . 2010-02-17 01:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-17 00:13 . 2010-02-17 00:13 -------- d-----w- c:\program files\MSBuild
2010-02-17 00:11 . 2010-02-17 00:11 -------- d-----w- c:\program files\Reference Assemblies
2010-02-16 23:29 . 2010-02-16 23:29 -------- d-----w- c:\program files\AVG
2010-02-16 22:34 . 2010-02-16 22:26 81920 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-16 22:34 . 2010-02-16 22:26 221184 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-16 22:31 . 2010-02-16 22:31 -------- d-----w- c:\program files\Creative
2010-02-16 22:26 . 2010-02-16 22:26 -------- d-----w- c:\documents and settings\Keith Lewis\Application Data\Creative
2010-02-14 12:24 . 2003-01-17 06:49 77155 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-14 11:09 . 2010-02-14 11:09 0 --sha-r- c:\windows\system32\drivers\TOSHIBA_Satellite 2450_00737000-4B_PS245E-022MY.MRK
2010-02-02 17:00 . 2010-02-17 02:31 85504 ----a-w- c:\windows\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 13:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"Creative MediaSource Go"="c:\program files\Creative\MediaSource\Go\CTCMSGo.exe" [2004-11-30 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"nwiz"="nwiz.exe" [2002-12-12 438272]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2002-11-14 40960]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-01-14 249856]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"Tpwrtray"="TPWRTRAY.EXE" [2003-01-14 221184]
"TMESBS.EXE"="c:\program files\TOSHIBA\TME3\TMESBS32.EXE" [2003-01-08 57344]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2001-08-03 73728]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-09-09 49152]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-12-04 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-12-04 569344]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2002-08-09 122880]
"NDSTray.exe"="c:\program files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 458752]
"CTHelper"="CTHELPER.EXE" [2005-02-17 14848]
"CTSysVol"="c:\program files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTFeatureModeUtility"="c:\program files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe" [2005-01-10 81920]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-03-19 632048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-2-17 25214]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msapdm32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-23 21:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:i-Catcher
"8080:UDP"= 8080:UDP:i-Catcher

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/03/2010 22:47 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/03/2010 22:47 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10:15 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [23/03/2010 22:45 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [23/03/2010 22:45 308064]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [17/01/2003 09:22 57344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [23/03/2010 22:47 369920]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [31/01/2005 06:31 159104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10:15 12872]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [17/01/2003 09:15 156672]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [17/02/2010 03:12 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [17/02/2010 03:12 5248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 20:30
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(360)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\windows\system32\hasplms.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\TPWRTRAY.EXE
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TFNF5.exe
c:\windows\CTHELPER.EXE
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-04-06 20:32:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 19:32
ComboFix2.txt 2010-04-03 17:16
ComboFix3.txt 2010-03-30 23:57

Pre-Run: 150,804,725,760 bytes free
Post-Run: 150,775,332,864 bytes free

- - End Of File - - 951E471CB99D5A64B3A7C440404564F3



Good PC Techs are those that say they know everything, GREAT PC Techs are those that know WHERE to Find Everything.
So for GREAT PC Techs come to http://www.bleepingcomputer.com

#12 Tokek
    Bleepin' Gecko
  • Members
  • 1,213 posts
  • Gender:Male
  • Location:Jakarta, Indonesia

Posted 07 April 2010 - 08:19 AM

Hello alltrips,

We're going to update and run a scan with Malwarebytes' Anti-Malware that you already have installed:
  • Make sure you are connected to the Internet.
  • Launch Malwarebytes' Anti-Malware.
  • Once the program is started, click the Update tab.
  • Click the Check for Updates button in order to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

In your next reply, please include the following:
  • MBAM log
  • a new DDS log

If I have not replied back to your post in 3 days, please send me a PM.


#13 alltrips
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male

Posted 07 April 2010 - 10:41 AM

Hi Tokek

I have updated MBAM and performed a quick scan followed by a new DDS scan; here are the requested logs:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

07/04/2010 16:28:28
mbam-log-2010-04-07 (16-28-28).txt

Scan type: Quick scan
Objects scanned: 106782
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-----------------------------------------------------------------------------------------



DDS (Ver_10-03-17.01) - FAT32x86
Run by Keith Lewis at 16:31:16.68 on 07/04/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.144 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Keith Lewis\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\msapdm32.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource\go\CTCMSGo.exe" /SCB
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet
mRun: [PmProxy] c:\program files\analog devices\soundmax\PmProxy.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [TMESBS.EXE] c:\program files\toshiba\tme3\TMESBS32.EXE /Client
mRun: [TFncKy] TFncKy.exe /Type 28
mRun: [TFNF5] TFNF5.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTSysVol] "c:\program files\creative\sound blaster audigy 2\surround mixer\CTSysVol.exe" /r
mRun: [CTFeatureModeUtility] c:\program files\creative\sound blaster audigy 2\feature mode utility\CTModUtl.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-23 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-23 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-23 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-23 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-23 308064]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Tmesbs;Tmesbs32;c:\program files\toshiba\tme3\tmesbs32.exe [2003-1-17 57344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-3-23 369920]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [2005-1-31 159104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [2003-1-17 156672]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2010-2-17 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2010-2-17 5248]

=============== Created Last 30 ================

2010-03-30 23:38:17 0 d-sha-r- C:\cmdcons
2010-03-30 23:34:58 98816 ----a-w- c:\windows\sed.exe
2010-03-30 23:34:58 77312 ----a-w- c:\windows\MBR.exe
2010-03-30 23:34:58 261632 ----a-w- c:\windows\PEV.exe
2010-03-30 23:34:58 161792 ----a-w- c:\windows\SWREG.exe
2010-03-30 23:31:10 0 d-----w- c:\docume~1\keithl~1\applic~1\AVG9
2010-03-24 20:42:11 54 ----a-w- c:\documents and settings\keith lewis\defogger_reenable
2010-03-24 03:22:28 4958588 ----a-w- c:\windows\{00000004-00000000-00000000-00001102-00000008-20011102}.BAK
2010-03-24 03:15:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-24 03:15:14 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 03:15:14 0 d-----w- c:\docume~1\keithl~1\applic~1\SUPERAntiSpyware.com
2010-03-24 03:14:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-23 21:47:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-23 21:47:23 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 21:47:15 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-23 21:47:10 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-23 21:47:06 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-03-23 21:42:46 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-23 21:34:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 21:34:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 21:34:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 13:36:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-19 23:53:44 0 d-----w- c:\windows\system32\LogFiles
2010-03-19 23:43:24 0 d-----w- c:\docume~1\keithl~1\applic~1\Malwarebytes
2010-03-19 23:43:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-18 20:12:46 0 d-----w- c:\docume~1\keithl~1\applic~1\Chief Architect X2
2010-03-18 20:01:36 694272 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-03-18 20:01:35 0 d-----w- c:\program files\common files\Aladdin Shared
2010-03-18 20:01:34 535807 ----a-w- c:\windows\system32\hasplms.exe
2010-03-18 20:01:34 535807 ----a-w- c:\windows\system32\aksllmtp.exe
2010-03-18 20:01:33 351744 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2010-03-18 19:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Chief Architect X2
2010-03-17 16:01:06 0 d-----w- C:\Punch! Master Landscape

==================== Find3M ====================

2010-02-18 01:16:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-17 01:59:18 141357 ----a-w- c:\windows\hpoins15.dat
2010-02-16 22:34:30 81920 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-16 22:34:30 221184 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-14 11:09:54 0 --sha-r- c:\windows\system32\drivers\TOSHIBA_Satellite 2450_00737000-4B_PS245E-022MY.MRK
2010-02-02 17:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll

============= FINISH: 16:32:53.36 ===============




#14 Tokek
    Bleepin' Gecko
  • Members
  • 1,213 posts
  • Gender:Male
  • Location:Jakarta, Indonesia

Posted 09 April 2010 - 01:03 AM

Hello alltrips,

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



In your next reply, please include the following:
  • Kaspersky log
  • a new DDS log

If I have not replied back to your post in 3 days, please send me a PM.


#15 alltrips
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male

Posted 09 April 2010 - 04:06 PM

Hi Tokek

I have finally managed to run the Kaspersky Online Scanner after some difficulty with my laptop's CPU running at a constant 100% usage, which prevented the program/database files and updates from being downloaded. I kept getting the following message:

[Attached file: Error.JPG]

Prior to starting the scanner for a third attempt, I opened Task Manager and found that there were two processes, "AVGCSRVX.EXE" and "AVGRSX.EXE", running at a combined total of 70-75%, which, when put together with the process for Internet Explorer, may be where the CPU usage was being topped out, as shown in this image:

[Attached file: TaskMan_1.JPG]

I also noticed that there are two versions of "AVGCSRVX.EXE" in the process list, one being 5,444K in size using 00 CPU, the other 344K in size using 40+ CPU, as shown in this image:

[Attached file: TaskMan_2.JPG]

I stopped these two processes from within Task Manager, then went back to the Kaspersky Online Scanner and followed your instructions; this time the program and databases downloaded rapidly and without interruption or error.


Here are the two requested logs:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, April 9, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, April 09, 2010 14:42:47
Records in database: 3927891
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
E:\
G:\

Scan statistics:
Objects scanned: 55484
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 01:05:34


File name / Threat / Threats count
C:\WINDOWS\Temp\5.tmp Infected: Trojan.Win32.Agent2.cqch 1
C:\Qoobox\Quarantine\[4]-Submit_2010-04-03_18.01.08.zip Infected: Trojan.Win32.Sasfis.akhy 1

Selected area has been scanned.


-------------------------------------------------------------------------------------------------------------


DDS (Ver_10-03-17.01) - FAT32x86
Run by Keith Lewis at 17:01:30.38 on 09/04/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.357 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Keith Lewis\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\msapdm32.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource\go\CTCMSGo.exe" /SCB
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet
mRun: [PmProxy] c:\program files\analog devices\soundmax\PmProxy.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [TMESBS.EXE] c:\program files\toshiba\tme3\TMESBS32.EXE /Client
mRun: [TFncKy] TFncKy.exe /Type 28
mRun: [TFNF5] TFNF5.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTSysVol] "c:\program files\creative\sound blaster audigy 2\surround mixer\CTSysVol.exe" /r
mRun: [CTFeatureModeUtility] c:\program files\creative\sound blaster audigy 2\feature mode utility\CTModUtl.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: chrome.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: firefox.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: RapportMgmtService.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: RapportService.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: safari.exe - ZASRAKOMONDOHUI31338.EXE

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-23 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-23 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-23 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-23 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-23 308064]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Tmesbs;Tmesbs32;c:\program files\toshiba\tme3\tmesbs32.exe [2003-1-17 57344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-3-23 369920]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [2005-1-31 159104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [2003-1-17 156672]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2010-2-17 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2010-2-17 5248]

=============== Created Last 30 ================

2010-04-09 09:42:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-09 09:35:22 0 d-sh--w- C:\Recycled
2010-03-30 23:38:17 0 d-sha-r- C:\cmdcons
2010-03-30 23:34:58 98816 ----a-w- c:\windows\sed.exe
2010-03-30 23:34:58 77312 ----a-w- c:\windows\MBR.exe
2010-03-30 23:34:58 261632 ----a-w- c:\windows\PEV.exe
2010-03-30 23:34:58 161792 ----a-w- c:\windows\SWREG.exe
2010-03-30 23:31:10 0 d-----w- c:\docume~1\keithl~1\applic~1\AVG9
2010-03-24 20:42:11 54 ----a-w- c:\documents and settings\keith lewis\defogger_reenable
2010-03-24 03:22:28 4958588 ----a-w- c:\windows\{00000004-00000000-00000000-00001102-00000008-20011102}.BAK
2010-03-24 03:15:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-24 03:15:14 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 03:15:14 0 d-----w- c:\docume~1\keithl~1\applic~1\SUPERAntiSpyware.com
2010-03-24 03:14:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-23 21:47:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-23 21:47:23 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 21:47:15 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-23 21:47:10 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-23 21:47:06 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-03-23 21:42:46 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-23 21:34:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 21:34:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 21:34:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 13:36:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-19 23:53:44 0 d-----w- c:\windows\system32\LogFiles
2010-03-19 23:43:24 0 d-----w- c:\docume~1\keithl~1\applic~1\Malwarebytes
2010-03-19 23:43:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-18 20:12:46 0 d-----w- c:\docume~1\keithl~1\applic~1\Chief Architect X2
2010-03-18 20:01:36 694272 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-03-18 20:01:35 0 d-----w- c:\program files\common files\Aladdin Shared
2010-03-18 20:01:34 535807 ----a-w- c:\windows\system32\hasplms.exe
2010-03-18 20:01:34 535807 ----a-w- c:\windows\system32\aksllmtp.exe
2010-03-18 20:01:33 351744 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2010-03-18 19:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Chief Architect X2
2010-03-17 16:01:06 0 d-----w- C:\Punch! Master Landscape

==================== Find3M ====================

2010-04-09 09:42:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-17 01:59:18 141357 ----a-w- c:\windows\hpoins15.dat
2010-02-16 22:34:30 81920 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-16 22:34:30 221184 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-14 11:09:54 0 --sha-r- c:\windows\system32\drivers\TOSHIBA_Satellite 2450_00737000-4B_PS245E-022MY.MRK
2010-02-02 17:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll

============= FINISH: 17:02:44.81 ===============




Good PC Techs are those that say they know everything, GREAT PC Techs are those that know WHERE to Find Everything.
So for GREAT PC Techs come to http://www.bleepingcomputer.com