Infected with Win32.Agent.cgzd


  • This topic is locked
37 replies to this topic

#1 Gyrfalcon

Gyrfalcon

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 20 July 2012 - 03:49 PM

I want to make sure I go through the right steps to disinfect, as this computer and its contents are very important to us.

Setup details of relevance:
- Win XP Pro SP3
- Avast (latest) running all enabled
- Spybot Search & Destroy running but not up-to-date (maybe 6-12 months behind in updates?)
- Firewall On (Windows built-in)
- NAT LAN setup with Firewalled router. Port 3389 is open and directed to my fixed IP, for RDP purposes.
- Everything has been running rock solid stable for months prior to this, no issues.
- I'm technically inclined and a somewhat advanced Windows user, but not a tinkerer and have no direct experience with viruses.

History and symptoms:
July 15th:
- Noticed Firefox (latest version) is not displaying parts of webpages.
- Further investigation reveals that Firefox is blocked from going to many websites (I get the Server Not Found page in Firefox), such as virus scanner websites (avast), Microsoft, and many others. Google is accessible and searches work, but most links from results end up with not found.
- Memory usage is high, 3.5GB when it should be closer to 1.5-2.0.
- Can't start Internet Explorer. The IE window opens then closes immediately when I launch.
- I conclude this is definitely virus-like behaviour.
- Opening Avast, going to Maintenance reveals it hasn't updated since July 13. Odd since normally it's done daily.
- Attempt manual update, can't find server.
- Run Quick Scan with Avast, finds nothing. Run Full Scan, high sensitivity, PUPs on, finds nothing.
- Windows notification that running out of memory; Virtual Memory automatically increased. This is definitely abnormal.
- Set Avast to run a Boot-Time scan, but don't reboot yet.
- Download Microsoft Security Essentials (MSE) from another PC on the LAN. Copy thru LAN and install.
- Manually download MSE definitions updates from other PC. Copy thru LAN and update.
- Run Full scan from MSE (while Avast is still enabled and active). It finds nothing.
- Reboot. Avast boot scan runs and finds nothing.
- Windows Login screen looks fine, mouse pointer works, but I can't click anywhere (clicking does nothing), including on the user icons to login. So I hard-reset the PC.
- Boot into my other partition which has Win 7 x64 Ultimate. Note that this partition is not mapped in the WinXP so hopefully not seen and still intact.
- Boot selection is via the Windows 7 boot selector.
- Win7 bootup does a C: Scandrive and reveals one problem, which it fixes; unfortunately I didn't note what.
- Within Win7, Avast updates itself normally.
- Avast Full scan, high sensitivity, PUPs, all drives. Nothing found.
- Map the WinXP partition to a drive letter. Scan as above, nothing found. bcd and bcd_log not scanned though, but likely normal?
- Buy a new external HDD and backup everything over the span of the next few days, all within Win7.

July 18:
- Boot back into WinXP for the first time since the 15th.
- I can log in this time.
- Desktop is slow to come; stays black. I Ctrl-Alt-Del and get the Task Manager.
- I initiate shutdown via Task Manager, and as it begins the shutdown, the rest of the desktop starts showing.
- Reboot, and it goes fine.
- Avast can now update, websites are ok.
- Full Avast high-sensitivity + PUP scan: nothing found.
- uninstall MSE.
- Run F-secure online scanner from Firefox. Finds nothing.
- Things seem to run well now. Hmmm.

July 19:
- As I'm browsing with Firefox: BSOD all of a sudden. Refers to IRQ-lower-than-or-equal. I didn't note anything further, sorry.
- This is very odd. PC was rock-solid stable prior to all this. Also ran fine from Win7 partition for a few days Jul 15-18.
- I launch Spybot. Download updates. Perform a full scan.
- Scan reveals Win32.Agent.cgzd. See screenshot attached.

I did not do anything further at this point. I am convinced I have a virus from all the symptoms I have seen and finally from the Spybot find. However, I'm a bit baffled that Avast and MSE and F-Secure online didn't find anything. Also, Avast from another boot found nothing.

Perhaps my Win7 also got infected upon bootup (that suspicious file fixing message I got upon bootup)...

On my WinXP, please note that I do have some System Restore points that date back prior to July 13th, which I'm suspecting is my infection date since that's when Avast stopped auto-updating.

I am wondering whether I should System-Restore, or let Spybot try fixing it, or maybe you have something more safe and robust as a solution.

The downside with System-restore is 2 things:
a) I had updated some user files since infection, so I would lose some data. Though I suppose I could Search by date and identify them so at least I know which.
b) My System Restore is unfortunately monitoring all drives, not just C and E, so I'm afraid I would lose more user file information from other drives in this restore (e.g. new pictures and videos downloaded from camera etc.).

FYI, I have programs installed on both C:\Program Files but also on my E: drive. Let me know if you need me to include E: in the GMER scan.

Sorry for the lengthy description, but I figure the more you know, the better. I have tried to retrace every step.

Thank you very much in advance for your assistance.

=========
DDS LOG
=========
.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by R at 15:22:29 on 2012-07-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2137 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
c:\CAD\altera\11.0sp1\quartus\bin\jtagserver.exe
E:\Progs-Main\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Second Copy 8\SCVSSSvc.exe
C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe
E:\Progs-Main\DynDNS Updater\DynUpSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\System32\MAFWTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Second Copy 8\SecCopy.exe
C:\Program Files\ASUS\AASP\1.00.59\aaCenter.exe
C:\Program Files\Palm\AlarmApp.exe
E:\Progs-Main\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Progs-Main\DynDNS Updater\DynTray.exe
E:\Progs-Main\Evernote\EvernoteClipper.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Progs-Main\Evernote\EvernoteTray.exe
E:\Progs-Main\Evernote\Evernote.exe
C:\Program Files\APC\PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\regedit.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\WINDOWS\system32\logon.scr
E:\Progs-Main\Mozilla Firefox\firefox.exe
R:\_Installers-new_since_G_down\System\DeFogger\Defogger.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uSearch Bar = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\r\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Power2GoExpress] NA
uRun: [Second Copy] "c:\program files\second copy 8\SecCopy.exe" /InitialWait=5
mRun: [CloneCDElbyCDFL] "c:\program files\elaborate bytes\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [HP SchedIndexer] e:\progs-main\hewlett-packard\laserjet 33xx\hppschedindexer.exe
mRun: [HP AutoIndexer] e:\progs-main\hewlett-packard\laserjet 33xx\hppautoindexer.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NBKeyScan] "e:\progs-main\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\blu-ray disc suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\blu-ray disc suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [ASUS Energy Saving] "c:\program files\asus\ai suite\energysaving\PwSave.exe"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [<NO NAME>]
mRun: [Display] c:\program files\apc\powerchute personal edition\DataCollectionLauncher.exe
mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\docume~1\r\startm~1\programs\startup\everno~1.lnk - e:\progs-main\evernote\EvernoteClipper.exe
StartupFolder: c:\docume~1\r\startm~1\programs\startup\everno~2.lnk - e:\progs-main\evernote\EvernoteTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\alarmm~1.lnk - c:\program files\palm\AlarmApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - e:\progs-main\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dynupd~1.lnk - e:\progs-main\dyndns updater\DynTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2012\QBW32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-system: DisableCAD = 1 (0x1)
IE: &Google Search
IE: &Translate English Word
IE: Add to Evernote 4.0 - e:\progs-main\evernote\EvernoteIE.dll/204
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - e:\progs-~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages
IE: Translate Page into English
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://e:\progs-main\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progs-~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {5334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpg4sax.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1339216750312
DPF: {894B8712-11F1-48A7-899F-36D6C695D9D8} - hxxp://download.sympatico.ca/bcss_cb/core/prod/codebaby.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.7002893519
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88}
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://lemieux.dragonwaveinc.com/dana-cached/sc/JuniperSetupClient.cab
TCP: Interfaces\{8F5B7AB3-7B77-4A3C-9B5B-D4A54DF2DA49} : NameServer = 192.168.2.1
TCP: Interfaces\{8F5B7AB3-7B77-4A3C-9B5B-D4A54DF2DA49} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B055BF2A-F3F5-43C5-ABDF-25A1EA7E66CB} : NameServer = 192.168.2.1
TCP: Interfaces\{DCC2909D-6688-434D-8365-6F8BDDB28EE5} : DhcpNameServer = 10.1.1.4 10.1.1.6
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2012\HelpAsyncPluggableProtocol.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - e:\progs-main\quicktax 2007\ic2007pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\r\application data\mozilla\firefox\profiles\09rcy76j.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/
FF - component: e:\progs-main\1password\firefox@1passwd.com\components\Agile1pFF.dll
FF - plugin: c:\documents and settings\r\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
FF - plugin: e:\progs-main\ign\download manager\npfpdlm.dll
FF - plugin: e:\progs-main\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: e:\progs-main\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin2.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin3.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin4.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin5.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin6.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin7.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [2002-11-28 22016]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2011-2-21 58568]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-2 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-3 353688]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2007-12-31 120320]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [2006-5-23 78848]
R1 Uim_Vim;UIM Virtual Image Plugin;c:\windows\system32\drivers\Uim_Vim.sys [2011-10-18 277576]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2012/01/13 21:40:34];c:\program files\cyberlink\powerdvd8\000.fcl [2010-1-12 87536]
R2 APC Data Service;APC Data Service;c:\program files\apc\powerchute personal edition\dataserv.exe [2011-8-24 21880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-3 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-21 44808]
R2 Dyn Updater;Dyn Updater;e:\progs-main\dyndns updater\DynUpSvc.exe [2011-11-15 95608]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-7-25 3712]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-7-5 1262400]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2011-8-24 430136]
R2 SCVSSService;Second Copy VSS Service;c:\program files\second copy 8\SCVSSSvc.exe [2012-2-12 968448]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [2011-12-22 21320]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2012-7-5 123840]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 250056]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2012-1-20 79360]
S3 Creative Dolby Digital Live Pack Licensing Service;Creative Dolby Digital Live Pack Licensing Service;c:\program files\common files\creative labs shared\service\DDLLicensing.exe [2012-1-20 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 IOMap;IOMap;c:\windows\system32\drivers\IOMap.sys [2012-1-7 33280]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2003-8-1 320384]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [2012-1-20 95304]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-11 113120]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-9-6 18432]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 Sage Simply Accounting Transaction Manager 2012 - CDN;Sage Simply Accounting Transaction Manager 2012 - CDN;c:\program files\winsim\transactionmanager2012 - cdn\Sage_SA.TransactionManager.exe [2011-12-22 46408]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys --> c:\windows\system32\drivers\scsiscan.sys [?]
S3 USB44LDR;M-Audio USB MidiSport 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2005-10-28 16416]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2005-10-28 22304]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-21 178112]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 siregsrv;siregsrv;e:\progs-~1\speedd~1\siregsrv.exe --> e:\progs-~1\speedd~1\SIREGSRV.EXE [?]
.
=============== File Associations ===============
.
.txt=TextPad.txt
.
=============== Created Last 30 ================
.
2012-07-18 15:41:32 -------- d-----w- c:\documents and settings\r\application data\QuickScan
2012-07-18 14:53:10 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-07-18 14:53:10 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-07-16 03:04:36 -------- d-sh--w- C:\FOUND.004
2012-07-16 02:23:22 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-07-06 02:52:00 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-07-06 02:52:00 15504192 ----a-w- c:\windows\system32\nvcpl.dll
2012-07-06 02:52:00 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-07-06 02:52:00 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-07-06 02:51:59 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-07-06 02:51:16 876864 ------w- c:\windows\system32\nvhdagenco3220103.dll
2012-07-06 02:51:16 27968 ----a-w- c:\windows\system32\nvhdap32.dll
2012-07-06 02:51:16 123840 ----a-w- c:\windows\system32\drivers\nvhda32.sys
2012-07-03 19:31:57 -------- d-----w- c:\program files\Intuit
2012-07-03 19:31:57 -------- d-----w- c:\documents and settings\all users\application data\Nuance
2012-07-02 16:54:37 4200024 ----a-w- c:\windows\system32\cdintf400.dll
2012-07-02 16:54:31 -------- d-----w- c:\program files\QuickenW
.
==================== Find3M ====================
.
2012-07-12 02:54:14 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 02:54:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-06 02:51:54 1074636 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-07-06 02:51:54 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-07-06 02:51:52 1074636 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-07-03 16:21:54 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22:10 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:34 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-15 10:18:00 883008 ----a-w- c:\windows\system32\nvgenco32.dll
2012-05-15 10:18:00 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-15 10:18:00 6012928 ----a-w- c:\windows\system32\nvcuda.dll
2012-05-15 10:18:00 4373248 ----a-w- c:\windows\system32\nv4_disp.dll
2012-05-15 10:18:00 2530624 ----a-w- c:\windows\system32\nvcuvid.dll
2012-05-15 10:18:00 2445120 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-05-15 10:18:00 2359808 ----a-w- c:\windows\system32\nvapi.dll
2012-05-15 10:18:00 18771968 ----a-w- c:\windows\system32\nvoglnt.dll
2012-05-15 10:18:00 17543168 ----a-w- c:\windows\system32\nvcompiler.dll
2012-05-15 10:18:00 14014656 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-05-15 10:18:00 1000768 ----a-w- c:\windows\system32\nvdispco32.dll
2012-05-11 14:42:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16:14 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:20 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2006-05-08 01:55:32 774144 ----a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 15:22:47.03 ===============

Attached Files
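A triage pass over a DDS log of the kind posted above, as an added example (not a DDS or BleepingComputer tool): it splits the log into its banner sections and pulls out the lines a helper would check first against the symptoms described (Avast reporting itself disabled and not updating, security sites unreachable, a suspected start date of July 13). The excerpt it runs on is constructed from lines of the log above; the finding labels are the example's own.

```python
"""Triage a DDS log of the kind pasted above.

Added example, not a DDS or BleepingComputer tool: it splits the log into its
banner sections and returns the entries a helper would check first against the
reported symptoms.  Finding labels are this example's own and are not verdicts."""
import re
from datetime import date

# Constructed excerpt in DDS format, assembled from lines of the log above so
# the parser runs offline.  Raw string: backslashes in paths are literal.
SAMPLE_DDS = r"""AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TCP: Interfaces\{8F5B7AB3-7B77-4A3C-9B5B-D4A54DF2DA49} : NameServer = 192.168.2.1
TCP: Interfaces\{DCC2909D-6688-434D-8365-6F8BDDB28EE5} : DhcpNameServer = 10.1.1.4 10.1.1.6
Hosts: 127.0.0.1 www.spywareinfo.com
.
=============== Created Last 30 ================
.
2012-07-18 14:53:10 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-07-16 03:04:36 -------- d-sh--w- C:\FOUND.004
2012-07-06 02:52:00 164160 ----a-w- c:\windows\system32\nvsvc32.exe
.
==================== Find3M ====================
.
2012-05-31 13:22:10 599040 ----a-w- c:\windows\system32\crypt32.dll
"""

# The post names July 13 (the day Avast stopped auto-updating) as the suspected start.
SUSPECTED_SINCE = date(2012, 7, 13)

BANNER = re.compile(r"^=+\s*(.*?)\s*=+$")
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ (\S+) (.+)$")


def split_sections(text):
    """Map each banner title ('Pseudo HJT Report', ...) to its lines.
    Text before the first banner goes under 'header'; DDS's filler '.' lines are dropped."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def triage(text, suspected_since):
    """Return (label, line) pairs worth a helper's attention.  Each label says why
    the line was pulled, not that it is malicious."""
    sec = split_sections(text)
    findings = []
    for line in sec["header"]:
        # The AV product reports itself disabled; the post also says it stopped updating.
        if line.startswith("AV:") and "*Disabled" in line:
            findings.append(("av_disabled", line))
    dns_sets = set()
    for line in sec.get("Pseudo HJT Report", []):
        if line.startswith("Hosts:"):
            # Hosts overrides are one way a machine shows "Server Not Found" for AV and
            # Microsoft sites while Google still resolves; each entry should be confirmed.
            findings.append(("hosts_override", line))
        elif line.startswith(("BHO:", "TB:", "EB:")) and line.endswith("- No File"):
            # Registered browser add-on whose file is gone: leftover of an uninstall or removal.
            findings.append(("orphaned_addon", line))
        elif line.startswith("TCP:") and "NameServer = " in line:
            # Matches both NameServer and DhcpNameServer entries.
            dns_sets.add(tuple(line.split("NameServer = ", 1)[1].split()))
    if len(dns_sets) > 1:
        # Interfaces disagree on DNS (here the LAN router vs. 10.1.1.x); each set
        # should be traceable to a known adapter, e.g. the LAN NIC or a VPN client.
        findings.append(("dns_servers_differ", "; ".join(" ".join(s) for s in sorted(dns_sets))))
    for line in sec.get("Created Last 30", []):
        m = CREATED.match(line)
        if not m:
            continue
        created, attrs = date.fromisoformat(m.group(1)), m.group(2)
        if created >= suspected_since:
            findings.append(("created_since_suspected", line))
        if "h" in attrs and "s" in attrs:
            # Hidden+system directory; FOUND.xxx folders are chkdsk's recovery output.
            findings.append(("hidden_system_created", line))
    return findings


def count_by_label(findings):
    """Tally findings per label for a one-glance summary."""
    counts = {}
    for label, _ in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


def triage_sample():
    """Run the triage over the constructed excerpt with the post's suspected date."""
    return triage(SAMPLE_DDS, SUSPECTED_SINCE)


if __name__ == "__main__":
    for label, line in triage_sample():
        print(f"[{label}] {line}")
```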


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:26 PM

Posted 25 July 2012 - 03:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/461642 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Gyrfalcon
  • Topic Starter

  • Members
  • 18 posts

Posted 26 July 2012 - 12:59 PM

Hello, I am still patiently waiting for help. I understand you are very busy and appreciate what you are doing.

I have rescanned with dds and gmer.

This time in the GMER I include drive E. My system drive is C, but I have applications as well as MyDocs on E, so I thought it might provide useful information.

Just as I was doing this, I had a flash updater crash (enclosed screenshot). My Avast shield was down while this happened, as I had just turned it off for the DDS and GMER scans. Note that I have deliberately stayed away from powering the computer with this OS in the past week so whatever is in there won't do any more damage.

Thank you.
---------------------------
DDS log:
.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by R at 13:25:34 on 2012-07-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.1966 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
c:\CAD\altera\11.0sp1\quartus\bin\jtagserver.exe
E:\Progs-Main\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Second Copy 8\SCVSSSvc.exe
C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe
C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe
E:\Progs-Main\DynDNS Updater\DynUpSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\System32\MAFWTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Palm\AlarmApp.exe
E:\Progs-Main\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Progs-Main\DynDNS Updater\DynTray.exe
E:\Progs-Main\Evernote\EvernoteClipper.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Progs-Main\Evernote\EvernoteTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ASUS\AASP\1.00.59\aaCenter.exe
E:\Progs-Main\Evernote\Evernote.exe
C:\Program Files\APC\PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\R\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Progs-Main\Mozilla Firefox\firefox.exe
E:\Progs-Main\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uSearch Bar = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\r\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Power2GoExpress] NA
mRun: [CloneCDElbyCDFL] "c:\program files\elaborate bytes\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [HP SchedIndexer] e:\progs-main\hewlett-packard\laserjet 33xx\hppschedindexer.exe
mRun: [HP AutoIndexer] e:\progs-main\hewlett-packard\laserjet 33xx\hppautoindexer.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NBKeyScan] "e:\progs-main\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\blu-ray disc suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\blu-ray disc suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [ASUS Energy Saving] "c:\program files\asus\ai suite\energysaving\PwSave.exe"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [<NO NAME>]
mRun: [Display] c:\program files\apc\powerchute personal edition\DataCollectionLauncher.exe
mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\docume~1\r\startm~1\programs\startup\everno~1.lnk - e:\progs-main\evernote\EvernoteClipper.exe
StartupFolder: c:\docume~1\r\startm~1\programs\startup\everno~2.lnk - e:\progs-main\evernote\EvernoteTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\alarmm~1.lnk - c:\program files\palm\AlarmApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - e:\progs-main\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dynupd~1.lnk - e:\progs-main\dyndns updater\DynTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2012\QBW32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-system: DisableCAD = 1 (0x1)
IE: &Google Search
IE: &Translate English Word
IE: Add to Evernote 4.0 - e:\progs-main\evernote\EvernoteIE.dll/204
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - e:\progs-~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages
IE: Translate Page into English
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://e:\progs-main\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progs-~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {5334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpg4sax.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1339216750312
DPF: {894B8712-11F1-48A7-899F-36D6C695D9D8} - hxxp://download.sympatico.ca/bcss_cb/core/prod/codebaby.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.7002893519
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88}
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://lemieux.dragonwaveinc.com/dana-cached/sc/JuniperSetupClient.cab
TCP: Interfaces\{8F5B7AB3-7B77-4A3C-9B5B-D4A54DF2DA49} : NameServer = 192.168.2.1
TCP: Interfaces\{8F5B7AB3-7B77-4A3C-9B5B-D4A54DF2DA49} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B055BF2A-F3F5-43C5-ABDF-25A1EA7E66CB} : NameServer = 192.168.2.1
TCP: Interfaces\{DCC2909D-6688-434D-8365-6F8BDDB28EE5} : DhcpNameServer = 10.1.1.4 10.1.1.6
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2012\HelpAsyncPluggableProtocol.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - e:\progs-main\quicktax 2007\ic2007pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\r\application data\mozilla\firefox\profiles\09rcy76j.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/
FF - component: e:\progs-main\1password\firefox@1passwd.com\components\Agile1pFF.dll
FF - plugin: c:\documents and settings\r\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
FF - plugin: e:\progs-main\ign\download manager\npfpdlm.dll
FF - plugin: e:\progs-main\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: e:\progs-main\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin2.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin3.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin4.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin5.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin6.dll
FF - plugin: e:\progs-main\quicktime\plugins\npqtplugin7.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\ElbyVCD.sys [2002-11-28 22016]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2011-2-21 58568]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-2 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-3 353688]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2007-12-31 120320]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [2006-5-23 78848]
R1 Uim_Vim;UIM Virtual Image Plugin;c:\windows\system32\drivers\Uim_Vim.sys [2011-10-18 277576]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2012/01/13 21:40:34];c:\program files\cyberlink\powerdvd8\000.fcl [2010-1-12 87536]
R2 APC Data Service;APC Data Service;c:\program files\apc\powerchute personal edition\dataserv.exe [2011-8-24 21880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-3 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-21 44808]
R2 Dyn Updater;Dyn Updater;e:\progs-main\dyndns updater\DynUpSvc.exe [2011-11-15 95608]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-7-25 3712]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-7-5 1262400]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2011-8-24 430136]
R2 SCVSSService;Second Copy VSS Service;c:\program files\second copy 8\SCVSSSvc.exe [2012-2-12 968448]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [2011-12-22 21320]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2012-7-5 123840]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 250056]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2012-1-20 79360]
S3 Creative Dolby Digital Live Pack Licensing Service;Creative Dolby Digital Live Pack Licensing Service;c:\program files\common files\creative labs shared\service\DDLLicensing.exe [2012-1-20 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 IOMap;IOMap;c:\windows\system32\drivers\IOMap.sys [2012-1-7 33280]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2003-8-1 320384]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [2012-1-20 95304]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-11 113120]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-9-6 18432]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 Sage Simply Accounting Transaction Manager 2012 - CDN;Sage Simply Accounting Transaction Manager 2012 - CDN;c:\program files\winsim\transactionmanager2012 - cdn\Sage_SA.TransactionManager.exe [2011-12-22 46408]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys --> c:\windows\system32\drivers\scsiscan.sys [?]
S3 USB44LDR;M-Audio USB MidiSport 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2005-10-28 16416]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2005-10-28 22304]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-21 178112]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 siregsrv;siregsrv;e:\progs-~1\speedd~1\siregsrv.exe --> e:\progs-~1\speedd~1\SIREGSRV.EXE [?]
.
=============== File Associations ===============
.
.txt=TextPad.txt
.
=============== Created Last 30 ================
.
2012-07-18 15:41:32 -------- d-----w- c:\documents and settings\r\application data\QuickScan
2012-07-18 14:53:10 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-07-18 14:53:10 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-07-16 03:04:36 -------- d-sh--w- C:\FOUND.004
2012-07-16 02:23:22 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-07-06 02:52:00 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-07-06 02:52:00 15504192 ----a-w- c:\windows\system32\nvcpl.dll
2012-07-06 02:52:00 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-07-06 02:52:00 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-07-06 02:51:59 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-07-06 02:51:16 876864 ------w- c:\windows\system32\nvhdagenco3220103.dll
2012-07-06 02:51:16 27968 ----a-w- c:\windows\system32\nvhdap32.dll
2012-07-06 02:51:16 123840 ----a-w- c:\windows\system32\drivers\nvhda32.sys
2012-07-03 19:31:57 -------- d-----w- c:\program files\Intuit
2012-07-03 19:31:57 -------- d-----w- c:\documents and settings\all users\application data\Nuance
2012-07-02 16:54:37 4200024 ----a-w- c:\windows\system32\cdintf400.dll
2012-07-02 16:54:31 -------- d-----w- c:\program files\QuickenW
.
==================== Find3M ====================
.
2012-07-12 02:54:14 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 02:54:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-06 02:51:54 1074636 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-07-06 02:51:54 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-07-06 02:51:52 1074636 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-07-03 16:21:54 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22:10 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:34 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-15 10:18:00 883008 ----a-w- c:\windows\system32\nvgenco32.dll
2012-05-15 10:18:00 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-15 10:18:00 6012928 ----a-w- c:\windows\system32\nvcuda.dll
2012-05-15 10:18:00 4373248 ----a-w- c:\windows\system32\nv4_disp.dll
2012-05-15 10:18:00 2530624 ----a-w- c:\windows\system32\nvcuvid.dll
2012-05-15 10:18:00 2445120 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-05-15 10:18:00 2359808 ----a-w- c:\windows\system32\nvapi.dll
2012-05-15 10:18:00 18771968 ----a-w- c:\windows\system32\nvoglnt.dll
2012-05-15 10:18:00 17543168 ----a-w- c:\windows\system32\nvcompiler.dll
2012-05-15 10:18:00 14014656 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-05-15 10:18:00 1000768 ----a-w- c:\windows\system32\nvdispco32.dll
2012-05-11 14:42:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16:14 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:20 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2006-05-08 01:55:32 774144 ----a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 13:25:52.04 ===============
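The "Pseudo HJT Report" section of the DDS log above is the part a helper reads first, and the lines that matter are easy to miss among dozens of vendor entries. The script below is an added illustration, not something posted in this thread and not part of the DDS tool: it parses those line types and flags the ones a reviewer would want to look at: Hosts: entries (a loopback mapping blocks a site, which is how malware commonly keeps a victim from reaching security vendors and update servers; a non-loopback mapping silently redirects it), BHO/TB/EB entries whose file is missing, Run-key entries that are unnamed, launch from a user-writable profile path, or name a bare executable that Windows resolves through its search path, and interfaces whose configured NameServer is not one that DHCP handed out. The sample input is a constructed excerpt modelled on lines from the log above, plus one invented redirect line (www.security-vendor.example mapped to 198.51.100.7, a documentation address) to exercise the redirect check. A flag is a prompt to verify, not a verdict: Google's updater legitimately runs from the user profile, and a single spywareinfo.com hosts entry may be a leftover from a protection tool rather than a sign of infection.

```python
import re

# Line patterns for the DDS "Pseudo HJT Report" section, as formatted in the log above.
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
ORPHAN_RE = re.compile(r"^(BHO|TB|EB): (.*?) -(?: No File)?$")          # "- No File" or a bare trailing "-"
RUN_RE = re.compile(r"^([um]Run): \[(.*?)\]\s*(.*)$")                    # uRun = HKCU, mRun = HKLM
TCP_RE = re.compile(r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}) : (NameServer|DhcpNameServer) = (.*)$")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Path fragments any non-admin process can write to on XP; an autorun pointing
# there deserves a second look (legitimate per-user updaters live there too).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def _executable(cmd):
    """Return the program part of a Run-key command line ('"quoted path" args' or 'path args')."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def triage_dds(text):
    """Scan DDS Pseudo-HJT lines and group review-worthy entries by category."""
    findings = {"hosts_block": [], "hosts_redirect": [], "orphan": [],
                "run_suspicious": [], "dns_override": []}
    dhcp, static = {}, {}  # interface GUID -> set of resolver addresses
    for raw in text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # loopback = site blocked; anything else = traffic silently redirected
            findings["hosts_block" if ip in LOOPBACK else "hosts_redirect"].append((host, ip))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings["orphan"].append(f"{m.group(1)} {m.group(2)}")
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            if name == "<NO NAME>" or not cmd.strip():
                findings["run_suspicious"].append((hive, name, "empty or unnamed entry"))
            elif any(p in cmd.lower() for p in USER_WRITABLE):
                findings["run_suspicious"].append((hive, name, "launches from user-writable path"))
            elif "\\" not in _executable(cmd):
                findings["run_suspicious"].append((hive, name, "bare filename resolved via search path"))
            continue
        m = TCP_RE.match(line)
        if m:
            guid, kind, servers = m.groups()
            (dhcp if kind == "DhcpNameServer" else static).setdefault(guid, set()).update(servers.split())
    # A static resolver that DHCP did not hand out is a manual (or malicious) DNS override.
    for guid, servers in sorted(static.items()):
        extra = servers - dhcp.get(guid, set())
        if extra:
            findings["dns_override"].append((guid, sorted(extra)))
    return findings


# Constructed excerpt modelled on the DDS log in the post above. The last line is
# invented (documentation address, reserved .example domain) to exercise the redirect check.
SAMPLE_DDS = r"""
uStart Page = about:blank
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [Google Update] "c:\documents and settings\r\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [CTHelper] CTHELPER.EXE
mRun: [<NO NAME>]
TCP: Interfaces\{8F5B7AB3-7B77-4A3C-9B5B-D4A54DF2DA49} : NameServer = 192.168.2.1
TCP: Interfaces\{8F5B7AB3-7B77-4A3C-9B5B-D4A54DF2DA49} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B055BF2A-F3F5-43C5-ABDF-25A1EA7E66CB} : NameServer = 192.168.2.1
TCP: Interfaces\{DCC2909D-6688-434D-8365-6F8BDDB28EE5} : DhcpNameServer = 10.1.1.4 10.1.1.6
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 198.51.100.7 www.security-vendor.example
"""

if __name__ == "__main__":
    for category, items in triage_dds(SAMPLE_DDS).items():
        for item in items:
            print(f"{category:15} {item}")
```

Feed it a saved DDS log with `triage_dds(open("dds.txt").read())`; on the excerpt it reports one blocked host, one redirected host, three orphaned browser add-ons, three Run entries, and one interface (B055BF2A) with a resolver that DHCP never supplied.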

#4 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 26 July 2012 - 06:18 PM

Hello Gyrfalcon, and welcome to BC!! :thumbsup:

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please let me know of any steps you may have performed so far.
  • And also, please refrain from making any further changes to your machine until we are finished here.

Please allow me some time to review your logs and I will get back as soon as I can!

bloopie

#5 Gyrfalcon
  • Topic Starter

  • Members
  • 18 posts

Posted 26 July 2012 - 07:22 PM

Hi bloopie, thanks for volunteering :)

I do have my WinXP install CD. Keep in mind this is a box I built myself from buying selected components.
I have refrained from doing anything since my initial posting.

Cheers

#6 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 26 July 2012 - 07:32 PM

Hi again,

It's nice to meet you! :)

Hi bloopie, thanks for volunteering :)


It's my pleasure :) , and sorry for the delay!

We can sometimes get overwhelmed with logs here at BC because the number of people in need of help greatly outnumbers the helpers.

Also keep in mind that I am still a trainee here at BC, and all of my critical posts must first be approved by an instructor. This can sometimes lead to a slight delay in my responses, but on the other hand you will have two sets of eyes checking your logs instead of just one. :thumbup2:

I'm still checking over your extensive logs, so (with approval) I should be back tomorrow with instructions for you!

Thanks again for your patience!

bloopie

#7 Gyrfalcon


Posted 26 July 2012 - 08:37 PM

Thanks, I totally *see* that you're overwhelmed with postings, there's one every few minutes at times, it's crazy...

Understood regarding your student status, and the community certainly appreciates that there are people like you going through the motions of doing this to help others!

That being said, the "two pairs of eyes" is a good thing, if you could please ask your instructor to look over everything very carefully as well, because the stakes are high for this PC. It's the central hub for the whole family, it's also the backup server, with all our memories in pictures and videos for the past 12 years, it's also the PC I've been banking with, it has shares for the other house PCs etc etc. So I really want to make sure it doesn't get messed up!!!

I'd rather things take a bit longer and get done cautiously and methodically.

Best Regards

#8 bloopie


Posted 27 July 2012 - 07:39 AM

Hi again,

Sorry for the lengthy description, but I figure the more you know, the better. I have tried to retrace every step.

No problem and thank you for that!! It's better you let us know as much as you can! :thumbup2:

I'd rather things take a bit longer and get done cautiously and methodically.

I agree completely! :)

==========

There is not much malware showing in your logs, so I would like to get a couple of more logs from unintrusive programs before we get to any removal:

:step1:
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

NOTE: aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

==========

:step2:
We need to create an OTL Report for a deeper look
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

In your next reply, please include the following:

  • The ASWmbr log
  • The OTL.txt log
  • The Extra.txt log

bloopie

#9 Gyrfalcon


Posted 27 July 2012 - 10:37 AM

Ok here you go, I added them all as attachments.

Keep in mind as I mentioned in the initial description, I have 2 system partitions on the same physical drive, one with WinXP Pro SP3 (with Spybot-detected malware) and another with Win7 x64 Ultimate (no Spybot running). I'm using the Windows 7 built-in boot selector. I've been using the Windows 7 partition mostly since the virus.

I also have started using BitDefender Total Security 2013 on my work laptop (unrelated to all this), but I thought I could maybe try it on the Windows 7 side and scan all drives and partitions (including the WinXP partition) and see what it comes back with. I haven't done that as I don't want to change anything, but I just thought I'd let you know we also have that option. Of course, I imagine the tools we're using now are much more targeted.

Thanks again!

Attached Files



#10 Gyrfalcon


Posted 27 July 2012 - 10:54 AM

fyi, to do the tests you asked, I rebooted the PC from Win7 into WinXP, did the tests, then restarted and went into the Win7 partition. Both shut downs/restarts behaved fine. But Windows 7 said it needed to check drive O: for consistency (I mapped the WinXP partition as o: in my Win7 system). I don't know if that's indicative of something. It doesn't happen every time I switch boots, but it has happened every so often since the virus.

It didn't find anything wrong in the scan.

btw when I start up my WinXP now (since virus), I usually get a black screen with mouse pointer only which lasts about 30 seconds or so, after I enter my password. I usually end up doing ctrl-alt-del to see what's going on and it may be coincidence but that seems to "wake it up" to continue further and show the desktop etc.

Cheers

#11 bloopie


Posted 27 July 2012 - 01:37 PM

Hello again,

Those logs aren't looking too bad really, but there are a few orphaned entries we'll try to clear up now. Please copy and paste all further logs here instead of attaching.

We need to run an OTL Fix

  • Please reopen OTL on your desktop.
  • Copy and Paste the contents of the following codebox into the Custom Scans/Fixes textbox.
    :otl
    
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
    O3 - HKU\S-1-5-21-2025429265-527237240-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-2025429265-527237240-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-2025429265-527237240-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-2025429265-527237240-839522115-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-2025429265-527237240-839522115-1003\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    O3 - HKU\S-1-5-21-2025429265-527237240-839522115-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

Are you still having problems with Firefox? Notice any changes?

bloopie

Edited by bloopie, 27 July 2012 - 08:18 PM.


#12 bloopie


Posted 30 July 2012 - 12:18 PM

Hello again,

Are you still with me?

This is a 3-Day Bump! If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, we will be forced to close this topic!

bloopie

#13 Gyrfalcon


Posted 30 July 2012 - 09:33 PM

Hello Bloopie,

Sorry for the silence, I was away then really busy with work.

Ok so I have a few questions for you if you don't mind, as what you are proposing looks more like just general registry cleanup (Maybe I'm mistaken though). Are they risky changes btw? I noticed some of these keys are under IE, which I barely use, and these keys have data associated to them. Do I risk breaking things?

Spybot found a registry entry with bfgt under HKEY_CURRENT_USER, which is I believe what triggered its detection of Win32.Agent.cgzd. That entry is still there.
Have a look at this site, where they describe this rootkit behaviour: http://forums.spybot.info/showthread.php?t=64172
Should we try some of the suggested tools they mention?

Key-loggers: is there any way for us to scan and have 100% (or near) certainty that there aren't any keyloggers on my system? That's one of my biggest concerns, doing financial stuff etc. on it.

btw are there any suggestions for safe banking in case there's something lurking after we're done? (Maybe using Firefox in Safe Mode (no add-ons), or in Private mode (no cookies etc.)? Or another browser?)

As for your question regarding Firefox, keep in mind I've barely used this OS at all since the virus, so I don't have much time on it to report any difference good or bad. For what it's worth, the replies I've been making to you are with it, and I haven't had any issues with Firefox when making the posts.

Thanks!

#14 bloopie


Posted 01 August 2012 - 09:47 AM

Hello again,

First of all, I just want to clarify some things to ease your mind. You mention that Win32.Agent.cgzd is a rootkit...this is not so. It is merely a Trojan.Downloader, which could be potentially dangerous if it actually downloads anything. In your case it seems Spybot had already removed the downloader upon detection. If the downloader had actually done anything, we would have seen it in the logs. :)

Also, if you were infected with a rootkit, I would have let you know straight away, believe me! The same goes for any keyloggers. Some more information on keyloggers can be found here. Entries for those types of programs would also show up in the logs.

==========

In relation to your safe banking question, have a look here, and more specifically part C of the page. Let me know if you have other questions about that point.

==========

The fix I have posted above with OTL is indeed registry related. There are registry entries still in your registry, but the files pertaining to those entries are missing. That usually happens when programs don't fully remove themselves, and sometimes they can cause problems later on. That's why I'm suggesting we fix them. It should be harmless.

==========

Spybot found a registry entry with bfgt under HKEY_CURRENT_USER

That entry is still there.


This we will take care of, but I don't want to confuse you. First please run the fix in my previous post, then we'll take care of that entry.

Does this make sense? :)

bloopie
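A check in the same spirit as the orphan cleanup described above, added here as an example and not code from the thread or from OTL: it enumerates the O2 (BHO) and O3 (toolbar) registrations that OTL reports and flags those whose CLSID has no COM server key, or whose DLL is no longer on disk. It assumes PowerShell 3 or later (so the Windows 7 side rather than XP's PowerShell 2) and uses the standard registry paths shown in the OTL log above.

```powershell
# Added example (not from the thread or OTL): find IE extension registrations
# whose CLSID no longer resolves to a COM server, the "No CLSID value found"
# orphans that the OTL fix removes. Read-only; it changes nothing.
function Get-OrphanedIeExtensions {
    $candidates = @()

    # O2: one subkey per Browser Helper Object under HKLM, named by its CLSID
    $bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($k in Get-ChildItem -Path $bho -ErrorAction SilentlyContinue) {
        $candidates += [pscustomobject]@{ Source = 'O2 BHO (HKLM)'; CLSID = $k.PSChildName }
    }

    # O3: toolbar registrations are value *names* under the user's IE\Toolbar keys
    foreach ($sub in 'ShellBrowser', 'WebBrowser') {
        $tb = "HKCU:\Software\Microsoft\Internet Explorer\Toolbar\$sub"
        $props = Get-ItemProperty -Path $tb -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($name in $props.PSObject.Properties.Name) {
                if ($name -match '^\{[0-9A-F-]{36}\}$') {
                    $candidates += [pscustomobject]@{ Source = "O3 Toolbar\$sub (HKCU)"; CLSID = $name }
                }
            }
        }
    }

    # Resolve each CLSID the way the OTL log does: HKCR\CLSID\{guid}\InprocServer32
    foreach ($c in $candidates) {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($c.CLSID)"
        $status = 'registered'
        $dll = $null
        if (-not (Test-Path $clsidKey)) {
            $status = 'orphaned: no CLSID key'
        } else {
            $inproc = Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue
            $dll = if ($inproc) { $inproc.'(default)' } else { $null }
            if (-not $dll) {
                $status = 'orphaned: no InprocServer32'
            } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
                $status = 'orphaned: DLL missing'
            }
        }
        [pscustomobject]@{ Source = $c.Source; CLSID = $c.CLSID; Dll = $dll; Status = $status }
    }
}

Get-OrphanedIeExtensions | Format-Table -AutoSize
```

Entries reported as "registered" with a DLL path still deserve a look at that file (publisher, signature, location) before deciding anything; an orphan only tells you the uninstall was incomplete, not what the program was.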

#15 Gyrfalcon


Posted 01 August 2012 - 10:22 AM

Hello bloopie,

Thank you for taking the time to explain and provide links which I will read shortly. Aside from the Spybot website, I couldn't find any reliable information on that virus, maybe other tools know it under a different name?

What you're saying makes sense. btw when I ran Spybot, I didn't ask it to clean (not trusting its ability to do it right until I consulted with you guys at BC) and it said it didn't do anything. Another possibility is perhaps my Avast 7 actually stopped the virus on-the-fly but didn't quite clean up everything in the registry and left that one entry. Later when I ran a Spybot scan, it spotted that registry entry. I'm thinking that's a possibility because I had seen 1 or 2 Avast malware/virus alert popups in the past while on the web, but both times it said it stopped the virus before it could do any harm.

Hey btw congratulations on your promotion! :) (I noticed your title changed)

I have performed the OTL fixes you requested previously. It turns out it didn't ask to reboot btw. Here's the log:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ not found.
Registry value HKEY_USERS\S-1-5-21-2025429265-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-2025429265-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-2025429265-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-2025429265-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-2025429265-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_USERS\S-1-5-21-2025429265-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

OTL by OldTimer - Version 3.2.55.0 log created on 08012012_111038
