
rootkit / malware infection


  • Please log in to reply
29 replies to this topic

#1 udwm995

udwm995

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:Perth, Australia
  • Local time:03:41 AM

Posted 03 April 2010 - 03:04 AM

Hi there, I've been having troubles with my computer and after discussing my problem and running a few scans etc., I've been referred here by the person who was helping me and asked to post a link back to that forum for the experts to see.
http://www.bleepingcomputer.com/forums/t/305647/redirectingpop-upshave-cleaned-comp-but-still-infected/
Here are the logs I neglected (apologies) to post the first time:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Woodsy at 15:43:42.24 on Sat 03/04/2010
Internet Explorer: 7.0.6000.16982
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.61.1033.18.1021.187 [GMT 8:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.11.21\BigPond_CM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\explorer.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Windows\system32\taskeng.exe
C:\Users\Woodsy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.telstra.com/
uStart Page = hxxp://www.google.com/
uWindow Title = Telstra BigPond Home Internet Explorer
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [TOY5KNQ8OC] c:\users\woodsy\appdata\local\temp\Erh.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [BigPondWirelessBroadbandCM] "c:\program files\telstra\bigpond wireless broadband 2.11.21\BigPond_CM.exe" -tsr
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\users\woodsy\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.164.112,93.188.166.42
TCP: {A05B52E7-61A2-464C-B16B-60A808AABA85} = 93.188.164.112,93.188.166.42
TCP: {D13392CA-95CE-4815-8762-802B42997BD5} = 93.188.164.112,93.188.166.42
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-19 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-19 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-19 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-19 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-19 308064]
R3 IAMTV;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTV.sys [2008-1-14 38280]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-3-15 110080]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-3-19 369920]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-3-15 7168]

=============== Created Last 30 ================

2010-04-03 07:40:40 0 ----a-w- c:\users\woodsy\defogger_reenable
2010-04-01 03:56:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-01 03:56:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 13:57:02 0 d-----w- c:\program files\common files\DivX Shared
2010-03-28 13:54:04 0 d-----w- c:\programdata\DivX
2010-03-19 20:10:05 0 d-----w- c:\program files\Microsoft Games
2010-03-19 06:42:17 0 d--h--w- C:\$AVG
2010-03-19 05:23:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-19 05:23:34 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-19 05:23:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-19 05:23:14 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-19 05:23:08 0 d-----w- c:\programdata\AVG Security Toolbar
2010-03-19 05:22:27 0 d-----w- c:\programdata\avg9
2010-03-19 03:22:53 200432 ----a-w- c:\windows\system32\drivers\dwshd.sys
2010-03-19 03:22:49 21560 ----a-w- c:\windows\system32\drivers\drw6F56.tmp
2010-03-19 03:05:51 68088 ----a-w- c:\windows\system32\drivers\spiderg3.sys
2010-03-19 03:03:50 72184 ----a-w- c:\windows\system32\drivers\DrWebPF.sys
2010-03-19 03:03:43 83064 ----a-w- c:\windows\system32\drivers\drwebaf.sys
2010-03-19 01:04:48 0 d-----w- c:\programdata\Symantec
2010-03-19 01:04:48 0 d-----w- c:\programdata\Norton
2010-03-19 01:03:57 0 d-----w- c:\programdata\NortonInstaller
2010-03-19 01:00:24 0 d-----w- c:\users\woodsy\appdata\roaming\aAvgApi
2010-03-19 00:14:58 0 d-----w- c:\programdata\Sunbelt
2010-03-17 15:28:43 0 d-----w- c:\programdata\ATI
2010-03-17 14:06:25 0 d-----w- c:\program files\Nero
2010-03-17 08:16:15 0 d-----w- c:\users\woodsy\appdata\roaming\LimeWire
2010-03-17 06:23:07 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-17 05:26:48 0 d-----w- c:\users\woodsy\appdata\roaming\Malwarebytes
2010-03-17 05:26:31 0 d-----w- c:\programdata\Malwarebytes
2010-03-17 05:26:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 10:20:31 0 d-----w- c:\users\woodsy\appdata\roaming\VistaCodecs
2010-03-16 10:20:23 0 d-----w- c:\program files\VistaCodecPack
2010-03-16 08:33:54 0 d-----w- c:\programdata\Sun
2010-03-16 08:32:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 08:20:20 0 d-----w- c:\program files\LimeWire
2010-03-16 06:54:08 0 d-----w- c:\users\woodsy\appdata\roaming\BitTorrent
2010-03-16 06:53:31 0 d-----w- c:\program files\BitTorrent
2010-03-16 06:34:19 0 d-----w- c:\programdata\PC Drivers HeadQuarters
2010-03-15 17:23:28 229888 ----a-w- c:\windows\system32\msshsq.dll
2010-03-15 15:24:00 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-03-15 15:21:07 268800 ----a-w- c:\windows\system32\es.dll
2010-03-15 04:04:13 1585664 ----a-w- c:\windows\system32\setupapi.dll
2010-03-15 03:59:44 549888 ----a-w- c:\windows\system32\rpcss.dll
2010-03-15 03:59:41 654336 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2010-03-15 03:59:41 24576 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2010-03-15 03:59:40 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-03-15 03:59:40 501760 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2010-03-15 03:59:40 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2010-03-15 03:59:40 130560 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2010-03-15 03:59:38 97280 ----a-w- c:\windows\system32\iasrecst.dll
2010-03-15 03:59:38 53248 ----a-w- c:\windows\system32\iasads.dll
2010-03-15 03:59:38 37888 ----a-w- c:\windows\system32\iasdatastore.dll
2010-03-15 03:59:38 158720 ----a-w- c:\windows\system32\sdohlp.dll
2010-03-15 03:58:05 3502168 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-15 03:58:04 3467848 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-15 03:56:28 25600 ----a-w- c:\windows\system32\amxread.dll
2010-03-15 03:56:28 14848 ----a-w- c:\windows\system32\apilogen.dll
2010-03-15 03:55:32 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2010-03-15 03:55:30 712192 ----a-w- c:\windows\system32\WindowsCodecs.dll
2010-03-15 03:55:28 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2010-03-15 03:54:39 441856 ----a-w- c:\windows\system32\win32spl.dll
2010-03-15 03:54:39 37376 ----a-w- c:\windows\system32\printcom.dll
2010-03-15 03:54:01 2031104 ----a-w- c:\windows\system32\win32k.sys
2010-03-15 03:52:53 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-03-15 03:52:53 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2010-03-15 03:51:27 43520 ----a-w- c:\windows\system32\msdxm.tlb
2010-03-15 03:51:27 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-03-15 03:51:27 18432 ----a-w- c:\windows\system32\amcompat.tlb
2010-03-15 03:47:40 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-03-15 03:47:35 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-15 03:47:32 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-15 03:47:24 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-15 03:47:21 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-15 03:47:07 472576 ----a-w- c:\windows\system32\secproc.dll
2010-03-15 03:47:02 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-15 03:46:44 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-15 03:46:40 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-15 00:10:55 4152184 ----a-w- c:\windows\system32\wgaer_m.exe
2010-03-15 00:10:55 1303 ----a-w- c:\windows\system32\WGAScanner.xml
2010-03-14 23:11:47 27072 ----a-w- c:\windows\system32\drivers\PCASp50.sys
2010-03-14 23:11:22 104960 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2010-03-14 23:11:21 104960 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2010-03-14 23:11:17 110080 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2010-03-14 23:11:17 104960 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2010-03-14 23:11:16 7168 ----a-w- c:\windows\system32\drivers\massfilter.sys
2010-03-14 23:10:56 0 d-----w- c:\program files\Telstra
2010-03-14 20:55:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-03-14 20:55:47 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-03-14 20:55:46 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-03-14 20:55:46 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-03-14 20:55:46 24064 ----a-w- c:\windows\system32\lpk.dll
2010-03-14 20:55:46 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-03-14 20:48:46 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-03-14 20:48:46 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2010-03-14 20:48:46 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2010-03-14 20:48:46 272896 ----a-w- c:\windows\system32\polstore.dll
2010-03-14 20:47:36 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-03-14 20:47:36 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-03-14 20:46:23 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-03-14 20:46:23 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-03-14 20:46:23 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-03-14 20:44:22 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-03-14 20:44:22 15360 ----a-w- c:\windows\system32\netevent.dll
2010-03-14 20:44:22 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-03-14 20:44:21 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-03-14 20:44:21 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-03-14 20:44:21 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-03-14 20:44:21 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-03-14 20:44:21 103936 ----a-w- c:\windows\system32\netiohlp.dll
2010-03-14 20:44:21 10240 ----a-w- c:\windows\system32\finger.exe
2010-03-14 20:42:34 194560 ----a-w- c:\windows\system32\WebClnt.dll
2010-03-14 20:42:34 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2010-03-14 20:41:21 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2010-03-14 20:41:20 1657350 ----a-w- c:\windows\system32\wlan.tmf
2010-03-14 20:41:19 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2010-03-14 20:41:19 47104 ----a-w- c:\windows\system32\wlanapi.dll
2010-03-14 20:41:19 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2010-03-14 20:41:18 502272 ----a-w- c:\windows\system32\wlansvc.dll
2010-03-14 20:41:18 297984 ----a-w- c:\windows\system32\wlansec.dll
2010-03-14 20:39:54 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-03-14 20:39:54 1260032 ----a-w- c:\windows\system32\msxml3.dll
2010-03-14 20:39:53 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-03-14 20:39:53 1406464 ----a-w- c:\windows\system32\msxml6.dll
2010-03-14 20:38:31 216576 ----a-w- c:\windows\system32\msv1_0.dll
2010-03-14 20:36:29 2855424 ----a-w- c:\windows\system32\mf.dll
2010-03-14 20:36:28 98816 ----a-w- c:\windows\system32\mfps.dll
2010-03-14 20:36:28 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2010-03-14 20:36:28 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-03-14 20:36:28 2048 ----a-w- c:\windows\system32\mferror.dll
2010-03-14 20:34:04 71680 ----a-w- c:\windows\system32\atl.dll
2010-03-14 20:32:58 297472 ----a-w- c:\windows\system32\gdi32.dll
2010-03-14 20:31:57 1060920 ----a-w- c:\windows\system32\drivers\ntfs.sys
2010-03-14 20:31:56 41984 ----a-w- c:\windows\system32\drivers\monitor.sys
2010-03-14 20:29:19 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2010-03-14 20:29:19 30208 ----a-w- c:\windows\system32\xolehlp.dll
2010-03-14 20:28:14 156160 ----a-w- c:\windows\system32\wkssvc.dll
2010-03-14 20:27:06 36352 ----a-w- c:\windows\system32\tsgqec.dll
2010-03-14 20:27:06 116736 ----a-w- c:\windows\system32\aaclient.dll
2010-03-14 20:27:05 1871872 ----a-w- c:\windows\system32\mstscax.dll
2010-03-14 20:25:50 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2010-03-14 20:23:37 713728 ----a-w- c:\windows\system32\timedate.cpl
2010-03-14 20:15:57 428032 ----a-w- c:\windows\system32\EncDec.dll
2010-03-14 20:15:57 177152 ----a-w- c:\windows\system32\mpg2splt.ax
2010-03-14 20:15:57 1244672 ----a-w- c:\windows\system32\mcmde.dll
2010-03-14 20:15:56 80896 ----a-w- c:\windows\system32\MSNP.ax
2010-03-14 20:15:56 68608 ----a-w- c:\windows\system32\Mpeg2Data.ax
2010-03-14 20:15:56 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2010-03-14 20:15:56 292352 ----a-w- c:\windows\system32\psisdecd.dll
2010-03-14 20:15:56 217088 ----a-w- c:\windows\system32\psisrndr.ax
2010-03-14 20:11:02 2048 ----a-w- c:\windows\system32\tzres.dll
2010-03-14 20:09:42 696832 ----a-w- c:\windows\system32\localspl.dll
2010-03-14 20:06:41 45112 ----a-w- c:\windows\system32\drivers\pciidex.sys
2010-03-14 20:06:41 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-14 20:06:41 109624 ----a-w- c:\windows\system32\drivers\ataport.sys
2010-03-14 20:06:40 17464 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-03-14 20:06:38 154624 ----a-w- c:\windows\system32\drivers\nwifi.sys
2010-03-14 20:04:47 2923520 ----a-w- c:\windows\explorer.exe
2010-03-14 20:03:44 494592 ----a-w- c:\windows\system32\kerberos.dll
2010-03-14 20:03:43 7680 ----a-w- c:\windows\system32\lsass.exe
2010-03-14 20:03:43 72704 ----a-w- c:\windows\system32\secur32.dll
2010-03-14 20:03:43 408136 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-03-14 20:03:43 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-03-14 20:03:42 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2010-03-14 20:03:41 272384 ----a-w- c:\windows\system32\schannel.dll
2010-03-14 20:02:24 24064 ----a-w- c:\windows\system32\netcfg.exe
2010-03-14 16:56:09 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-03-14 16:56:09 214104 ----a-w- c:\windows\system32\drivers\netio.sys
2010-03-14 16:56:09 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-03-14 16:56:06 816640 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-03-14 16:56:04 85504 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2010-03-14 16:56:04 543232 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2010-03-14 16:56:03 816 ----a-w- c:\windows\system32\wbem\WFP.MOF
2010-03-14 16:56:03 416768 ----a-w- c:\windows\system32\IKEEXT.DLL
2010-03-14 16:56:03 317440 ----a-w- c:\windows\system32\BFE.DLL
2010-03-14 16:50:59 0 d-----w- c:\windows\PCHEALTH
2010-03-14 16:18:33 901120 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.perf
2010-03-14 16:18:33 45711360 ----a-w- c:\windows\ocsetup_install_NetFx3.etl
2010-03-14 16:18:33 16384 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2010-03-14 16:07:31 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-03-14 16:07:19 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-14 16:06:48 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-03-14 16:06:45 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-03-14 16:06:44 83968 ----a-w- c:\windows\system32\mscories.dll
2010-03-14 15:28:09 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-03-14 15:28:01 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-03-14 15:27:58 1686528 ----a-w- c:\windows\system32\gameux.dll
2010-03-14 15:25:59 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2010-03-14 15:25:59 94720 ----a-w- c:\windows\system32\logagent.exe
2010-03-14 15:25:12 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-03-14 15:25:12 737792 ----a-w- c:\windows\system32\inetcomm.dll
2010-03-14 15:24:31 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-03-14 15:23:51 1645568 ----a-w- c:\windows\system32\connect.dll
2010-03-14 15:23:07 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2010-03-14 15:21:05 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-14 15:21:05 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-14 15:21:04 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-14 15:16:08 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-03-14 15:15:26 274432 ----a-w- c:\windows\system32\raschap.dll
2010-03-14 15:15:25 232960 ----a-w- c:\windows\system32\rastls.dll
2010-03-14 15:14:36 321536 ----a-w- c:\windows\system32\WSDApi.dll
2010-03-14 15:13:54 99840 ----a-w- c:\windows\system32\poqexec.exe
2010-03-14 15:11:10 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-03-14 15:11:10 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-03-14 15:11:10 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-03-14 15:11:09 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-03-14 15:11:09 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-03-14 15:11:08 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-03-14 15:11:08 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-03-14 15:11:06 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-03-14 15:11:04 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-03-14 15:11:03 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-03-14 15:09:44 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-03-14 15:08:11 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2010-03-14 15:08:04 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-03-14 15:08:03 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-03-14 15:08:02 4096 ----a-w- c:\windows\system32\msdxm.ocx
2010-03-14 15:07:43 311296 ----a-w- c:\windows\system32\unregmp2.exe
2010-03-14 15:04:42 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-03-14 15:04:42 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-03-14 13:39:42 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-03-14 13:38:43 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-03-14 13:38:14 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-03-14 13:38:14 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-03-14 13:32:16 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll

==================== Find3M ====================

2010-03-19 20:04:59 969216 ----a-w- c:\windows\system32\cryptui.dll
2010-03-19 04:39:34 87608 ----a-w- c:\users\woodsy\appdata\roaming\inst.exe
2010-03-19 04:39:34 47360 ----a-w- c:\users\woodsy\appdata\roaming\pcouffin.sys
2010-03-19 03:05:32 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-19 03:05:31 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-03-19 03:05:31 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-17 12:58:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-15 00:19:47 174 --sha-w- c:\program files\desktop.ini
2010-03-14 20:51:47 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-14 20:51:43 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-14 20:51:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-14 20:51:33 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-03-14 20:51:25 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-14 20:51:21 56320 ----a-w- c:\windows\system32\iesetup.dll
2010-03-14 15:03:42 16710176 ----a-w- c:\windows\fonts\meiryo.ttc
2010-03-14 15:03:35 17159388 ----a-w- c:\windows\fonts\meiryob.ttc
2010-02-11 07:42:22 4450816 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-02-11 05:32:36 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-02-11 05:30:38 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-02-11 05:30:20 348160 ----a-w- c:\windows\system32\atipdlxx.dll
2010-02-11 05:30:06 274432 ----a-w- c:\windows\system32\Oemdspif.dll
2010-02-11 05:29:58 12288 ----a-w- c:\windows\system32\atimuixx.dll
2010-02-11 05:29:50 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-02-11 05:29:38 278528 ----a-w- c:\windows\system32\Ati2evxx.dll
2010-02-11 05:28:32 733184 ----a-w- c:\windows\system32\Ati2evxx.exe
2010-02-11 05:17:14 3839488 ----a-w- c:\windows\system32\atiumdag.dll
2010-02-11 05:00:38 4946432 ----a-w- c:\windows\system32\atiumdva.dll
2010-02-11 04:58:04 11513856 ----a-w- c:\windows\system32\atioglxx.dll
2010-02-11 04:49:00 51712 ----a-w- c:\windows\system32\amdpcom32.dll
2010-02-11 04:48:28 135168 ----a-w- c:\windows\system32\atiadlxx.dll
2010-02-11 04:43:56 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-02-11 04:43:44 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-02-11 04:42:40 3235840 ----a-w- c:\windows\system32\aticaldd.dll
2010-02-11 04:34:44 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-01-27 18:09:54 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-11-22 14:58:11 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:45:05.87 ===============

Attached Files



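The "Pseudo HJT Report" section of a DDS log is the part a responder reads first: autorun entries (uRun/mRun), startup-folder shortcuts, toolbars whose file is gone, and the DNS servers the machine has been handed. The following is an added triage script, not part of this thread and not part of the DDS tool; it applies a few heuristics of my own to that section and flags entries worth a closer look. The sample report is a constructed subset of lines copied from the log above, and the `expected_ns` allowlist of resolvers is an assumption the responder supplies (for example the ISP's published DNS servers); any nameserver outside it is reported for verification, not declared malicious.

```python
import re
from ipaddress import ip_address

# Constructed sample: a subset of the DDS "Pseudo HJT Report" lines posted above.
SAMPLE_REPORT = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [TOY5KNQ8OC] c:\users\woodsy\appdata\local\temp\Erh.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
StartupFolder: c:\users\woodsy\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
TCP: NameServer = 93.188.164.112,93.188.166.42
AppInit_DLLs: avgrsstx.dll
"""

# Line shapes used by DDS for the entries we care about.
RUN_RE = re.compile(r"^(?:u|m)Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: .+ - (?P<cmd>.+)$")
ORPHAN_TB_RE = re.compile(r"^TB: .*- No File$")
NS_RE = re.compile(r"^TCP: NameServer = (?P<ns>.+)$")
# Heuristic (my assumption): an all-caps alphanumeric run-key name with at
# least one digit and no extension looks machine-generated.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")


def _runs_from_temp(cmd: str) -> bool:
    """True when the command's executable lives under a ...\\temp\\ directory."""
    return "\\temp\\" in cmd.strip('"').lower()


def triage(report: str, expected_ns=frozenset()):
    """Return (kind, detail) findings for suspicious Pseudo-HJT entries."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if _runs_from_temp(cmd):
                findings.append(("autorun-from-temp", f"{name} -> {cmd.lower()}"))
            elif RANDOM_NAME_RE.match(name):
                findings.append(("autorun-random-name", f"{name} -> {cmd.lower()}"))
            continue

        m = STARTUP_RE.match(line)
        if m:
            if _runs_from_temp(m.group("cmd")):
                findings.append(("startup-from-temp", m.group("cmd").lower()))
            continue

        if ORPHAN_TB_RE.match(line):
            # A toolbar CLSID registered with no backing file: leftover of a
            # removed add-on or of an earlier cleanup; harmless but worth noting.
            findings.append(("orphan-toolbar", line))
            continue

        m = NS_RE.match(line)
        if m:
            for ns in (s.strip() for s in m.group("ns").split(",")):
                try:
                    ip_address(ns)
                except ValueError:
                    findings.append(("nameserver-unparsable", ns))
                    continue
                if ns not in expected_ns:
                    # Not in the responder-supplied allowlist: verify who owns it.
                    findings.append(("nameserver-unexpected", ns))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REPORT):
        print(f"{kind:22} {detail}")
```

Run it against a full DDS log by reading the file and passing the text to `triage`; the run-key and nameserver hits are the ones to take to the next step (submit the flagged executable for scanning, compare the resolvers against what the ISP actually assigns). The random-name rule is a rough heuristic and will miss renamed binaries in ordinary directories, so treat it as a prompt for manual review rather than a verdict.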

#2 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:03:41 PM

Posted 06 April 2010 - 07:24 PM

Hello

Welcome to the Bleeping Computer Malware Removal Forum

You do have a few issues going on malware-wise; so as not to confuse you, we will run just one scan at a time.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2







* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.


Just a reminder that threads will be closed if no response in 3 days


#3 udwm995

udwm995
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:Perth, Australia
  • Local time:03:41 AM

Posted 07 April 2010 - 05:03 PM

Hi, thanks for looking at my problem. Here is the ComboFix log. I'm in Australia so I might not reply straight away due to the time difference.

ComboFix 10-04-05.06 - Woodsy 07/04/2010 11:38:24.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.61.1033.18.1021.361 [GMT 8:00]
Running from: c:\users\Woodsy\Desktop\rename.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\users\Woodsy\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-01 03:56 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-01 03:56 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 13:54 . 2010-03-28 13:54 62776 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-03-28 13:54 . 2010-03-28 13:57 -------- d-----w- c:\programdata\DivX
2010-03-19 20:10 . 2010-03-19 20:11 -------- d-----w- c:\program files\Microsoft Games
2010-03-19 06:42 . 2010-03-19 06:42 -------- d-----w- C:\$AVG
2010-03-19 05:23 . 2010-03-19 05:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-19 05:23 . 2010-03-19 05:23 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-19 05:23 . 2010-03-19 05:23 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-19 05:23 . 2010-03-19 05:23 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-19 05:23 . 2010-04-06 10:48 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-19 05:23 . 2010-03-19 05:23 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-03-19 05:22 . 2010-03-19 05:22 -------- d-----w- c:\programdata\avg9
2010-03-19 03:22 . 2010-03-19 03:55 200432 ----a-w- c:\windows\system32\drivers\dwshd.sys
2010-03-19 03:05 . 2010-03-19 02:56 68088 ----a-w- c:\windows\system32\drivers\spiderg3.sys
2010-03-19 03:03 . 2010-03-19 02:56 72184 ----a-w- c:\windows\system32\drivers\DrWebPF.sys
2010-03-19 03:03 . 2010-03-19 02:56 83064 ----a-w- c:\windows\system32\drivers\drwebaf.sys
2010-03-19 01:04 . 2010-03-19 04:41 -------- d-----w- c:\programdata\Norton
2010-03-19 01:04 . 2010-03-19 01:04 -------- d-----w- c:\programdata\Symantec
2010-03-19 01:03 . 2010-03-19 01:03 -------- d-----w- c:\programdata\NortonInstaller
2010-03-19 01:00 . 2010-03-19 01:00 -------- d-----w- c:\users\Woodsy\AppData\Roaming\aAvgApi
2010-03-19 00:26 . 2010-03-19 00:26 -------- d-----w- c:\windows\BDOSCAN8
2010-03-19 00:14 . 2010-03-19 00:14 -------- d-----w- c:\programdata\Sunbelt
2010-03-17 15:28 . 2010-03-17 15:28 -------- d-----w- c:\programdata\ATI
2010-03-17 15:21 . 2010-03-17 15:21 10134 ----a-r- c:\users\Woodsy\AppData\Roaming\Microsoft\Installer\{9DBCF44B-77AC-81D8-0F8E-1E60D6330AC2}\ARPPRODUCTICON.exe
2010-03-17 14:06 . 2010-03-17 14:06 -------- d-----w- c:\program files\Nero
2010-03-17 13:53 . 2010-03-17 13:54 -------- d-----w- c:\program files\CyberLink
2010-03-17 06:23 . 2010-03-18 06:25 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-17 05:26 . 2010-03-17 05:26 -------- d-----w- c:\users\Woodsy\AppData\Roaming\Malwarebytes
2010-03-17 05:26 . 2010-03-17 05:26 -------- d-----w- c:\programdata\Malwarebytes
2010-03-17 05:26 . 2010-04-01 03:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 10:20 . 2010-03-16 10:20 -------- d-----w- c:\users\Woodsy\AppData\Roaming\VistaCodecs
2010-03-16 10:20 . 2010-03-16 10:20 -------- d-----w- c:\program files\VistaCodecPack
2010-03-16 08:54 . 2010-03-16 08:54 -------- d-----w- c:\users\Woodsy\AppData\Local\RadarSync
2010-03-16 08:33 . 2010-03-16 08:33 -------- d-----w- c:\program files\Common Files\Java
2010-03-16 08:32 . 2010-03-16 08:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 08:32 . 2010-03-16 08:32 -------- d-----w- c:\program files\Java
2010-03-16 08:20 . 2010-03-17 08:15 -------- d-----w- c:\program files\LimeWire
2010-03-16 06:54 . 2010-03-16 07:16 -------- d-----w- c:\users\Woodsy\AppData\Roaming\BitTorrent
2010-03-16 06:53 . 2010-03-16 06:53 -------- d-----w- c:\program files\BitTorrent
2010-03-16 06:34 . 2010-03-16 06:34 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2010-03-15 17:23 . 2010-03-15 17:23 229888 ----a-w- c:\windows\system32\msshsq.dll
2010-03-15 15:24 . 2010-03-15 15:24 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-03-15 15:21 . 2010-03-15 15:21 268800 ----a-w- c:\windows\system32\es.dll
2010-03-15 04:04 . 2010-03-15 04:04 1585664 ----a-w- c:\windows\system32\setupapi.dll
2010-03-15 03:59 . 2010-03-15 03:59 549888 ----a-w- c:\windows\system32\rpcss.dll
2010-03-15 03:59 . 2010-03-15 03:59 654336 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2010-03-15 03:59 . 2010-03-15 03:59 24576 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2010-03-15 03:59 . 2010-03-15 03:59 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-03-15 03:59 . 2010-03-15 03:59 501760 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2010-03-15 03:59 . 2010-03-15 03:59 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2010-03-15 03:59 . 2010-03-15 03:59 130560 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2010-03-15 03:59 . 2010-03-15 03:59 97280 ----a-w- c:\windows\system32\iasrecst.dll
2010-03-15 03:59 . 2010-03-15 03:59 53248 ----a-w- c:\windows\system32\iasads.dll
2010-03-15 03:59 . 2010-03-15 03:59 37888 ----a-w- c:\windows\system32\iasdatastore.dll
2010-03-15 03:59 . 2010-03-15 03:59 158720 ----a-w- c:\windows\system32\sdohlp.dll
2010-03-15 03:58 . 2010-03-15 03:58 3502168 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-15 03:58 . 2010-03-15 03:58 3467848 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-15 03:56 . 2010-03-15 03:56 25600 ----a-w- c:\windows\system32\amxread.dll
2010-03-15 03:56 . 2010-03-15 03:56 14848 ----a-w- c:\windows\system32\apilogen.dll
2010-03-15 03:55 . 2010-03-15 03:55 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2010-03-15 03:55 . 2010-03-15 03:55 712192 ----a-w- c:\windows\system32\WindowsCodecs.dll
2010-03-15 03:55 . 2010-03-15 03:55 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2010-03-15 03:54 . 2010-03-15 03:54 441856 ----a-w- c:\windows\system32\win32spl.dll
2010-03-15 03:54 . 2010-03-15 03:54 37376 ----a-w- c:\windows\system32\printcom.dll
2010-03-15 03:54 . 2010-03-15 03:54 2031104 ----a-w- c:\windows\system32\win32k.sys
2010-03-15 03:52 . 2010-03-15 03:52 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-03-15 03:52 . 2010-03-15 03:52 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2010-03-15 03:51 . 2010-03-15 03:51 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-03-15 03:47 . 2010-03-15 03:47 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-03-15 03:47 . 2010-03-15 03:47 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-15 03:47 . 2010-03-15 03:47 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-15 03:47 . 2010-03-15 03:47 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-15 03:47 . 2010-03-15 03:47 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-15 03:47 . 2010-03-15 03:47 472576 ----a-w- c:\windows\system32\secproc.dll
2010-03-15 03:47 . 2010-03-15 03:47 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-15 03:46 . 2010-03-15 03:46 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-15 03:46 . 2010-03-15 03:46 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-15 00:10 . 2010-03-14 19:54 4152184 ----a-w- c:\windows\system32\wgaer_m.exe
2010-03-14 23:11 . 2008-06-27 01:52 27072 ----a-w- c:\windows\system32\drivers\PCASp50.sys
2010-03-14 23:11 . 2008-08-22 12:56 104960 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2010-03-14 23:11 . 2008-08-22 12:56 104960 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2010-03-14 23:11 . 2008-08-22 12:58 110080 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2010-03-14 23:11 . 2008-08-22 12:55 104960 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2010-03-14 23:11 . 2008-08-22 12:55 7168 ----a-w- c:\windows\system32\drivers\massfilter.sys
2010-03-14 23:10 . 2010-03-14 23:10 -------- d-----w- c:\program files\Telstra
2010-03-14 20:55 . 2010-03-14 20:55 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-03-14 20:55 . 2010-03-14 20:55 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-03-14 20:55 . 2010-03-14 20:55 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-03-14 20:55 . 2010-03-14 20:55 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-03-14 20:55 . 2010-03-14 20:55 24064 ----a-w- c:\windows\system32\lpk.dll
2010-03-14 20:55 . 2010-03-14 20:55 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-03-14 20:48 . 2010-03-14 20:48 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-03-14 20:48 . 2010-03-14 20:48 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2010-03-14 20:48 . 2010-03-14 20:48 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2010-03-14 20:48 . 2010-03-14 20:48 272896 ----a-w- c:\windows\system32\polstore.dll
2010-03-14 20:47 . 2010-03-14 20:47 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-03-14 20:47 . 2010-03-14 20:47 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-03-14 20:46 . 2010-03-14 20:46 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-03-14 20:46 . 2010-03-14 20:46 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-03-14 20:46 . 2010-03-14 20:46 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-03-14 20:44 . 2010-03-14 20:44 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-03-14 20:44 . 2010-03-14 20:44 15360 ----a-w- c:\windows\system32\netevent.dll
2010-03-14 20:44 . 2010-03-14 20:44 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-03-14 20:44 . 2010-03-14 20:44 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-03-14 20:44 . 2010-03-14 20:44 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-03-14 20:44 . 2010-03-14 20:44 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-03-14 20:44 . 2010-03-14 20:44 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-03-14 20:44 . 2010-03-14 20:44 103936 ----a-w- c:\windows\system32\netiohlp.dll
2010-03-14 20:44 . 2010-03-14 20:44 10240 ----a-w- c:\windows\system32\finger.exe
2010-03-14 20:42 . 2010-03-14 20:42 194560 ----a-w- c:\windows\system32\WebClnt.dll
2010-03-14 20:42 . 2010-03-14 20:42 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2010-03-14 20:41 . 2010-03-14 20:41 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2010-03-14 20:41 . 2010-03-14 20:41 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2010-03-14 20:41 . 2010-03-14 20:41 47104 ----a-w- c:\windows\system32\wlanapi.dll
2010-03-14 20:41 . 2010-03-14 20:41 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2010-03-14 20:41 . 2010-03-14 20:41 502272 ----a-w- c:\windows\system32\wlansvc.dll
2010-03-14 20:41 . 2010-03-14 20:41 297984 ----a-w- c:\windows\system32\wlansec.dll
2010-03-14 20:39 . 2010-03-14 20:39 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-03-14 20:39 . 2010-03-14 20:39 1260032 ----a-w- c:\windows\system32\msxml3.dll
2010-03-14 20:39 . 2010-03-14 20:39 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-03-14 20:39 . 2010-03-14 20:39 1406464 ----a-w- c:\windows\system32\msxml6.dll
2010-03-14 20:38 . 2010-03-14 20:38 216576 ----a-w- c:\windows\system32\msv1_0.dll
2010-03-14 20:36 . 2010-03-14 20:36 2855424 ----a-w- c:\windows\system32\mf.dll
2010-03-14 20:36 . 2010-03-14 20:36 98816 ----a-w- c:\windows\system32\mfps.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 03:19 . 2010-03-17 08:16 -------- d-----w- c:\users\Woodsy\AppData\Roaming\LimeWire
2010-03-30 02:27 . 2008-03-16 09:04 -------- d-----w- c:\program files\Common Files\Ahead
2010-03-28 13:57 . 2008-03-16 08:58 -------- d-----w- c:\program files\DivX
2010-03-28 13:57 . 2010-03-28 13:57 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-03-28 13:57 . 2010-03-28 13:57 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-03-28 13:57 . 2010-03-28 13:57 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-03-28 13:57 . 2010-03-28 13:57 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-03-28 13:57 . 2010-03-28 13:57 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-28 13:57 . 2010-03-28 13:57 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-03-28 13:57 . 2010-03-28 13:57 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-28 13:54 . 2010-03-28 13:57 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-03-28 13:53 . 2010-03-28 13:57 986904 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-03-19 20:04 . 2006-11-02 08:43 969216 ----a-w- c:\windows\system32\cryptui.dll
2010-03-19 05:22 . 2009-02-15 10:15 -------- d-----w- c:\program files\AVG
2010-03-19 04:39 . 2009-02-07 13:58 47360 ----a-w- c:\users\Woodsy\AppData\Roaming\pcouffin.sys
2010-03-19 04:39 . 2009-02-07 13:58 47360 ----a-w- c:\users\Woodsy\AppData\Roaming\pcouffin.sys
2010-03-19 04:39 . 2009-02-07 13:58 -------- d-----w- c:\users\Woodsy\AppData\Roaming\Vso
2010-03-19 03:22 . 2010-03-19 03:22 21560 ----a-w- c:\windows\system32\drivers\drw6F56.tmp
2010-03-17 15:27 . 2008-02-12 07:23 -------- d-----w- c:\program files\ATI Technologies
2010-03-17 13:54 . 2008-01-12 12:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-17 12:58 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-16 10:24 . 2008-05-13 12:30 -------- d-----w- c:\programdata\VistaCodecs
2010-03-16 10:04 . 2008-01-12 12:16 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-16 09:33 . 2008-02-12 07:32 1356 ----a-w- c:\users\Woodsy\AppData\Local\d3d9caps.dat
2010-03-15 03:56 . 2010-03-15 03:56 40960 ----a-w- c:\windows\AppPatch\apihex86.dll
2010-03-15 00:24 . 2008-01-11 11:23 48728 ----a-w- c:\users\Woodsy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-15 00:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-14 20:51 . 2010-03-14 20:51 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-14 20:51 . 2010-03-14 20:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-14 20:51 . 2010-03-14 20:51 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2010-03-14 20:51 . 2010-03-14 20:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-14 20:51 . 2010-03-14 20:51 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-03-14 20:51 . 2010-03-14 20:51 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-14 20:51 . 2010-03-14 20:51 56320 ----a-w- c:\windows\system32\iesetup.dll
2010-03-14 15:28 . 2010-03-14 15:28 2560 ----a-w- c:\windows\AppPatch\AcRes.dll
2010-03-14 15:28 . 2010-03-14 15:28 449024 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-03-14 15:28 . 2010-03-14 15:28 2143744 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-03-14 15:28 . 2010-03-14 15:28 537600 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-03-14 15:28 . 2010-03-14 15:28 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-02-11 07:42 . 2010-02-11 07:42 4450816 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-02-11 05:32 . 2010-02-11 05:32 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-02-11 05:30 . 2010-02-11 05:30 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-02-11 05:30 . 2010-02-11 05:30 348160 ----a-w- c:\windows\system32\atipdlxx.dll
2010-02-11 05:30 . 2010-02-11 05:30 274432 ----a-w- c:\windows\system32\Oemdspif.dll
2010-02-11 05:29 . 2010-02-11 05:29 12288 ----a-w- c:\windows\system32\atimuixx.dll
2010-02-11 05:29 . 2010-02-11 05:29 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-02-11 05:29 . 2010-02-11 05:29 278528 ----a-w- c:\windows\system32\Ati2evxx.dll
2010-02-11 05:28 . 2010-02-11 05:28 733184 ----a-w- c:\windows\system32\Ati2evxx.exe
2010-02-11 05:17 . 2010-02-11 05:17 3839488 ----a-w- c:\windows\system32\atiumdag.dll
2010-02-11 05:00 . 2010-02-11 05:00 4946432 ----a-w- c:\windows\system32\atiumdva.dll
2010-02-11 04:58 . 2010-02-11 04:58 11513856 ----a-w- c:\windows\system32\atioglxx.dll
2010-02-11 04:49 . 2010-02-11 04:49 51712 ----a-w- c:\windows\system32\amdpcom32.dll
2010-02-11 04:48 . 2010-02-11 04:48 135168 ----a-w- c:\windows\system32\atiadlxx.dll
2010-02-11 04:43 . 2010-02-11 04:43 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-02-11 04:43 . 2010-02-11 04:43 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-02-11 04:42 . 2010-02-11 04:42 3235840 ----a-w- c:\windows\system32\aticaldd.dll
2010-02-11 04:34 . 2010-02-11 04:34 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-01-27 18:09 . 2010-01-27 18:09 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 06:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-13 1006264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\BigPond Wireless Broadband 2.11.21\BigPond_CM.exe" [2008-10-22 2289664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]

c:\users\Woodsy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-11 503808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-02-23 369920]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-08-22 7168]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2008-08-22 110080]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-03-19 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-03-19 242696]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-19 916760]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-19 308064]
S3 IAMTV;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTV.sys [2006-10-18 38280]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
Notify-AtiExtEvent - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 11:47
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x8558C8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82b8bd1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> atapi.sys @ 0x807b099c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-07 11:50:22
ComboFix-quarantined-files.txt 2010-04-07 03:50

Pre-Run: 110,710,210,560 bytes free
Post-Run: 110,791,929,856 bytes free

- - End Of File - - 0A5C7F5AB8F060D4B996D1DD7045406E

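Added example (not part of the thread, and not ComboFix's own code): a Python triage of the "Reg Loading Points" section posted above. It parses the REGEDIT4-style key/value lines and raises three kinds of finding: an autostart value whose target lives outside %ProgramFiles% or %SystemRoot% (a user-writable location such as AppData\Roaming, where the inst.exe that ComboFix deleted above was sitting), a non-empty AppInit_DLLs value (a DLL loaded into every process that links user32.dll; here it is AVG's own avgrsstx.dll, so the rule surfaces it for review rather than calling it malicious), and Security Center override flags set to 1 (these silence the "no antivirus" warning; security products set them too, so again a review item, not a verdict). The sample text is constructed for the example: most lines are copied from the log above, while the "Updater" Run value pointing at inst.exe is invented here to exercise the path rule. The trusted-root list is an assumption.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule key name value")

# Assumption: anything under these roots counts as 'installed software';
# autostarts pointing elsewhere (user profile, ProgramData, Temp) get flagged.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')

# Constructed sample: lines copied from the ComboFix log above, plus one
# invented 'Updater' value pointing at the inst.exe that ComboFix deleted.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-13 1006264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Updater"="c:\users\Woodsy\AppData\Roaming\inst.exe" [2010-03-19 48128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"""


def parse_value(raw):
    """Split a REGEDIT4-style value body into ('path', str) or ('dword', int)."""
    raw = raw.strip()
    if raw.startswith('"'):                          # "quoted path" [date size]
        return "path", raw[1:raw.find('"', 1)]
    if raw.lower().startswith("dword:"):
        return "dword", int(raw[6:], 16)
    return "path", re.sub(r"\s*\[.*\]$", "", raw)    # unquoted path, drop [date size]


def is_trusted_path(path):
    p = path.strip().lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def triage(log_text):
    """Return the review-worthy entries of a 'Reg Loading Points' excerpt."""
    findings, key = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue                                  # e.g. Startup-folder .lnk lines
        name = m.group("name")
        kind, value = parse_value(m.group("val"))
        lkey, lname = key.lower(), name.lower()
        if lname == "appinit_dlls" and kind == "path" and value:
            findings.append(Finding("appinit_dll_injected_into_every_process", key, name, value))
        elif r"\currentversion\run" in lkey and kind == "path" and not is_trusted_path(value):
            findings.append(Finding("autostart_outside_trusted_roots", key, name, value))
        elif (lkey.endswith(r"security center\svc") and lname.endswith("override")
              and kind == "dword" and value == 1):
            findings.append(Finding("security_center_warning_suppressed", key, name, value))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.rule:42} {f.name} -> {f.value}")
```

Run against the real log, the rule set gives a reviewer the same shortlist ken545 works from by eye: where the autostart lives, what gets injected everywhere, and whether Windows has been told to stop warning about missing protection.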

#4 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:03:41 PM

Posted 07 April 2010 - 05:38 PM

Hi,

c:\program files\LimeWire <-- File sharing programs have become the latest avenue of attack by malware writers. You're downloading that file from an unknown source, and some contain malicious software attached to it. You would be doing yourself a favor if you uninstalled this program via Add/Remove Programs in the Control Panel and did not use any P2P programs.


You may still be infected by the TDSS rootkit; please run this program.


Extract the file and run it.

Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)

Please post the content of that TDSSKiller log.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#5 udwm995

udwm995
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:Perth, Australia
  • Local time:03:41 AM

Posted 08 April 2010 - 02:07 AM

Here is the log you requested

14:50:37:594 5284 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
14:50:37:594 5284 ================================================================================
14:50:37:594 5284 SystemInfo:

14:50:37:594 5284 OS Version: 6.0.6000 ServicePack: 0.0
14:50:37:594 5284 Product type: Workstation
14:50:37:594 5284 ComputerName: WOODSY-PC
14:50:37:595 5284 UserName: Woodsy
14:50:37:595 5284 Windows directory: C:\Windows
14:50:37:595 5284 Processor architecture: Intel x86
14:50:37:595 5284 Number of processors: 2
14:50:37:595 5284 Page size: 0x1000
14:50:37:597 5284 Boot type: Normal boot
14:50:37:597 5284 ================================================================================
14:50:37:603 5284 UnloadDriverW: NtUnloadDriver error 2
14:50:37:603 5284 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:50:37:759 5284 wfopen_ex: Trying to open file C:\Windows\system32\config\system
14:50:37:759 5284 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:50:37:759 5284 wfopen_ex: Trying to KLMD file open
14:50:37:760 5284 wfopen_ex: File opened ok (Flags 2)
14:50:37:781 5284 wfopen_ex: Trying to open file C:\Windows\system32\config\software
14:50:37:781 5284 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:50:37:781 5284 wfopen_ex: Trying to KLMD file open
14:50:37:781 5284 wfopen_ex: File opened ok (Flags 2)
14:50:37:781 5284 Initialize success
14:50:37:781 5284
14:50:37:782 5284 Scanning Services ...
14:50:38:495 5284 Raw services enum returned 416 services
14:50:38:511 5284
14:50:38:511 5284 Scanning Kernel memory ...
14:50:38:512 5284 Devices to scan: 2
14:50:38:512 5284
14:50:38:512 5284 Driver Name: USBSTOR
14:50:38:512 5284 IRP_MJ_CREATE : 8BFBBB40
14:50:38:512 5284 IRP_MJ_CREATE_NAMED_PIPE : 8201D1D9
14:50:38:512 5284 IRP_MJ_CLOSE : 8BFBBBB8
14:50:38:512 5284 IRP_MJ_READ : 8BFBBC30
14:50:38:512 5284 IRP_MJ_WRITE : 8BFBBC30
14:50:38:512 5284 IRP_MJ_QUERY_INFORMATION : 8201D1D9
14:50:38:512 5284 IRP_MJ_SET_INFORMATION : 8201D1D9
14:50:38:512 5284 IRP_MJ_QUERY_EA : 8201D1D9
14:50:38:512 5284 IRP_MJ_SET_EA : 8201D1D9
14:50:38:512 5284 IRP_MJ_FLUSH_BUFFERS : 8201D1D9
14:50:38:512 5284 IRP_MJ_QUERY_VOLUME_INFORMATION : 8201D1D9
14:50:38:512 5284 IRP_MJ_SET_VOLUME_INFORMATION : 8201D1D9
14:50:38:512 5284 IRP_MJ_DIRECTORY_CONTROL : 8201D1D9
14:50:38:512 5284 IRP_MJ_FILE_SYSTEM_CONTROL : 8201D1D9
14:50:38:512 5284 IRP_MJ_DEVICE_CONTROL : 8BFBB828
14:50:38:513 5284 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8BFB04AA
14:50:38:513 5284 IRP_MJ_SHUTDOWN : 8201D1D9
14:50:38:513 5284 IRP_MJ_LOCK_CONTROL : 8201D1D9
14:50:38:513 5284 IRP_MJ_CLEANUP : 8201D1D9
14:50:38:513 5284 IRP_MJ_CREATE_MAILSLOT : 8201D1D9
14:50:38:513 5284 IRP_MJ_QUERY_SECURITY : 8201D1D9
14:50:38:513 5284 IRP_MJ_SET_SECURITY : 8201D1D9
14:50:38:513 5284 IRP_MJ_POWER : 8BFB9F9A
14:50:38:513 5284 IRP_MJ_SYSTEM_CONTROL : 8BFB77A2
14:50:38:513 5284 IRP_MJ_DEVICE_CHANGE : 8201D1D9
14:50:38:513 5284 IRP_MJ_QUERY_QUOTA : 8201D1D9
14:50:38:513 5284 IRP_MJ_SET_QUOTA : 8201D1D9
14:50:38:524 5284 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:50:38:524 5284
14:50:38:524 5284 Driver Name: atapi
14:50:38:524 5284 IRP_MJ_CREATE : 807B099C
14:50:38:524 5284 IRP_MJ_CREATE_NAMED_PIPE : 807B099C
14:50:38:524 5284 IRP_MJ_CLOSE : 807B099C
14:50:38:524 5284 IRP_MJ_READ : 807B099C
14:50:38:524 5284 IRP_MJ_WRITE : 807B099C
14:50:38:524 5284 IRP_MJ_QUERY_INFORMATION : 807B099C
14:50:38:524 5284 IRP_MJ_SET_INFORMATION : 807B099C
14:50:38:524 5284 IRP_MJ_QUERY_EA : 807B099C
14:50:38:524 5284 IRP_MJ_SET_EA : 807B099C
14:50:38:524 5284 IRP_MJ_FLUSH_BUFFERS : 807B099C
14:50:38:524 5284 IRP_MJ_QUERY_VOLUME_INFORMATION : 807B099C
14:50:38:524 5284 IRP_MJ_SET_VOLUME_INFORMATION : 807B099C
14:50:38:524 5284 IRP_MJ_DIRECTORY_CONTROL : 807B099C
14:50:38:524 5284 IRP_MJ_FILE_SYSTEM_CONTROL : 807B099C
14:50:38:524 5284 IRP_MJ_DEVICE_CONTROL : 807B099C
14:50:38:524 5284 IRP_MJ_INTERNAL_DEVICE_CONTROL : 807B099C
14:50:38:524 5284 IRP_MJ_SHUTDOWN : 807B099C
14:50:38:524 5284 IRP_MJ_LOCK_CONTROL : 807B099C
14:50:38:524 5284 IRP_MJ_CLEANUP : 807B099C
14:50:38:525 5284 IRP_MJ_CREATE_MAILSLOT : 807B099C
14:50:38:525 5284 IRP_MJ_QUERY_SECURITY : 807B099C
14:50:38:525 5284 IRP_MJ_SET_SECURITY : 807B099C
14:50:38:525 5284 IRP_MJ_POWER : 807B099C
14:50:38:525 5284 IRP_MJ_SYSTEM_CONTROL : 807B099C
14:50:38:525 5284 IRP_MJ_DEVICE_CHANGE : 807B099C
14:50:38:525 5284 IRP_MJ_QUERY_QUOTA : 807B099C
14:50:38:525 5284 IRP_MJ_SET_QUOTA : 807B099C
14:50:38:525 5284 Driver "atapi" infected by TDSS rootkit!
14:50:38:534 5284 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
14:50:38:534 5284 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ...
14:50:38:534 5284 Processing driver file: C:\Windows\system32\drivers\atapi.sys
14:50:39:884 5284 vfvi6
14:50:40:040 5284 dsvbh1
14:50:41:347 5284 fdfb1
14:50:41:348 5284 Backup copy found, using it..
14:50:41:363 5284 will be cured on next reboot
14:50:41:364 5284 Reboot required for cure complete..
14:50:41:375 5284 Cure on reboot scheduled successfully
14:50:41:375 5284
14:50:41:375 5284 Completed
14:50:41:376 5284
14:50:41:376 5284 Results:
14:50:41:376 5284 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
14:50:41:377 5284 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:50:41:377 5284 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:50:41:377 5284
14:50:41:378 5284 fclose_ex: Trying to close file C:\Windows\system32\config\system
14:50:41:378 5284 fclose_ex: Trying to close file C:\Windows\system32\config\software
14:50:41:378 5284 UnloadDriverW: NtUnloadDriver error 1
14:50:41:380 5284 KLMD(ARK) unloaded successfully

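Added example (not TDSSKiller's or GMER's own code): a Python pass over the two dispatch tables in the log above that turns the 'Driver "atapi" infected' verdict into a rule that can be checked. The IRP table of a genuine storage driver (USBSTOR above) shows several distinct handler addresses, with the major functions it does not implement all sharing one kernel stub (8201D1D9 in the log); atapi's table has all 28 entries pointing at 807B099C, which is what an overwritten DRIVER_OBJECT MajorFunction array looks like, the technique the TDL3 family used against atapi. The script also cross-checks that address against the GMER "detected MBR rootkit hooks" lines in the ComboFix output above, where \Driver\atapi is reported @ 0x807b099c, the same value. The "every entry identical" rule and the minimum entry count are assumptions of the example, not TDSSKiller's algorithm; the sample log text is constructed by abridging the posted tables.

```python
import re

DRIVER_RE = re.compile(r"Driver Name:\s*(?P<drv>\S+)")
ENTRY_RE = re.compile(r"(?P<irp>IRP_MJ_[A-Z_]+)\s*:\s*(?P<addr>[0-9A-Fa-f]{8})")
GMER_RE = re.compile(r"\\Driver\\(?P<drv>\w+)\s*->\s*(?P<module>\S+)\s*@\s*0x(?P<addr>[0-9A-Fa-f]+)")

# Constructed sample: the USBSTOR and atapi tables from the TDSSKiller log
# above, abridged to a handful of IRP_MJ_* entries each.
SAMPLE_LOG = r"""
14:50:38:512 5284 Driver Name: USBSTOR
14:50:38:512 5284 IRP_MJ_CREATE : 8BFBBB40
14:50:38:512 5284 IRP_MJ_CREATE_NAMED_PIPE : 8201D1D9
14:50:38:512 5284 IRP_MJ_CLOSE : 8BFBBBB8
14:50:38:512 5284 IRP_MJ_READ : 8BFBBC30
14:50:38:512 5284 IRP_MJ_WRITE : 8BFBBC30
14:50:38:512 5284 IRP_MJ_DEVICE_CONTROL : 8BFBB828
14:50:38:513 5284 IRP_MJ_POWER : 8BFB9F9A
14:50:38:524 5284 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:50:38:524 5284
14:50:38:524 5284 Driver Name: atapi
14:50:38:524 5284 IRP_MJ_CREATE : 807B099C
14:50:38:524 5284 IRP_MJ_CREATE_NAMED_PIPE : 807B099C
14:50:38:524 5284 IRP_MJ_CLOSE : 807B099C
14:50:38:524 5284 IRP_MJ_READ : 807B099C
14:50:38:524 5284 IRP_MJ_WRITE : 807B099C
14:50:38:524 5284 IRP_MJ_DEVICE_CONTROL : 807B099C
14:50:38:525 5284 IRP_MJ_POWER : 807B099C
"""

# Constructed sample: the hook lines from the GMER MBR detector output above.
GMER_SAMPLE = r"""
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82b8bd1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> atapi.sys @ 0x807b099c
"""


def parse_dispatch_tables(log_text):
    """Map driver name -> {IRP_MJ_xxx: handler address (int)}."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group("drv")
            tables[current] = {}
            continue
        m = ENTRY_RE.search(line)
        if m and current is not None:
            tables[current][m.group("irp")] = int(m.group("addr"), 16)
    return tables


def assess(table, min_entries=4):
    """Return ('hooked', address) when every major function resolves to one
    routine. No real storage driver services CREATE, READ, WRITE, POWER and
    DEVICE_CONTROL with a single function, so a flat table means the driver
    object's MajorFunction array was overwritten (assumed heuristic)."""
    addrs = set(table.values())
    if len(table) >= min_entries and len(addrs) == 1:
        return "hooked", addrs.pop()
    return "ok", None


def parse_gmer_hooks(text):
    """Map driver name (lower-case) -> address from '\\Driver\\x -> y @ 0x..' lines."""
    return {m.group("drv").lower(): int(m.group("addr"), 16) for m in GMER_RE.finditer(text)}


def triage(tdsskiller_text, gmer_text=""):
    gmer = parse_gmer_hooks(gmer_text)
    report = {}
    for drv, table in parse_dispatch_tables(tdsskiller_text).items():
        verdict, addr = assess(table)
        report[drv] = {
            "verdict": verdict,
            "distinct_handlers": len(set(table.values())),
            "hook_address": addr,
            # True when the second tool independently reported the same
            # address for this driver: two tools agreeing beats one verdict.
            "corroborated_by_gmer": addr is not None and gmer.get(drv.lower()) == addr,
        }
    return report


if __name__ == "__main__":
    for drv, r in triage(SAMPLE_LOG, GMER_SAMPLE).items():
        addr = f"{r['hook_address']:08X}" if r["hook_address"] else "-"
        print(f"{drv:10} {r['verdict']:7} handlers={r['distinct_handlers']} "
              f"hook={addr} gmer_agrees={r['corroborated_by_gmer']}")
```

The point of the cross-check is that the rootkit's own disk filtering is what makes single-tool results untrustworthy on a box like this; agreement between an in-memory dispatch-table dump and a raw MBR/driver-chain walk is the evidence worth acting on, and "cure on reboot" plus a clean re-scan (as ken545 asks for next) is the confirmation.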

#6 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:03:41 PM

Posted 08 April 2010 - 03:22 AM

Great!

Your hard disk controller was infected by a rootkit and it's been fixed.



Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.






Please download Malwarebytes from Here or Here
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please





  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)




1. Post the Malwarebytes log
2. Post the RSIT log
3. Let me know how things are running now?



#7 udwm995

udwm995
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:Perth, Australia
  • Local time:03:41 AM

Posted 08 April 2010 - 08:50 AM

Here are the MBAM and RSIT logs you requested.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3968

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

8/04/2010 9:29:14 PM
mbam-log-2010-04-08 (21-29-14).txt

Scan type: Quick scan
Objects scanned: 102986
Time elapsed: 7 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of random's system information tool 1.06 (written by random/random)
Run by Woodsy at 2010-04-08 21:40:38
Microsoft® Windows Vista™ Ultimate
System drive C: has 104 GB (44%) free of 238 GB
Total RAM: 1021 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:54 PM, on 8/04/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.11.21\BigPond_CM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.11.21\BigPond_CM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Users\Woodsy\Desktop\RSIT.exe
C:\Program Files\trend micro\Woodsy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.11.21\BigPond_CM.exe" -tsr
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.112,93.188.166.42
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 5414 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-04-08 1602912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-02-23 1664256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-03-16 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-02-23 1664256]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-14 1006264]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"BigPondWirelessBroadbandCM"=C:\Program Files\Telstra\BigPond Wireless Broadband 2.11.21\BigPond_CM.exe [2008-10-22 2289664]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2006-11-23 56928]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-12-05 54832]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2010-02-10 61440]
"DivXUpdate"=C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2010-03-05 1135912]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2006-11-02 125440]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-11-02 201728]

C:\Users\Woodsy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\Windows\System32\avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Windows\system32\wininit.exe"="C:\Windows\system32\wininit.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-04-08 21:40:39 ----D---- C:\Program Files\trend micro
2010-04-08 21:40:38 ----D---- C:\rsit
2010-04-08 21:10:15 ----A---- C:\Windows\isRS-000.tmp
2010-04-08 14:50:37 ----A---- C:\TDSSKiller.2.2.8.1_08.04.2010_14.50.37_log.txt
2010-04-07 11:50:31 ----SHD---- C:\$RECYCLE.BIN
2010-04-07 11:50:26 ----D---- C:\Windows\temp
2010-04-07 11:50:23 ----A---- C:\ComboFix.txt
2010-04-07 11:35:58 ----A---- C:\Windows\zip.exe
2010-04-07 11:35:58 ----A---- C:\Windows\SWXCACLS.exe
2010-04-07 11:35:58 ----A---- C:\Windows\SWSC.exe
2010-04-07 11:35:58 ----A---- C:\Windows\SWREG.exe
2010-04-07 11:35:58 ----A---- C:\Windows\sed.exe
2010-04-07 11:35:58 ----A---- C:\Windows\PEV.exe
2010-04-07 11:35:58 ----A---- C:\Windows\NIRCMD.exe
2010-04-07 11:35:58 ----A---- C:\Windows\MBR.exe
2010-04-07 11:35:58 ----A---- C:\Windows\grep.exe
2010-04-07 11:35:45 ----D---- C:\Windows\ERDNT
2010-04-07 11:35:07 ----D---- C:\Qoobox
2010-03-29 14:10:51 ----A---- C:\Windows\ntbtlog.txt
2010-03-28 21:57:02 ----D---- C:\Program Files\Common Files\DivX Shared
2010-03-28 21:54:04 ----D---- C:\ProgramData\DivX
2010-03-20 04:10:05 ----D---- C:\Program Files\Microsoft Games
2010-03-19 14:42:17 ----D---- C:\$AVG
2010-03-19 13:23:35 ----A---- C:\Windows\system32\avgrsstx.dll
2010-03-19 13:23:08 ----D---- C:\ProgramData\AVG Security Toolbar
2010-03-19 13:22:27 ----D---- C:\ProgramData\avg9
2010-03-19 09:04:48 ----D---- C:\ProgramData\Symantec
2010-03-19 09:04:48 ----D---- C:\ProgramData\Norton
2010-03-19 09:03:57 ----D---- C:\ProgramData\NortonInstaller
2010-03-19 09:00:24 ----D---- C:\Users\Woodsy\AppData\Roaming\aAvgApi
2010-03-19 08:26:32 ----D---- C:\Windows\BDOSCAN8
2010-03-19 08:14:58 ----D---- C:\ProgramData\Sunbelt
2010-03-18 13:53:49 ----A---- C:\debug.txt
2010-03-17 23:28:43 ----D---- C:\ProgramData\ATI
2010-03-17 22:06:25 ----D---- C:\Program Files\Nero
2010-03-17 21:53:15 ----D---- C:\Program Files\CyberLink
2010-03-17 16:17:06 ----D---- C:\Users\Woodsy\AppData\Roaming\Mozilla
2010-03-17 16:16:15 ----D---- C:\Users\Woodsy\AppData\Roaming\LimeWire
2010-03-17 13:26:48 ----D---- C:\Users\Woodsy\AppData\Roaming\Malwarebytes
2010-03-17 13:26:31 ----D---- C:\ProgramData\Malwarebytes
2010-03-17 13:26:30 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-16 18:20:31 ----D---- C:\Users\Woodsy\AppData\Roaming\VistaCodecs
2010-03-16 18:20:23 ----D---- C:\Program Files\VistaCodecPack
2010-03-16 16:33:54 ----D---- C:\ProgramData\Sun
2010-03-16 16:33:47 ----D---- C:\Program Files\Common Files\Java
2010-03-16 16:32:58 ----A---- C:\Windows\system32\javaws.exe
2010-03-16 16:32:58 ----A---- C:\Windows\system32\javaw.exe
2010-03-16 16:32:58 ----A---- C:\Windows\system32\deploytk.dll
2010-03-16 16:32:57 ----A---- C:\Windows\system32\java.exe
2010-03-16 16:32:15 ----D---- C:\Program Files\Java
2010-03-16 16:20:20 ----D---- C:\Program Files\LimeWire
2010-03-16 14:54:08 ----D---- C:\Users\Woodsy\AppData\Roaming\BitTorrent
2010-03-16 14:53:31 ----D---- C:\Program Files\BitTorrent
2010-03-16 14:34:19 ----D---- C:\ProgramData\PC Drivers HeadQuarters
2010-03-16 01:23:28 ----A---- C:\Windows\system32\msshsq.dll
2010-03-15 23:24:00 ----A---- C:\Windows\system32\winhttp.dll
2010-03-15 23:21:07 ----A---- C:\Windows\system32\es.dll
2010-03-15 12:04:13 ----A---- C:\Windows\system32\setupapi.dll
2010-03-15 12:03:29 ----A---- C:\Windows\system32\srclient.dll
2010-03-15 12:03:28 ----A---- C:\Windows\system32\srdelayed.exe
2010-03-15 12:03:28 ----A---- C:\Windows\system32\srcore.dll
2010-03-15 12:03:28 ----A---- C:\Windows\system32\rstrui.exe
2010-03-15 12:03:27 ----A---- C:\Windows\system32\wpd_ci.dll
2010-03-15 12:03:27 ----A---- C:\Windows\system32\kd1394.dll
2010-03-15 12:03:26 ----A---- C:\Windows\system32\winresume.exe
2010-03-15 12:03:26 ----A---- C:\Windows\system32\winload.exe
2010-03-15 12:03:25 ----A---- C:\Windows\system32\drvinst.exe
2010-03-15 12:03:25 ----A---- C:\Windows\system32\ci.dll
2010-03-15 12:03:25 ----A---- C:\Windows\system32\cfgmgr32.dll
2010-03-15 12:03:24 ----A---- C:\Windows\system32\umpnpmgr.dll
2010-03-15 12:03:21 ----A---- C:\Windows\system32\kbd106n.dll
2010-03-15 12:03:21 ----A---- C:\Windows\system32\dpx.dll
2010-03-15 12:03:18 ----A---- C:\Windows\system32\unlodctr.exe
2010-03-15 12:03:18 ----A---- C:\Windows\system32\oleaut32.dll
2010-03-15 12:03:18 ----A---- C:\Windows\system32\lodctr.exe
2010-03-15 12:03:17 ----A---- C:\Windows\system32\prflbmsg.dll
2010-03-15 12:03:17 ----A---- C:\Windows\system32\loadperf.dll
2010-03-15 12:03:16 ----A---- C:\Windows\system32\schedsvc.dll
2010-03-15 12:03:14 ----A---- C:\Windows\system32\f3ahvoas.dll
2010-03-15 12:03:14 ----A---- C:\Windows\system32\dispci.dll
2010-03-15 12:03:14 ----A---- C:\Windows\system32\batt.dll
2010-03-15 11:59:44 ----A---- C:\Windows\system32\rpcss.dll
2010-03-15 11:59:41 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2010-03-15 11:59:41 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2010-03-15 11:59:38 ----A---- C:\Windows\system32\sdohlp.dll
2010-03-15 11:59:38 ----A---- C:\Windows\system32\iasrecst.dll
2010-03-15 11:59:38 ----A---- C:\Windows\system32\iasdatastore.dll
2010-03-15 11:59:38 ----A---- C:\Windows\system32\iasads.dll
2010-03-15 11:58:44 ----A---- C:\Windows\system32\jscript.dll
2010-03-15 11:58:05 ----A---- C:\Windows\system32\ntkrnlpa.exe
2010-03-15 11:58:04 ----A---- C:\Windows\system32\ntoskrnl.exe
2010-03-15 11:56:33 ----A---- C:\Windows\system32\kernel32.dll
2010-03-15 11:56:28 ----A---- C:\Windows\system32\apilogen.dll
2010-03-15 11:56:28 ----A---- C:\Windows\system32\amxread.dll
2010-03-15 11:55:32 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2010-03-15 11:55:30 ----A---- C:\Windows\system32\WindowsCodecs.dll
2010-03-15 11:55:28 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2010-03-15 11:54:39 ----A---- C:\Windows\system32\win32spl.dll
2010-03-15 11:54:39 ----A---- C:\Windows\system32\printcom.dll
2010-03-15 11:52:53 ----A---- C:\Windows\system32\wshrm.dll
2010-03-15 11:51:27 ----A---- C:\Windows\system32\wmpdxm.dll
2010-03-15 11:47:40 ----A---- C:\Windows\system32\msdrm.dll
2010-03-15 11:47:35 ----A---- C:\Windows\system32\RMActivate_ssp.exe
2010-03-15 11:47:32 ----A---- C:\Windows\system32\secproc_ssp.dll
2010-03-15 11:47:24 ----A---- C:\Windows\system32\secproc_ssp_isv.dll
2010-03-15 11:47:21 ----A---- C:\Windows\system32\RMActivate_ssp_isv.exe
2010-03-15 11:47:07 ----A---- C:\Windows\system32\secproc.dll
2010-03-15 11:47:02 ----A---- C:\Windows\system32\RMActivate.exe
2010-03-15 11:46:44 ----A---- C:\Windows\system32\RMActivate_isv.exe
2010-03-15 11:46:40 ----A---- C:\Windows\system32\secproc_isv.dll
2010-03-15 08:10:55 ----A---- C:\Windows\system32\wgaer_m.exe
2010-03-15 07:10:56 ----D---- C:\Program Files\Telstra
2010-03-15 04:55:47 ----A---- C:\Windows\system32\t2embed.dll
2010-03-15 04:55:47 ----A---- C:\Windows\system32\atmfd.dll
2010-03-15 04:55:46 ----A---- C:\Windows\system32\lpk.dll
2010-03-15 04:55:46 ----A---- C:\Windows\system32\fontsub.dll
2010-03-15 04:55:46 ----A---- C:\Windows\system32\dciman32.dll
2010-03-15 04:55:46 ----A---- C:\Windows\system32\atmlib.dll
2010-03-15 04:51:48 ----A---- C:\Windows\system32\advpack.dll
2010-03-15 04:51:47 ----A---- C:\Windows\system32\iedkcs32.dll
2010-03-15 04:51:47 ----A---- C:\Windows\system32\ieaksie.dll
2010-03-15 04:51:47 ----A---- C:\Windows\system32\admparse.dll
2010-03-15 04:51:46 ----A---- C:\Windows\system32\ieakui.dll
2010-03-15 04:51:44 ----A---- C:\Windows\system32\ieapfltr.dll
2010-03-15 04:51:43 ----A---- C:\Windows\system32\wininet.dll
2010-03-15 04:51:42 ----A---- C:\Windows\system32\jsproxy.dll
2010-03-15 04:51:41 ----A---- C:\Windows\system32\dxtrans.dll
2010-03-15 04:51:41 ----A---- C:\Windows\system32\dxtmsft.dll
2010-03-15 04:51:39 ----A---- C:\Windows\system32\msfeeds.dll
2010-03-15 04:51:38 ----A---- C:\Windows\system32\ieui.dll
2010-03-15 04:51:37 ----A---- C:\Windows\system32\ieframe.dll
2010-03-15 04:51:34 ----A---- C:\Windows\system32\mshtmled.dll
2010-03-15 04:51:34 ----A---- C:\Windows\system32\ieencode.dll
2010-03-15 04:51:33 ----A---- C:\Windows\system32\mshtmler.dll
2010-03-15 04:51:32 ----A---- C:\Windows\system32\mshtml.dll
2010-03-15 04:51:29 ----A---- C:\Windows\system32\mstime.dll
2010-03-15 04:51:29 ----A---- C:\Windows\system32\icardie.dll
2010-03-15 04:51:25 ----A---- C:\Windows\system32\ieUnatt.exe
2010-03-15 04:51:23 ----A---- C:\Windows\system32\urlmon.dll
2010-03-15 04:51:23 ----A---- C:\Windows\system32\occache.dll
2010-03-15 04:51:22 ----A---- C:\Windows\system32\pngfilt.dll
2010-03-15 04:51:22 ----A---- C:\Windows\system32\iertutil.dll
2010-03-15 04:51:21 ----A---- C:\Windows\system32\iesetup.dll
2010-03-15 04:51:21 ----A---- C:\Windows\system32\iernonce.dll
2010-03-15 04:51:21 ----A---- C:\Windows\system32\ie4uinit.exe
2010-03-15 04:48:46 ----A---- C:\Windows\system32\winipsec.dll
2010-03-15 04:48:46 ----A---- C:\Windows\system32\polstore.dll
2010-03-15 04:48:46 ----A---- C:\Windows\system32\IPSECSVC.DLL
2010-03-15 04:48:46 ----A---- C:\Windows\system32\FwRemoteSvr.dll
2010-03-15 04:46:23 ----A---- C:\Windows\system32\PortableDeviceTypes.dll
2010-03-15 04:46:23 ----A---- C:\Windows\system32\PortableDeviceClassExtension.dll
2010-03-15 04:46:23 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2010-03-15 04:44:22 ----A---- C:\Windows\system32\TCPSVCS.EXE
2010-03-15 04:44:22 ----A---- C:\Windows\system32\netevent.dll
2010-03-15 04:44:22 ----A---- C:\Windows\system32\MRINFO.EXE
2010-03-15 04:44:21 ----A---- C:\Windows\system32\ROUTE.EXE
2010-03-15 04:44:21 ----A---- C:\Windows\system32\NETSTAT.EXE
2010-03-15 04:44:21 ----A---- C:\Windows\system32\netiohlp.dll
2010-03-15 04:44:21 ----A---- C:\Windows\system32\HOSTNAME.EXE
2010-03-15 04:44:21 ----A---- C:\Windows\system32\finger.exe
2010-03-15 04:44:21 ----A---- C:\Windows\system32\ARP.EXE
2010-03-15 04:42:34 ----A---- C:\Windows\system32\WebClnt.dll
2010-03-15 04:41:21 ----A---- C:\Windows\system32\L2SecHC.dll
2010-03-15 04:41:19 ----A---- C:\Windows\system32\wlanmsm.dll
2010-03-15 04:41:19 ----A---- C:\Windows\system32\wlanhlp.dll
2010-03-15 04:41:19 ----A---- C:\Windows\system32\wlanapi.dll
2010-03-15 04:41:18 ----A---- C:\Windows\system32\wlansvc.dll
2010-03-15 04:41:18 ----A---- C:\Windows\system32\wlansec.dll
2010-03-15 04:39:54 ----A---- C:\Windows\system32\msxml3r.dll
2010-03-15 04:39:54 ----A---- C:\Windows\system32\msxml3.dll
2010-03-15 04:39:53 ----A---- C:\Windows\system32\msxml6r.dll
2010-03-15 04:39:53 ----A---- C:\Windows\system32\msxml6.dll
2010-03-15 04:38:31 ----A---- C:\Windows\system32\msv1_0.dll
2010-03-15 04:36:29 ----A---- C:\Windows\system32\mf.dll
2010-03-15 04:36:28 ----A---- C:\Windows\system32\rrinstaller.exe
2010-03-15 04:36:28 ----A---- C:\Windows\system32\mfps.dll
2010-03-15 04:36:28 ----A---- C:\Windows\system32\mfpmp.exe
2010-03-15 04:36:28 ----A---- C:\Windows\system32\mferror.dll
2010-03-15 04:36:26 ----A---- C:\Windows\system32\WMVCORE.DLL
2010-03-15 04:34:04 ----A---- C:\Windows\system32\atl.dll
2010-03-15 04:32:58 ----A---- C:\Windows\system32\gdi32.dll
2010-03-15 04:29:19 ----A---- C:\Windows\system32\xolehlp.dll
2010-03-15 04:29:19 ----A---- C:\Windows\system32\msdtcprx.dll
2010-03-15 04:28:14 ----A---- C:\Windows\system32\wkssvc.dll
2010-03-15 04:27:06 ----A---- C:\Windows\system32\tsgqec.dll
2010-03-15 04:27:06 ----A---- C:\Windows\system32\aaclient.dll
2010-03-15 04:27:05 ----A---- C:\Windows\system32\mstscax.dll
2010-03-15 04:25:50 ----A---- C:\Windows\system32\wmpeffects.dll
2010-03-15 04:22:31 ----A---- C:\Windows\system32\netapi32.dll
2010-03-15 04:15:57 ----A---- C:\Windows\system32\mcmde.dll
2010-03-15 04:15:57 ----A---- C:\Windows\system32\EncDec.dll
2010-03-15 04:15:56 ----A---- C:\Windows\system32\psisdecd.dll
2010-03-15 04:12:30 ----A---- C:\Windows\system32\shell32.dll
2010-03-15 04:11:02 ----A---- C:\Windows\system32\tzres.dll
2010-03-15 04:09:42 ----A---- C:\Windows\system32\localspl.dll
2010-03-15 04:04:47 ----A---- C:\Windows\explorer.exe
2010-03-15 04:03:44 ----A---- C:\Windows\system32\kerberos.dll
2010-03-15 04:03:43 ----A---- C:\Windows\system32\wdigest.dll
2010-03-15 04:03:43 ----A---- C:\Windows\system32\secur32.dll
2010-03-15 04:03:43 ----A---- C:\Windows\system32\lsass.exe
2010-03-15 04:03:42 ----A---- C:\Windows\system32\lsasrv.dll
2010-03-15 04:03:41 ----A---- C:\Windows\system32\schannel.dll
2010-03-15 04:02:24 ----A---- C:\Windows\system32\netcfg.exe
2010-03-15 00:56:09 ----A---- C:\Windows\system32\tcpipcfg.dll
2010-03-15 00:56:09 ----A---- C:\Windows\system32\netiougc.exe
2010-03-15 00:56:04 ----A---- C:\Windows\system32\FWPUCLNT.DLL
2010-03-15 00:56:03 ----A---- C:\Windows\system32\IKEEXT.DLL
2010-03-15 00:56:03 ----A---- C:\Windows\system32\BFE.DLL
2010-03-15 00:50:59 ----D---- C:\Windows\PCHEALTH
2010-03-15 00:07:31 ----A---- C:\Windows\system32\dfshim.dll
2010-03-15 00:07:19 ----A---- C:\Windows\system32\netfxperf.dll
2010-03-15 00:06:48 ----A---- C:\Windows\system32\mscoree.dll
2010-03-15 00:06:45 ----A---- C:\Windows\system32\mscorier.dll
2010-03-15 00:06:44 ----A---- C:\Windows\system32\mscories.dll
2010-03-14 23:28:09 ----A---- C:\Windows\system32\Apphlpdm.dll
2010-03-14 23:28:01 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-03-14 23:27:58 ----A---- C:\Windows\system32\gameux.dll
2010-03-14 23:25:59 ----A---- C:\Windows\system32\WMNetMgr.dll
2010-03-14 23:25:59 ----A---- C:\Windows\system32\logagent.exe
2010-03-14 23:25:12 ----A---- C:\Windows\system32\INETRES.dll
2010-03-14 23:25:12 ----A---- C:\Windows\system32\inetcomm.dll
2010-03-14 23:24:31 ----A---- C:\Windows\system32\msasn1.dll
2010-03-14 23:23:51 ----A---- C:\Windows\system32\connect.dll
2010-03-14 23:23:07 ----A---- C:\Windows\system32\rpcrt4.dll
2010-03-14 23:21:05 ----A---- C:\Windows\system32\httpapi.dll
2010-03-14 23:21:04 ----A---- C:\Windows\system32\nshhttp.dll
2010-03-14 23:15:26 ----A---- C:\Windows\system32\raschap.dll
2010-03-14 23:15:25 ----A---- C:\Windows\system32\rastls.dll
2010-03-14 23:14:36 ----A---- C:\Windows\system32\WSDApi.dll
2010-03-14 23:13:54 ----A---- C:\Windows\system32\poqexec.exe
2010-03-14 23:11:10 ----A---- C:\Windows\system32\tsbyuv.dll
2010-03-14 23:11:10 ----A---- C:\Windows\system32\msyuv.dll
2010-03-14 23:11:10 ----A---- C:\Windows\system32\iyuv_32.dll
2010-03-14 23:11:09 ----A---- C:\Windows\system32\quartz.dll
2010-03-14 23:11:09 ----A---- C:\Windows\system32\avicap32.dll
2010-03-14 23:11:08 ----A---- C:\Windows\system32\msvfw32.dll
2010-03-14 23:11:08 ----A---- C:\Windows\system32\mciavi32.dll
2010-03-14 23:11:06 ----A---- C:\Windows\system32\avifil32.dll
2010-03-14 23:11:04 ----A---- C:\Windows\system32\msvidc32.dll
2010-03-14 23:11:03 ----A---- C:\Windows\system32\msrle32.dll
2010-03-14 23:09:44 ----A---- C:\Windows\system32\WMSPDMOD.DLL
2010-03-14 23:08:11 ----A---- C:\Windows\system32\wmploc.DLL
2010-03-14 23:08:04 ----A---- C:\Windows\system32\wmp.dll
2010-03-14 23:08:04 ----A---- C:\Windows\system32\spwmp.dll
2010-03-14 23:08:03 ----A---- C:\Windows\system32\dxmasf.dll
2010-03-14 23:07:43 ----A---- C:\Windows\system32\unregmp2.exe
2010-03-14 21:39:42 ----A---- C:\Windows\system32\wups2.dll
2010-03-14 21:39:42 ----A---- C:\Windows\system32\wucltux.dll
2010-03-14 21:39:42 ----A---- C:\Windows\system32\wuaueng.dll
2010-03-14 21:39:42 ----A---- C:\Windows\system32\wuauclt.exe
2010-03-14 21:38:43 ----A---- C:\Windows\system32\wups.dll
2010-03-14 21:38:43 ----A---- C:\Windows\system32\wudriver.dll
2010-03-14 21:38:43 ----A---- C:\Windows\system32\wuapi.dll
2010-03-14 21:38:14 ----A---- C:\Windows\system32\wuwebv.dll
2010-03-14 21:38:14 ----A---- C:\Windows\system32\wuapp.exe
2010-03-14 21:32:16 ----A---- C:\Windows\system32\MpSigStub.exe
2010-03-09 01:59:18 ----A---- C:\Windows\system32\dpl100.dll

======List of files/folders modified in the last 1 months======

2010-04-08 21:40:54 ----D---- C:\Windows\Prefetch
2010-04-08 21:40:39 ----RD---- C:\Program Files
2010-04-08 21:14:16 ----D---- C:\Windows
2010-04-08 21:10:13 ----D---- C:\Windows\system32\drivers
2010-04-08 18:57:28 ----SHD---- C:\System Volume Information
2010-04-07 11:47:25 ----A---- C:\Windows\system.ini
2010-04-07 11:43:25 ----D---- C:\Windows\System32
2010-04-07 11:43:25 ----D---- C:\Windows\AppPatch
2010-04-07 11:43:24 ----D---- C:\Program Files\Common Files
2010-04-04 08:28:41 ----D---- C:\Windows\system32\catroot2
2010-03-31 21:33:43 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-03-31 21:33:42 ----D---- C:\Windows\inf
2010-03-30 10:42:55 ----SHD---- C:\Windows\Installer
2010-03-30 10:28:22 ----D---- C:\Windows\winsxs
2010-03-30 10:27:58 ----D---- C:\Program Files\Common Files\Ahead
2010-03-30 10:27:53 ----D---- C:\Windows\ehome
2010-03-29 15:14:07 ----D---- C:\Windows\tracing
2010-03-28 21:57:32 ----D---- C:\Program Files\DivX
2010-03-28 21:54:04 ----D---- C:\ProgramData
2010-03-25 00:35:47 ----D---- C:\Windows\Microsoft.NET
2010-03-25 00:35:46 ----RSD---- C:\Windows\assembly
2010-03-24 20:56:21 ----D---- C:\Windows\rescache
2010-03-24 20:54:15 ----D---- C:\Windows\system32\XPSViewer
2010-03-24 20:54:15 ----D---- C:\Windows\system32\wbem
2010-03-24 20:54:15 ----D---- C:\Windows\system32\en-US
2010-03-23 23:52:52 ----SD---- C:\Windows\Downloaded Program Files
2010-03-20 09:46:02 ----D---- C:\Windows\Tasks
2010-03-20 04:10:09 ----D---- C:\Windows\system32\Tasks
2010-03-20 04:04:59 ----A---- C:\Windows\system32\cryptui.dll
2010-03-19 13:22:27 ----D---- C:\Program Files\AVG
2010-03-19 13:20:44 ----SD---- C:\Users\Woodsy\AppData\Roaming\Microsoft
2010-03-19 12:39:34 ----D---- C:\Users\Woodsy\AppData\Roaming\Vso
2010-03-19 11:05:32 ----D---- C:\Windows\system32\catroot
2010-03-18 04:45:07 ----D---- C:\Boot
2010-03-17 23:27:53 ----D---- C:\Program Files\ATI Technologies
2010-03-17 21:54:01 ----HD---- C:\Program Files\InstallShield Installation Information
2010-03-17 21:20:42 ----D---- C:\Windows\system32\manifeststore
2010-03-17 20:59:15 ----D---- C:\Windows\system32\migration
2010-03-17 20:59:15 ----D---- C:\Windows\servicing
2010-03-16 18:24:20 ----D---- C:\ProgramData\VistaCodecs
2010-03-16 18:04:05 ----D---- C:\Program Files\Common Files\InstallShield
2010-03-15 08:19:47 ----ASH---- C:\Program Files\desktop.ini
2010-03-15 08:11:29 ----D---- C:\Program Files\Internet Explorer
2010-03-15 08:11:15 ----D---- C:\Program Files\Movie Maker
2010-03-15 08:10:57 ----D---- C:\Program Files\Windows Mail
2010-03-15 08:10:02 ----RSD---- C:\Windows\Fonts
2010-03-15 08:10:02 ----D---- C:\Program Files\Windows Media Player
2010-03-15 00:50:59 ----D---- C:\Program Files\Common Files\microsoft shared
2010-03-14 22:15:12 ----D---- C:\Windows\system32\Macromed
2010-03-14 21:40:24 ----D---- C:\Windows\PolicyDefinitions

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2010-03-19 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2010-03-19 29512]
R1 AvgTdiX;AVG Free Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2010-03-19 242696]
R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-14 320000]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2010-02-11 4450816]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-16 214912]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 IAMTV;Driver for Intel® Active Management Technology - KCS; C:\Windows\system32\DRIVERS\IAMTV.sys [2006-10-19 38280]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
R3 ZTEusbmdm6k;ZTE Proprietary USB Driver; C:\Windows\system32\DRIVERS\ZTEusbmdm6k.sys [2008-08-22 104960]
R3 ZTEusbnet;ZTE USB-NDIS miniport; C:\Windows\system32\DRIVERS\ZTEusbnet.sys [2008-08-22 110080]
R3 ZTEusbnmea;ZTE NMEA Port; C:\Windows\system32\DRIVERS\ZTEusbnmea.sys [2008-08-22 104960]
R3 ZTEusbser6k;ZTE Diagnostic Port; C:\Windows\system32\DRIVERS\ZTEusbser6k.sys [2008-08-22 104960]
S3 catchme;catchme; \??\C:\Users\Woodsy\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys []
S3 massfilter;ZTE Mass Storage Filter Driver; C:\Windows\system32\drivers\massfilter.sys [2008-08-22 7168]
S3 moufiltr;Mouse Filter; C:\Windows\system32\DRIVERS\moufiltr.sys [2007-01-09 6144]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 PCASp50;PCASp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\PCASp50.sys [2008-06-27 27072]
S3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2009-02-07 47360]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2010-02-11 4450816]
S3 sfng32;Sonic Focus Plugin for Sigmatel HDA; C:\Windows\system32\drivers\sfng32.sys []
S3 STHDA;IDT High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2010-02-11 733184]
R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2010-03-19 916760]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-03-19 308064]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2006-11-02 22016]
R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2008-01-11 66872]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2005-08-07 167936]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2006-11-02 22016]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service; C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-02-23 369920]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2006-11-02 521216]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2006-11-02 22016]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2006-11-02 562176]
S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-04-08 21:40:59

======Uninstall list======

-->C:\ProgramData\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe /CONVERTER
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
BigPond Wireless Broadband 2.11.21-->MsiExec.exe /I{F95549B8-D0D2-437F-8637-C8B46CBDDBFA}
BitTorrent-->C:\Program Files\BitTorrent\uninst.exe
Catalyst Control Center - Branding-->MsiExec.exe /I{8D7133DE-27D2-47E5-B248-4180278D32AA}
DivX Codec-->C:\ProgramData\DivX\DivX7\DivX Codec\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\ProgramData\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\ProgramData\DivX\DivX7\DivX Player\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\ProgramData\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Setup-->C:\ProgramData\DivX\Setup\DivXSetup.exe /uninstall /bundleGroupId divx.com
DVD Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Empire Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2447500B-22D7-47BD-9B13-1A927F43A267}\SETUP.EXE"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel® PRO Network Connections Drivers-->Prounstl.exe
Java™ 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
LimeWire 5.5.6-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PunkBuster Services-->C:\Windows\system32\pbsvc.exe -u
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
Vista Codec Package-->MsiExec.exe /I{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}

Securitycenter WMI appears to be broken

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 6 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0604
"NUMBER_OF_PROCESSORS"=2

-----------------EOF-----------------

My computer does seem to be running a bit better, and I haven't yet seen the fake online protection tool popup and also haven't been redirected; however, my browser is still quite slow and the AVG update still doesn't work. Apart from that it does seem to have freed it up a bit.

#8 ken545
  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:03:41 PM

Posted 08 April 2010 - 11:50 AM

Hi,

Besides LimeWire still running, you also have BitTorrent. If you were sitting where I am and saw all the latest threats, you would be getting rid of both of those programs real quick. I would no way, no how, ever allow garbage like that on any of my systems. There are threats going around that steal all your passwords, banking and credit card numbers, and there are a few that are uncleanable; what I mean by that is the damage they do to your system is so great that the only recourse is to format and reinstall Windows.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.112,93.188.166.42



You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis. Just use the browse feature and then Send File; you will get a report back. Post the report into this thread for me to see.

c:\windows\system32\drivers\klmdb.sys <--This file

If the site is busy you can try this one

http://virusscan.jotti.org/en








Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days
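To show what the O17 line above actually encodes, here is a small triage script added for this thread; it is not part of HijackThis or of the original posts. HijackThis abbreviates the control set in the key: CCS is CurrentControlSet and CS1 is ControlSet001, so the flagged entry is the system-wide NameServer value under HKLM\System\ControlSet001\Services\Tcpip\Parameters. Public resolvers hard-coded into that key, rather than handed out by DHCP, are the classic sign of DNS-changer malware, and a hijacked resolver is one plausible reason for the redirects and for AVG's updater failing to reach its servers. The script parses O17 lines from an HJT log, expands the key, and flags any resolver that is neither private (a home router) nor in an allow-list of resolvers the machine is expected to use. The allow-list and the second sample log line are constructed placeholders.

```python
"""Triage HijackThis O17 entries (hard-coded DNS servers).

Added example for this thread; it is not part of HijackThis or of the
original post.  EXPECTED_RESOLVERS and the second sample line below are
constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis abbreviates the control-set component of the registry key.
CONTROL_SETS = {
    "CCS": "CurrentControlSet",
    "CS1": "ControlSet001",
    "CS2": "ControlSet002",
    "CS3": "ControlSet003",
}

# Constructed allow-list: the resolvers this machine is *expected* to use.
# Replace with what your ISP or DHCP server actually hands out.
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

O17_RE = re.compile(
    r"^O17\s*-\s*(?P<key>HKLM\\System\\(?:CCS|CS\d)\\[^:]+):\s*"
    r"(?P<value>NameServer|Domain|SearchList)\s*=\s*(?P<data>.+?)\s*$"
)


@dataclass
class O17Finding:
    key: str                     # registry path with the abbreviation expanded
    value: str                   # NameServer, Domain or SearchList
    data: str                    # raw value data as it appears in the log
    suspicious: List[str] = field(default_factory=list)


def expand_key(key: str) -> str:
    """HKLM\\System\\CS1\\... -> HKLM\\System\\ControlSet001\\..."""
    parts = key.split("\\")
    if len(parts) > 2 and parts[2] in CONTROL_SETS:
        parts[2] = CONTROL_SETS[parts[2]]
    return "\\".join(parts)


def classify_resolver(ip_text: str) -> Optional[str]:
    """Return why a resolver looks hijacked, or None if it looks normal."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return f"{ip_text!r} is not a valid IP address"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return None          # a home router or local resolver: normal
    if ip_text in EXPECTED_RESOLVERS:
        return None
    return f"{ip_text} is a public resolver not in the expected set"


def parse_o17(line: str) -> Optional[O17Finding]:
    """Parse one HJT log line; None if it is not an O17 entry."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    finding = O17Finding(expand_key(m["key"]), m["value"], m["data"])
    if finding.value == "NameServer":
        for ip_text in re.split(r"[,\s]+", finding.data):
            reason = classify_resolver(ip_text) if ip_text else None
            if reason:
                finding.suspicious.append(reason)
    return finding


def triage(log_text: str) -> List[O17Finding]:
    """All O17 findings in an HJT log, with hijack indicators attached."""
    found = (parse_o17(line) for line in log_text.splitlines())
    return [f for f in found if f is not None]


# Constructed sample: line 1 is the entry quoted in the thread; line 2 is
# what a normal per-adapter entry pointing at a home router looks like.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 93.188.164.112,93.188.166.42
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{8F1D3A2C-0000-4000-8000-000000000001}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(("SUSPICIOUS " if f.suspicious else "ok         ") + f.key)
        print(f"    {f.value} = {f.data}")
        for reason in f.suspicious:
            print(f"    - {reason}")
```

Fix Checked removes only the line you tick. A responder would also look at the other control sets (ControlSet002, and whichever one HKLM\SYSTEM\Select\Current points at) and at the per-adapter keys under Tcpip\Parameters\Interfaces, then confirm with ipconfig /all after a reboot that the resolvers in use are the ones DHCP hands out.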


#9 udwm995
  • Topic Starter
  • Members
  • 35 posts
  • Location:Perth, Australia
  • Local time:03:41 AM

Posted 08 April 2010 - 12:01 PM

I'll uninstall LimeWire and BitTorrent, then follow the instructions and post my reply.
Thanks :)

#10 udwm995
  • Topic Starter
  • Members
  • 35 posts
  • Location:Perth, Australia
  • Local time:03:41 AM

Posted 08 April 2010 - 12:17 PM

Okay, when I run HijackThis it's saying that I should copy it to the hard disk if I want backups, or something along these lines; then when I click on Scan Only it says some more stuff about running as administrator. You didn't mention anything about these warnings, so should I ignore them and run it as instructed, or?? Sorry, I just want to be absolutely sure.

#11 ken545
  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:03:41 PM

Posted 08 April 2010 - 12:49 PM

Forgot you had Vista

Just right-click on HJT and select RUN AS ADMINISTRATOR, and then just delete that entry.



#12 udwm995
  • Topic Starter
  • Members
  • 35 posts
  • Location:Perth, Australia
  • Local time:03:41 AM

Posted 08 April 2010 - 12:59 PM

Okay, I've deleted that entry, and now when I tried to browse to that specific file it wasn't there?

#13 ken545
  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:03:41 PM

Posted 08 April 2010 - 01:16 PM

Almost done

QUOTE
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]


Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

If you saved the file correctly it should look like this

How are things running now ?

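The fix above works because Windows, when booted into Safe Mode, loads only the drivers and services listed under SafeBoot\Minimal (Safe Mode) and SafeBoot\Network (Safe Mode with Networking); a malicious driver that adds its own subkey there keeps loading even in Safe Mode, which is why both klmdb.sys entries are deleted. In a .reg file the [-Key] form deletes that key and everything under it, so it is worth seeing exactly what a fix will do before merging it. The script below is added here for the thread and is not part of regedit or of the original post: it dry-runs a REGEDIT4 file, lists the operations it encodes, and separates SafeBoot changes from anything else. The sample input is the Regfix.reg from the post, verbatim; the second sample in the test is constructed.

```python
"""Dry-run a REGEDIT4 / .reg file and list what merging it would change.

Added example for this thread; it is not part of HijackThis, regedit or
the original post.  It understands the forms a hand-written fix uses:
    [Key]          create or open a key
    [-Key]         delete the key and everything under it
    "Name"=data    set a value  (data is "string", dword:..., hex:...)
    "Name"=-       delete a value
    @=data         the key's (Default) value
so the reader can confirm, before merging Regfix.reg, that it touches
nothing beyond the two SafeBoot entries the helper intended.
"""
import re
from typing import List, NamedTuple

VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
SAFEBOOT_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.+)$')


class Operation(NamedTuple):
    action: str   # create_key | delete_key | set_value | delete_value
    key: str      # full registry path as written in the file
    detail: str   # "Name=data" for value operations, "" for key operations


def parse_reg(text: str) -> List[Operation]:
    """Parse .reg text into operations; raise ValueError on anything odd."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in VALID_HEADERS:
        raise ValueError("first line must be REGEDIT4 or the Version 5.00 header")

    # hex: data may continue over several lines with a trailing backslash.
    logical: List[str] = []
    for raw in lines[1:]:
        stripped = raw.strip()
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + stripped
        else:
            logical.append(stripped)

    ops: List[Operation] = []
    current_key = None
    for line in logical:
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km["key"]
            ops.append(Operation("delete_key" if km["delete"] else "create_key",
                                 current_key, ""))
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key is not None:
            name = "(Default)" if vm["name"] == "@" else vm["name"][1:-1]
            action = "delete_value" if vm["data"] == "-" else "set_value"
            ops.append(Operation(action, current_key, f"{name}={vm['data']}"))
            continue
        # A value with no key above it, or mangled brackets, would make
        # regedit fail or silently skip the line; refuse it up front.
        raise ValueError(f"unrecognised line: {line!r}")
    return ops


def safeboot_operations(ops: List[Operation]) -> List[Operation]:
    """Operations that change which drivers/services load in Safe Mode."""
    prefix = SAFEBOOT_PREFIX.upper()
    return [op for op in ops if op.key.upper().startswith(prefix)]


def outside_safeboot(ops: List[Operation]) -> List[Operation]:
    """Everything the file would do besides editing the SafeBoot lists."""
    prefix = SAFEBOOT_PREFIX.upper()
    return [op for op in ops if not op.key.upper().startswith(prefix)]


# The Regfix.reg from the post, verbatim.
REGFIX = """REGEDIT4

[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\klmdb.sys]
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\network\\klmdb.sys]
"""

if __name__ == "__main__":
    ops = parse_reg(REGFIX)
    for op in ops:
        print(f"{op.action:13} {op.key} {op.detail}")
    print(f"{len(safeboot_operations(ops))} SafeBoot change(s), "
          f"{len(outside_safeboot(ops))} other change(s)")
```

Two caveats a responder would add: the file must be saved as plain text with a .reg extension (choosing All Files in Notepad stops it being saved as Regfix.reg.txt), and these two lines only remove the Safe Mode load entries. The driver's own service key under HKLM\SYSTEM\CurrentControlSet\Services\klmdb and the file in system32\drivers, if it is present, are untouched and need checking separately.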


#14 udwm995
  • Topic Starter
  • Members
  • 35 posts
  • Location:Perth, Australia
  • Local time:03:41 AM

Posted 08 April 2010 - 01:25 PM

Okay, I've successfully added them to the registry. I'll now reboot and use my computer for a while, see how things are going and let you know tomorrow, as it's 2:30 in the morning here and I'm seriously tired. Thanks for the help so far; hopefully everything's good and fixed!!

#15 ken545
  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:03:41 PM

Posted 08 April 2010 - 01:37 PM

Go ahead and reboot and let me know how it's going. I will keep this thread open for you for a few days, so post back and let me know.
