
Computer CPU's get maxed out


This topic is locked. 19 replies to this topic.

#1 sanjb
  • Members
  • 11 posts

Posted 09 February 2011 - 05:40 AM

Hi Guys

Trying to find out why my Dell Optiplex 320 (config below) slows down (java.exe generally using most of the CPU and memory) and the computer sounds like an aeroplane about to take off! I am attaching a log from HijackThis (below the system config) and shall be grateful if this could be analysed and any weaknesses identified. I wonder whether it's the AVG; I have heard it's not as good as it used to be? Thanks.
=================================================
Operating System: OS Name Microsoft Windows XP Professional, OS Version 5.1.2600, ServicePack 3.0, Internet Explorer Version 8.0.6001.18702, Microsoft DirectX Version 9.0c (4.09.00.0904), OpenGL Version 5.1.2600.5512 (xpsp.080413-0845), Free Physical Memory 1966 MB, Free Page File 3538 MB, Free Virtual Memory 2007 MB

Center Processor: CPU Name Intel® Pentium® 4 CPU 2.80GHz, Code Name Model 4 Stepping 9, Manufacturer GenuineIntel, Current Clock Speed 2793Mhz, Max Clock Speed 2793Mhz, Voltage 1.8V,External Clock 800Mhz, CPU ID x86 Family 15 Model 4 Stepping 9, Socket Designation Microprocessor 16KB 1024KB

Memory Resource: Total Memory 3582 MB, Used Memory 1615 MB, Free Memory 1967 MB, Memory Usage 45%

Video Adapter:Name 128MB ATI RADEON X600 SE,Video Processor RADEON X600 SE (0x5B62), Manufacturer ATI Technologies Inc.,Video Architecture VGA, DAC Type Internal DAC(400MHz), Memory Size 128MB, Memory Type Unknown, Video Mode 1680 x 1050 x 4294967296 colors, Current Refresh Rate 60Hz,Driver Version 6.14.10.6641, Driver Date 15/02/2007 19:59:56
=================================================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:37:11, on 09/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gemalto\Classic Client\BIN\GslShmSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Gemalto\Classic Client\BIN\RegTool.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe


#2 oneof4
  • Malware Response Team
  • 3,779 posts
  • Location: The Collective

Posted 15 February 2011 - 01:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic: Why we request you disable CD Emulation when receiving Malware Removal Advice

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Best Regards,
oneof4.


#3 oneof4
  • Malware Response Team
  • 3,779 posts
  • Location: The Collective

Posted 19 February 2011 - 12:47 PM

Do you still need help?

Best Regards,
oneof4.


#4 sanjb
  • Topic Starter
  • Members
  • 11 posts

Posted 21 February 2011 - 05:55 AM

Hi Guys

Sorry, I had been away and got back today, and yes, the PC still sounds like an aeroplane at take-off when programs are running, so I do need help.
To start with, I ran the OTL scan (both as normal and also with no internet or anti-virus on); in both cases I got the same error message: 'SYSTEM' IS NOT A VALID INTEGER VALUE

I then tried to run the GMER scan (after I had stopped the internet, anti-virus, etc.); when I clicked the exe file, I got the dreaded Blue Screen: A PROBLEM HAS BEEN DETECTED AND WINDOWS HAS BEEN SHUT DOWN TO PREVENT DAMAGE TO YOUR COMPUTER. A DRIVER HAS OVERRUN A STACK-BASED BUFFER. THIS OVERRUN COULD POTENTIALLY ALLOW A MALICIOUS USER TO GAIN CONTROL OF THIS MACHINE. IF THIS IS THE FIRST TIME YOU HAVE SEEN THIS STOP ERROR SCREEN, RESTART THE COMPUTER ....... TECH INFO: STOP:0X000000F7 (0X00009C70, 0x0000C32, 0xFFFFF3CD, 0x00000000)

I have restarted the PC and will run the scan again and post the results on here when I get back from work later this evening; apologies for drip-feeding the info, but I have to leave for work now.

Thanks.

#5 sanjb
  • Topic Starter
  • Members
  • 11 posts

Posted 22 February 2011 - 03:46 AM

Hi

Please see below the GMER scan report. I hope this and the above post will help in trying to locate the problem. Thanks.


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-22 08:31:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
Running: ygl5cr52.exe; Driver: C:\DOCUME~1\SANJAY~1.HH-\LOCALS~1\Temp\uglyipod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xAFA68FE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xAFA69996]
SSDT spkr.sys ZwCreateKey [0xB9EB50E0]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xBA3B3864]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xAFA69AF6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xAFA6D36C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xAFA6D39E]
SSDT spkr.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spkr.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xAFA6D500]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xAFA69A5A]
SSDT spkr.sys ZwOpenKey [0xB9EB50C0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xAFA69128]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xAFA6931A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xAFA6944C]
SSDT spkr.sys ZwQueryKey [0xB9ECE20A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xAFA6D476]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xAFA6D3E0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xAFA6D412]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xAFA6D444]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xAFA68F8A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xAFA69B56]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xBA3B382E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xAFA68F26]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xAFA68E7A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xAFA68EC2]

INT 0x62 ? 8B651BF8
INT 0x63 ? 8B4B6BF8
INT 0x82 ? 8B651BF8
INT 0x94 ? 8B4B6BF8
INT 0xA4 ? 8B4B6BF8
INT 0xB4 ? 8B4B6BF8

---- Kernel code sections - GMER 1.0.15 ----

? spkr.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8E4E8AC 5 Bytes JMP 8B4B61D8
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB8D80F80]
.text arvsd76l.SYS B8CAF386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text arvsd76l.SYS B8CAF3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text arvsd76l.SYS B8CAF3C4 3 Bytes [00, 80, 02]
.text arvsd76l.SYS B8CAF3C9 1 Byte [30]
.text arvsd76l.SYS B8CAF3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1336] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1700] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414C10 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1700] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1700] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1700] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3596] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 004397C0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3596] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3596] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spkr.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spkr.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spkr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spkr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spkr.sys
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B6C01F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 8B3DA1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B6C21F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B6C21F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B6C21F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B6C21F8
Device \Driver\usbuhci \Device\USBPDO-1 8B3DA1F8
Device \Driver\usbuhci \Device\USBPDO-2 8B3DA1F8
Device \Driver\usbuhci \Device\USBPDO-3 8B3DA1F8
Device \Driver\usbehci \Device\USBPDO-4 8B3C31F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCI_PNP2312 \Device\00000062 spkr.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B6521F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B6521F8
Device \Driver\Cdrom \Device\CdRom0 8B4111F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9DEAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8B4111F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AC141F8
Device \Driver\NetBT \Device\NetbiosSmb 8AC141F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5BDAB0FC-A0C9-4B58-BAB2-85AF0239E6A5} 8AC141F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8B3DA1F8
Device \Driver\usbuhci \Device\USBFDO-1 8B3DA1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AC031F8
Device \Driver\usbuhci \Device\USBFDO-2 8B3DA1F8
Device \Driver\sptd \Device\1783441062 spkr.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AC031F8
Device \Driver\usbuhci \Device\USBFDO-3 8B3DA1F8
Device \Driver\usbehci \Device\USBFDO-4 8B3C31F8
Device \Driver\Ftdisk \Device\FtControl 8B6521F8
Device \Driver\arvsd76l \Device\Scsi\arvsd76l1 8B4071F8
Device \Driver\imagedrv \Device\Scsi\imagedrv1 8B6C11F8
Device \Driver\arvsd76l \Device\Scsi\arvsd76l1Port3Path0Target0Lun0 8B4071F8
Device \FileSystem\Fastfat \Fat 89D4D1F8
Device \FileSystem\Fastfat \Fat AB596297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8B403500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x56 0xD7 0xC5 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE9 0x56 0x35 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x22 0xE2 0x44 0x1F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x56 0xD7 0xC5 0x0E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE9 0x56 0x35 0xD3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x22 0xE2 0x44 0x1F ...

---- EOF - GMER 1.0.15 ----
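Most of the GMER output above can be closed out by reading it: the SSDT entries carry GMER's "(Name/Vendor)" attribution to Trusteer Rapport, and the Devices section lists spkr.sys under \Driver\sptd, whose registry configuration points at DAEMON Tools Lite, the CD-emulation software the helpers asked to have disabled. The lines a triager still has to chase are the ones with no attribution at all: the spkr.sys SSDT hooks, the "?" entries for INT vectors, the module GMER could not find on disk, the user-mode JMPs whose destination is not tied to a module, and the arvsd76l.SYS IAT entries that resolve to raw values. The script below is an added example, not part of this thread and not GMER tooling: it parses these GMER 1.0.15 line families into records and prints only the entries that meet those criteria. The sample log is constructed from lines excerpted above, and the triage rules (no vendor attribution, file missing on disk, unresolved owner) are my own, not GMER's.

```python
"""Triage helper for GMER 1.0.15 log lines (added example; not part of this
thread and not GMER tooling)."""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the GMER log posted above.
SAMPLE_LOG = r"""
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xAFA69996]
SSDT spkr.sys ZwCreateKey [0xB9EB50E0]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xBA3B3864]
SSDT spkr.sys ZwOpenKey [0xB9EB50C0]
INT 0x62 ? 8B651BF8
---- Kernel code sections - GMER 1.0.15 ----
? spkr.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8E4E8AC 5 Bytes JMP 8B4B61D8
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[1336] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1700] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spkr.sys
IAT \SystemRoot\System32\Drivers\arvsd76l.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
"""

HEX = r"[0-9A-Fa-f]+"
# One pattern per GMER line family; "(Name/Vendor)" is GMER's attribution suffix.
SSDT_RE = re.compile(rf"^SSDT\s+(?P<module>.+?)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[0x{HEX}\]$")
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified")
INT_RE = re.compile(rf"^INT\s+(?P<vector>0x{HEX})\s+(?P<owner>\S+)\s+(?P<addr>{HEX})$")
KTEXT_RE = re.compile(rf"^\.text\s+(?P<module>[^\s!]+)!(?P<func>\S+)\s+{HEX}\s+\d+ Bytes\s+JMP\s+(?P<dest>{HEX})$")
UTEXT_RE = re.compile(rf"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<target>\S+!\S+(?:\s\+\s{HEX})?)\s+{HEX}\s+\d+ Bytes"
                      rf"\s+JMP\s+(?P<dest>{HEX})(?:\s+(?P<owner>.+?)\s+\((?P<desc>[^)]*)\))?$")
IAT_RE = re.compile(rf"^IAT\s+(?P<module>.+?)\[(?P<import>[^\]]+)\]\s+(?:\[{HEX}\]\s+(?P<owner>\S+)|{HEX})$")


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_gmer(text):
    """Turn the recognised GMER line families into records; everything else is ignored."""
    rec = {"ssdt": [], "int": [], "kernel_patch": [], "user_hooks": [], "iat": [], "missing": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            rec["ssdt"].append({"module": basename(m["module"]), "desc": m["desc"], "func": m["func"]})
        elif m := MISSING_RE.match(line):
            rec["missing"].append(basename(m["module"]))
        elif m := INT_RE.match(line):
            rec["int"].append(m.groupdict())
        elif m := UTEXT_RE.match(line):          # before KTEXT_RE: both families start with ".text"
            rec["user_hooks"].append(m.groupdict())
        elif m := KTEXT_RE.match(line):
            rec["kernel_patch"].append(m.groupdict())
        elif m := IAT_RE.match(line):
            rec["iat"].append({"module": basename(m["module"]), "import": m["import"], "owner": m["owner"]})
    return rec


def ssdt_hooks_by_module(rec):
    """Which module owns which SSDT entries: the first thing to eyeball in a GMER log."""
    owners = defaultdict(list)
    for h in rec["ssdt"]:
        owners[h["module"]].append(h["func"])
    return {mod: sorted(funcs) for mod, funcs in owners.items()}


def triage(rec):
    """Entries that cannot be closed out from the log alone (rules are mine, not GMER's)."""
    findings, missing = [], set(rec["missing"])
    attributed = defaultdict(bool)                # module -> any hook carries a vendor tag
    for h in rec["ssdt"]:
        attributed[h["module"]] |= bool(h["desc"])
    for mod, funcs in ssdt_hooks_by_module(rec).items():
        if not attributed[mod]:
            findings.append(f"SSDT: {mod} hooks {len(funcs)} service(s) with no vendor attribution: {', '.join(funcs)}")
        if mod in missing:
            findings.append(f"SSDT: {mod} hooks the service table but GMER could not find its file on disk")
    for i in rec["int"]:
        if i["owner"] == "?":
            findings.append(f"IDT: vector {i['vector']} handler at {i['addr']} has no identified owner")
    for p in rec["kernel_patch"]:
        findings.append(f"Kernel inline patch: {p['module']}!{p['func']} redirected to {p['dest']}")
    for h in rec["user_hooks"]:
        if h["owner"] is None:
            findings.append(f"User-mode hook: {h['proc']} {h['target']} -> {h['dest']} (destination not attributed to a module)")
    for e in rec["iat"]:
        if e["owner"] is None:
            findings.append(f"IAT: {e['module']} import {e['import']} unresolved (raw value, no owning module)")
    return findings


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for mod, funcs in ssdt_hooks_by_module(parsed).items():
        print(f"{mod}: {', '.join(funcs)}")
    print(*triage(parsed), sep="\n")
```

Run against the sample, the attributed Trusteer and Microsoft entries drop out and seven lines remain, all of which are the ones a helper would look at by hand: two for spkr.sys, the unowned INT 0x62 handler, the USBPORT.SYS inline patch, the two Rapport user-mode JMPs into unnamed memory, and the arvsd76l.SYS IAT entry. The parser only surfaces the lines; tying spkr.sys to sptd and DAEMON Tools still has to be done from the Devices and Registry sections, as above.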

#6 Elise
  • Malware Study Hall Admin
  • 61,091 posts
  • Location: Romania

Posted 23 February 2011 - 08:39 AM

Hello, and sorry for the delay.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt; click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


#7 sanjb
  • Topic Starter
  • Members
  • 11 posts

Posted 25 February 2011 - 07:10 AM

Hi

Please see below the result of the ComboFix scan.

ComboFix 11-02-24.05 - Sanjay 25/02/2011 11:16:21.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3582.2376 [GMT 0:00]
Running from: c:\documents and settings\Sanjay.HH-XP-05\My Documents\Downloads\ComboFix.exe
AV: AVG Internet Security *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\SANJAY~1.HH-\LOCALS~1\Temp\gdt98.tmp
c:\docume~1\SANJAY~1.HH-\LOCALS~1\Temp\sfamcc00001.dll
c:\docume~1\SANJAY~1.HH-\LOCALS~1\Temp\sfareca00001.dll
c:\documents and settings\Sanjay.HH-XP-05\Local Settings\Temp\gdt98.tmp
c:\documents and settings\Sanjay.HH-XP-05\Local Settings\Temp\sfamcc00001.dll
c:\documents and settings\Sanjay.HH-XP-05\Local Settings\Temp\sfareca00001.dll
c:\program files\Freenet\updater\wget.exe
.
---- Previous Run -------
.
c:\documents and settings\administrator.HENRYGROUP\GoToAssistDownloadHelper.exe
c:\documents and settings\Sanjay.HH-XP-05\Application Data\Local\Temp\DDM\Settings\.ddr
c:\documents and settings\Sanjay.HH-XP-05\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\Sanjay.HH-XP-05\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\Sanjay.HH-XP-05\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2)
c:\documents and settings\Sanjay.HH-XP-05\System\win_qs8.jqx
c:\program files\RelevantKnowledge\rlls.dll
c:\program files\RelevantKnowledge\rlls64.dll
c:\program files\RelevantKnowledge\rlservice.exe
c:\program files\RelevantKnowledge\rlvknlg.exe
c:\program files\RelevantKnowledge\rlvknlg64.exe
C:\test.txt
c:\windows\jestertb.dll
c:\windows\system32\Nagasoft\32.ICO
c:\windows\system32\Nagasoft\Codecs\asyncflt.ax
c:\windows\system32\Nagasoft\Codecs\atrc.dll
c:\windows\system32\Nagasoft\Codecs\cook.dll
c:\windows\system32\Nagasoft\Codecs\drvc.dll
c:\windows\system32\Nagasoft\Codecs\raac.dll
c:\windows\system32\Nagasoft\Codecs\RealMediaSplitter.ax
c:\windows\system32\Nagasoft\Codecs\WMFDemux.dll
c:\windows\system32\Nagasoft\config.ini
c:\windows\system32\Nagasoft\FFVJPlayer.exe
c:\windows\system32\Nagasoft\GifShower.dll
c:\windows\system32\Nagasoft\Uninstall.exe
c:\windows\system32\Nagasoft\vjocx.dll
c:\windows\system32\Nagasoft\vjocx.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_vvdsvc
-------\Legacy_vvdsvc
-------\Service_vvdsvc
-------\Service_vvdsvc


((((((((((((((((((((((((( Files Created from 2011-01-25 to 2011-02-25 )))))))))))))))))))))))))))))))
.

2011-02-25 10:49 . 2011-02-25 10:54 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-15 22:32 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-02-09 23:03 . 2011-02-09 23:03 -------- dc----w- C:\$AVG
2011-02-08 22:11 . 2011-02-08 22:11 -------- d-----w- c:\documents and settings\Sonia\Application Data\DivX
2011-02-07 23:42 . 2010-12-22 16:37 158720 ----a-w- c:\windows\system32\WS_VideoConverterContextMenu.dll
2011-02-07 23:42 . 2010-11-19 18:02 892928 ----a-w- c:\windows\system32\iconv.dll
2011-02-07 23:42 . 2010-11-19 18:02 675840 ----a-w- c:\windows\system32\ac3filter.ax
2011-02-07 23:41 . 2011-02-07 23:41 -------- d-----w- c:\program files\Wondershare
2011-02-07 21:36 . 2011-02-07 23:56 -------- d-----w- c:\program files\4Videosoft Studio
2011-02-07 17:05 . 2011-02-07 17:05 -------- d-----w- c:\documents and settings\Sanjay.HH-XP-05\Application Data\Media Player Classic
2011-02-07 17:04 . 2011-02-07 17:04 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-02-07 16:57 . 2011-02-07 16:57 -------- d-----w- c:\documents and settings\Sanjay.HH-XP-05\Application Data\VistaCodecs
2011-02-07 16:57 . 2011-02-07 16:57 -------- d-----w- c:\program files\VistaCodecPack
2011-02-07 16:56 . 2011-02-07 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\VistaCodecs
2011-02-07 16:20 . 2011-02-07 16:25 -------- d-----w- c:\documents and settings\Sanjay.HH-XP-05\Application Data\vlc
2011-02-07 16:09 . 2011-02-07 16:09 -------- d--h--w- c:\windows\PIF
2011-02-07 15:28 . 2011-02-07 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickMediaConverter
2011-02-07 15:28 . 2011-02-07 15:28 -------- d-----w- c:\documents and settings\Sanjay.HH-XP-05\Application Data\CocoonSoftware
2011-02-07 15:28 . 2011-02-07 15:28 -------- d-----w- c:\program files\QuickMediaConverter
2011-02-07 15:27 . 2011-02-07 15:27 -------- d-----w- c:\documents and settings\Sanjay.HH-XP-05\Local Settings\Application Data\WDSetup
2011-02-05 02:21 . 2011-02-05 02:21 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc1AE.tmp
2011-02-03 10:56 . 2011-02-03 10:56 -------- d-----w- c:\program files\KC Softwares
2011-02-03 01:18 . 2011-02-03 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-02-03 00:26 . 2008-10-29 00:27 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-02-03 00:26 . 2008-10-29 00:27 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-02-03 00:26 . 2009-09-15 20:09 966656 ----a-w- c:\windows\system32\hpost_p03b.dll
2011-02-03 00:26 . 2009-09-15 20:09 885760 ----a-w- c:\windows\system32\hposwia_p03b.dll
2011-02-03 00:26 . 2009-09-15 20:09 315392 ----a-w- c:\windows\system32\hposc_p03a.dll
2011-02-03 00:14 . 2011-02-03 02:25 -------- d-----w- c:\documents and settings\Copm Admin
2011-02-02 21:54 . 2011-02-06 01:04 -------- d-----w- c:\documents and settings\Sanjay.HH-XP-05\Application Data\HP
2011-02-02 21:53 . 2011-02-02 21:53 -------- d-----w- c:\documents and settings\Sanjay.HH-XP-05\Local Settings\Application Data\Octoshape
2011-02-02 21:36 . 2011-02-02 21:36 -------- d-----w- c:\documents and settings\Sanjay.HH-XP-05\Application Data\Octoshape
2011-02-02 10:28 . 2011-02-02 10:28 -------- d-----w- c:\documents and settings\Sonia\Application Data\Yahoo!
2011-02-02 04:12 . 2011-01-20 10:39 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{3BA662E5-3059-408C-B752-F594C795FB36}\mpengine.dll
2011-02-02 04:06 . 2011-01-20 10:39 5890896 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-02-02 01:48 . 2011-02-02 01:48 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-02-02 01:48 . 2011-02-02 01:48 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-02-02 01:48 . 2011-02-02 01:48 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-02-02 01:48 . 2011-02-02 01:48 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-02-02 01:47 . 2011-02-25 08:17 -------- d-----w- c:\windows\system32\drivers\Avg
2011-02-02 01:47 . 2011-02-02 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-02-02 01:09 . 2011-02-02 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2011-02-02 01:09 . 2011-02-02 01:09 -------- d-----w- c:\program files\HP Photo Creations
2011-02-02 01:09 . 2011-02-02 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2011-02-02 01:07 . 2011-02-03 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-02-02 00:30 . 2011-02-02 03:34 -------- d-----w- c:\documents and settings\Printer
2011-02-02 00:11 . 2011-02-02 00:11 -------- d-----w- c:\program files\1-abc
2011-02-02 00:11 . 2011-02-02 00:11 -------- d-----w- c:\documents and settings\Sanjay.HH-XP-05\Application Data\1-abc
2011-02-01 23:26 . 2011-02-01 23:26 -------- d-----w- c:\program files\CCleaner
2011-01-30 14:57 . 2011-01-30 14:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 14:57 . 2011-01-30 14:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-11 16:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-16 17:42 . 2011-01-16 17:42 3584 ----a-r- c:\documents and settings\Sanjay.HH-XP-05\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2011-01-07 14:09 . 2004-08-11 16:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-11 16:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-29 01:23 . 2010-12-29 01:23 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2010-12-29 01:19 . 2010-12-29 01:19 45056 ----a-w- c:\windows\system32\ff_acm.acm
2010-12-28 01:17 . 2010-12-28 01:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-28 01:17 . 2010-04-29 08:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-22 12:34 . 2004-08-11 16:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-11 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-11 16:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-11 16:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-11 16:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-11 16:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-11 16:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-11 16:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-11 16:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 21:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-08 14:46 . 2010-12-02 23:07 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2010-12-08 14:46 . 2010-07-16 00:56 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2010-12-08 13:12 . 2010-12-02 23:07 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 13:11 . 2010-12-02 23:07 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 13:11 . 2010-12-02 23:07 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 13:11 . 2010-12-02 23:07 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 16:24 . 2009-04-10 23:34 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-09-08 20:11 . 2010-04-05 15:00 119808 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"RegTool"="c:\program files\Gemalto\Classic Client\BIN\RegTool.exe" [2009-11-06 861696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 1501064]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-08 30192]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\su\Start Menu\Programs\Startup\
Outlook 2007.lnk - c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe [2007-8-23 845584]
SmartCapture.lnk - \\Hh-xp-05\c$\WINDOWS\Seiko\slpcap.exe [2007-2-14 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2007-8-27 1343488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2011-02-02 01:48 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 13:11 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"PMX Daemon"=ICO.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"4oD"="c:\program files\Kontiki\KHost.exe" -all
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\Sanjay.HH-XP-05\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{CCD42CCF-9AFF-4BC5-862A-38CCD3C8E8F8}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [23/08/2007 00:55 3456]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/04/2009 23:34 691696]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/02/2011 01:48 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/02/2011 01:48 243024]
R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys [24/02/2011 18:16 55224]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [30/01/2009 13:34 86552]
R2 freenet;Freenet background service;c:\program files\Freenet\bin\wrapper-windows-x86-32.exe [09/12/2010 02:23 241664]
R2 GslShmSrvc;GSL Share Memory;c:\program files\Gemalto\Classic Client\BIN\GslShmSrvc.exe [26/02/2009 14:45 69632]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [03/12/2010 08:40 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [27/01/2010 12:22 12856]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [18/05/2010 16:54 13408]
S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\AVG\AVG9\avgemc.exe" --> c:\program files\AVG\AVG9\avgemc.exe [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate1c9a8ea988e1312;Google Update Service (gupdate1c9a8ea988e1312);c:\program files\Google\Update\GoogleUpdate.exe [19/03/2009 23:29 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/04/2010 21:05 30192]
S3 GPinPad;GPinPad;c:\windows\system32\drivers\GPinPad.sys [29/09/2010 11:03 90752]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [28/08/2007 13:25 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [28/08/2007 13:25 14336]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\21923\RapportIaso.sys [17/12/2010 01:06 12928]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [30/01/2009 13:33 24876]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqddsvc hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2011-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2011-02-24 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2011-01-16 15:24]

2011-02-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-28 23:28]

2011-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 23:29]

2011-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 23:29]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3976014023-1560603607-688862853-1011Core.job
- c:\documents and settings\Sanjay.HH-XP-05\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-10 14:08]

2011-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3976014023-1560603607-688862853-1011UA.job
- c:\documents and settings\Sanjay.HH-XP-05\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-10 14:08]

2009-12-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-05-26 19:16]

2009-12-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-05-21 18:25]

2011-02-25 c:\windows\Tasks\User_Feed_Synchronization-{DFFE9861-4AF6-409F-8AE0-20E653EDEC2A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
mStart Page = hxxp://www.duxot.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} - hxxp://web.tpa.it/activex/AMC.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam.spiez.ch/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Sanjay.HH-XP-05\Application Data\Mozilla\Firefox\Profiles\mm72cqfz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4aee9927&v=6.010.006.004&i=26&tp=ab&iy=&ychte=uk&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Property Bee: {da8bd68d-8e90-41cd-8345-a71b294e72e6} - %profile%\extensions\{da8bd68d-8e90-41cd-8345-a71b294e72e6}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: keyword.URL - hxxp://www.afodo.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=FOmlHOjH&q=
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-VJOcx2.0 - c:\windows\system32\Nagasoft\Uninstall.exe
AddRemove-{d08d9f98-1c78-4704-87e6-368b0023d831} - c:\program files\RelevantKnowledge\rlvknlg.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-25 11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d4,2d,b1,91,79,fe,e0,4d,ba,99,0f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d4,2d,b1,91,79,fe,e0,4d,ba,99,0f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1368)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(5196)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Java\jre6\bin\java.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\taskmgr.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\dwwin.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-02-25 11:59:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-25 11:59

Pre-Run: 14,366,232,576 bytes free
Post-Run: 14,408,937,472 bytes free

- - End Of File - - 19BAFB9F616BC2C6A706FDEF29F56911

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 25 February 2011 - 01:52 PM

How are things running now? One of the infections (relevant knowledge) is known to slow down computers, so I hope that things have improved now that it is removed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#9 sanjb
  • Topic Starter
  • Members
  • 11 posts

Posted 25 February 2011 - 06:07 PM

Elise

Thanks very much for the help - appreciate the saying "silence is golden" now! CPU not maxing out & my PC does not seem like it's about to sprout wings and take off! Problem solved - you guys are Ace!

Sanj

#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 26 February 2011 - 03:33 AM

I'm glad to hear that!

Let's make sure everything is fine indeed. Please run OTL as instructed earlier and post me the logs.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#11 sanjb
  • Topic Starter
  • Members
  • 11 posts

Posted 26 February 2011 - 05:23 PM

Hi

Tried to run the OTL scan again, but get the same error message 'SYSTEM' IS NOT A VALID INTEGER VALUE - message appears when the file is scanning "HKEY_LOCAL_MACHINE Winsock 2 settings....". Only get an OK option & the scan stops when OK is clicked.

#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 27 February 2011 - 02:58 AM

Please try the following:


We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#13 sanjb
  • Topic Starter
  • Members
  • 11 posts

Posted 27 February 2011 - 08:18 AM

Hi - please see below the DDS scan log plus the attach log zipped and attached as per the instructions post scan.
Many Thanks.
---------------------------------------------------------------------------------------------------------------------

DDS (Ver_10-12-12.02) - NTFSx86
Run by Sanjay at 13:10:09.51 on 27/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3582.2791 [GMT 0:00]

AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled*

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Gemalto\Classic Client\BIN\RegTool.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Sanjay.HH-XP-05\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.co.uk/
mStart Page = hxxp://www.duxot.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [RegTool] c:\program files\gemalto\classic client\bin\RegTool.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wn111\wn111.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256029368625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader4.cab
DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} - hxxp://web.tpa.it/activex/AMC.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam.spiez.ch/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sanjay~1.hh-\applic~1\mozilla\firefox\profiles\mm72cqfz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4aee9927&v=6.010.006.004&i=26&tp=ab&iy=&ychte=uk&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\mozilla firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Property Bee: {da8bd68d-8e90-41cd-8345-a71b294e72e6} - %profile%\extensions\{da8bd68d-8e90-41cd-8345-a71b294e72e6}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: keyword.URL - hxxp://www.afodo.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=FOmlHOjH&q=

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2007-8-23 3456]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
R1 AvgLdx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-2-2 251728]
R1 AvgMfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-2-2 34384]
R1 AvgTdiX;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-2 299984]
R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\23945\RapportCerberus_23945.sys [2011-2-24 55224]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-1-30 86552]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-12-2 47640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2010-5-18 13408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
S3 GPinPad;GPinPad;c:\windows\system32\drivers\GPinPad.sys [2010-9-29 90752]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2007-8-28 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2007-8-28 14336]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\21923\RapportIaso.sys [2010-12-17 12928]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2009-1-30 24876]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\toolbarbroker.exe --> c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [?]
S4 avg9emc;AVG Free E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
S4 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S4 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
S4 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S4 freenet;Freenet background service;c:\program files\freenet\bin\wrapper-windows-x86-32.exe [2010-12-9 241664]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-4-5 30192]
S4 GslShmSrvc;GSL Share Memory;c:\program files\gemalto\classic client\bin\GslShmSrvc.exe [2009-2-26 69632]
S4 gupdate1c9a8ea988e1312;Google Update Service (gupdate1c9a8ea988e1312);c:\program files\google\update\GoogleUpdate.exe [2009-3-19 133104]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-3 374152]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2011-02-26 10:34:56 -------- d-----w- c:\program files\Support Tools
2011-02-25 13:44:02 -------- d-----w- c:\docume~1\sanjay~1.hh-\applic~1\AVG
2011-02-25 12:56:48 -------- d-----w- c:\docume~1\sanjay~1.hh-\applic~1\AVG10
2011-02-25 12:49:56 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-25 12:46:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-25 11:13:58 -------- dc----w- C:\ComboFix
2011-02-25 10:49:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-25 08:47:20 98816 ----a-w- c:\windows\sed.exe
2011-02-25 08:47:20 89088 ----a-w- c:\windows\MBR.exe
2011-02-25 08:47:20 256512 ----a-w- c:\windows\PEV.exe
2011-02-25 08:47:20 161792 ----a-w- c:\windows\SWREG.exe
2011-02-24 23:40:09 -------- dcsha-r- C:\cmdcons
2011-02-24 23:40:04 -------- d-----w- c:\windows\setup.pss
2011-02-24 23:39:31 -------- d-----w- c:\windows\setupupd
2011-02-15 22:32:08 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-02-09 23:03:23 -------- dc----w- C:\$AVG
2011-02-07 23:42:08 158720 ----a-w- c:\windows\system32\WS_VideoConverterContextMenu.dll
2011-02-07 23:42:01 892928 ----a-w- c:\windows\system32\iconv.dll
2011-02-07 23:42:01 675840 ----a-w- c:\windows\system32\ac3filter.ax
2011-02-07 23:41:57 -------- d-----w- c:\program files\Wondershare
2011-02-07 21:36:19 -------- d-----w- c:\program files\4Videosoft Studio
2011-02-07 17:04:01 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-02-07 16:57:35 -------- d-----w- c:\docume~1\sanjay~1.hh-\applic~1\VistaCodecs
2011-02-07 16:57:24 -------- d-----w- c:\program files\VistaCodecPack
2011-02-07 16:56:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\VistaCodecs
2011-02-07 16:09:49 -------- d--h--w- c:\windows\PIF
2011-02-07 15:28:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\QuickMediaConverter
2011-02-07 15:28:29 -------- d-----w- c:\docume~1\sanjay~1.hh-\applic~1\CocoonSoftware
2011-02-07 15:28:10 -------- d-----w- c:\program files\QuickMediaConverter
2011-02-07 15:27:56 -------- d-----w- c:\docume~1\sanjay~1.hh-\locals~1\applic~1\WDSetup
2011-02-05 02:21:33 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc1AE.tmp
2011-02-03 10:56:39 -------- d-----w- c:\program files\KC Softwares
2011-02-03 00:26:28 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-02-03 00:26:28 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-02-03 00:26:27 966656 ----a-w- c:\windows\system32\hpost_p03b.dll
2011-02-03 00:26:27 885760 ----a-w- c:\windows\system32\hposwia_p03b.dll
2011-02-03 00:26:27 315392 ----a-w- c:\windows\system32\hposc_p03a.dll
2011-02-02 21:53:56 -------- d-----w- c:\docume~1\sanjay~1.hh-\locals~1\applic~1\Octoshape
2011-02-02 21:36:02 -------- d-----w- c:\docume~1\sanjay~1.hh-\applic~1\Octoshape
2011-02-02 04:12:06 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{3ba662e5-3059-408c-b752-f594c795fb36}\mpengine.dll
2011-02-02 04:06:28 5890896 ------w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\updates\mpengine.dll
2011-02-02 01:48:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-02-02 01:48:13 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-02-02 01:48:05 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-02-02 01:47:52 -------- d-----w- c:\windows\system32\drivers\Avg
2011-02-02 01:47:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2011-02-02 01:09:21 -------- d-----w- c:\program files\HP Photo Creations
2011-02-02 01:09:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\HP Photo Creations
2011-02-02 00:11:22 -------- d-----w- c:\program files\1-abc
2011-02-02 00:11:22 -------- d-----w- c:\docume~1\sanjay~1.hh-\applic~1\1-abc
2011-02-01 23:26:41 -------- d-----w- c:\program files\CCleaner
2011-01-30 14:57:00 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-01-30 14:57:00 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 23:30:08 256 ----a-w- c:\windows\system32\pool.bin
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-29 01:23:14 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2010-12-29 01:19:12 45056 ----a-w- c:\windows\system32\ff_acm.acm
2010-12-28 01:17:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-28 01:17:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-08 14:46:44 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2010-12-08 14:46:43 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2010-12-08 13:12:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 13:11:52 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 13:11:46 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 13:11:44 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 13:11:55.06 ===============


#14 Elise

Posted 27 February 2011 - 08:49 AM

Hi, that looks all pretty good. :)


P2P WARNING
-------------------
Going over your logs I noticed that you have BitTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Your version of Adobe Reader is outdated. Older versions have known security vulnerabilities. I recommend you visit Adobe's site and download and install Adobe Reader X.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#15 sanjb

Posted 27 February 2011 - 04:26 PM

Hi Elise

Thanks for the last post - BitTorrent was loaded on the PC a while ago and, as I don't use it, I will uninstall it. I did the Malwarebytes update and ran the scan and got the result below - am hoping I have now cleaned the machine out - definitely much quieter now. Thanks again for all your help.

=====================================

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5892

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/02/2011 18:16:05
mbam-log-2011-02-27 (18-16-05).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 469940
Time elapsed: 2 hour(s), 57 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\sanjay.hh-xp-05\my documents\downloads\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\relevantknowledge\rlls.dll.vir (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\relevantknowledge\rlls64.dll.vir (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\relevantknowledge\rlservice.exe.vir (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\relevantknowledge\rlvknlg.exe.vir (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\relevantknowledge\rlvknlg64.exe.vir (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1279\A0204424.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1279\A0204425.exe (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1279\A0204426.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1279\A0204427.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1279\A0204428.exe (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1279\A0204429.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1290\A0206406.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1310\A0214092.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1310\A0214093.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1310\A0214094.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1310\A0214095.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1310\A0214096.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
