Hi, these are my latest log files, having recently had an attack similar to this: error message: "DCOM Server Process Launcher Terminated Unexpectedly"; upon startup it reboots within a couple of minutes. There is no opportunity to run any anti-virus, rootkit, malware, adware or Hijack software to help resolve the issue. I managed to stop the PC shutting down by using "Start - run - shutdown a", then scanned with Malwarebytes, AVG (removed 17 infections - Trojan horse/agents), turned off system restore, rebooted in safe mode, re-scanned etc. Am not too up on log reading, do you think it is all clear now please?
Malwarebytes' Anti-Malware 1.34
Database version: 1840
Windows 5.1.2600 Service Pack 3
12/03/2009 13:49:40
mbam-log-2009-03-12 (13-49-40).txt
Scan type: Full Scan (C:\|D:\|E:\|I:\|J:\|K:\|L:\|)
Objects scanned: 360407
Time elapsed: 2 hour(s), 16 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
I:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8FA5OP89\jtgtuhddr[1].txt (Trojan.Agent) -> Quarantined and deleted successfully.
Logfile of HijackThis v1.99.1
Scan saved at 10:54:36, on 13/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spnsrvnt.exe
D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\JAVA\JRE16~1.0_0\bin\java.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Martins\Desktop\xp repair\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bt.software.y...rowser?.src=yum
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System settings protector] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Memeo AutoBackup Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download2.gam...nts/y/jt0_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.5.107.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170942508906
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171800943046
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader4.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadban...tivePreQual.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashpoker.l...kes/FlashAX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15031/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - D:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - F:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99378e8278052) (gupdate1c99378e8278052) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\system32\spnsrvnt.exe
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
#1
Posted 13 March 2009 - 11:12 AM
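A defender-side way to triage a HijackThis log of the kind posted above, as an added example (not code from the thread, from Malwarebytes or from the HijackThis project): it parses the `R`/`O` entry lines, counts them per section, and flags the patterns a helper looks at first: `(file missing)` registrations, services with no recorded owner, startup shortcuts with an unresolved target, and autostarts that run from a temporary folder, which is where MBAM quarantined the Trojan.Agent file. The sample lines are constructed in the format shown above; the `O4` entry pointing into Temporary Internet Files is invented for the demonstration and does not appear in the posted log.

```python
import re
from collections import Counter

# Constructed sample input: a few entries in HijackThis log format, modelled on
# the log above, plus one constructed O4 entry that points into the Temporary
# Internet Files folder (the location MBAM quarantined a file from). None of
# these lines are claimed to be from the thread as posted.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Memeo AutoBackup Launcher.lnk = ?
O4 - HKCU\..\Run: [updater] C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\update[1].exe
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
"""

# Entry lines look like "R0 - ..." or "O23 - ...": a section code, then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Folders from which a legitimate autostart or service should not be running.
TEMP_DIR_RE = re.compile(
    r"(temporary internet files|\\local settings\\temp\\|\\windows\\temp\\)", re.I
)


def parse_hjt(text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entry(section, body):
    """Heuristic reasons an entry deserves a second look (empty list = nothing noted)."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("target file missing: stale registration, remove or reinstall the product")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no recorded publisher: check the binary's signature and origin")
    if TEMP_DIR_RE.search(body):
        reasons.append("runs from a temporary folder: legitimate software rarely autostarts from there")
    if section == "O4" and body.rstrip().endswith("= ?"):
        reasons.append("startup shortcut with an unresolved target: open the .lnk and check where it points")
    return reasons


def triage(text):
    """Count entries per section and list the ones with at least one reason to review."""
    entries = parse_hjt(text)
    counts = Counter(section for section, _ in entries)
    flags = []
    for section, body in entries:
        reasons = flag_entry(section, body)
        if reasons:
            flags.append({"section": section, "body": body, "reasons": reasons})
    return {"counts": counts, "flags": flags}


if __name__ == "__main__":
    report = triage(SAMPLE_HJT)
    print("entries per section:", dict(report["counts"]))
    for f in report["flags"]:
        print(f"{f['section']}: {f['body']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. On a real log most `(file missing)` entries, like the Bonjour and Firebird services above, are leftovers of uninstalled software rather than malware; the value of the script is that it separates the stale and unknown-publisher entries from the bulk of known-good ones, so a reviewer reads a dozen lines instead of a hundred.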
#2
Posted 14 March 2009 - 12:30 AM
STEP 01
Update TrendMicro™ HijackThis™
Your version of TrendMicro™ HijackThis™ is outdated. You need to download and install the latest version 2.0.2
- Download HJTInstall.exe to your desktop.
- Double-click HJTInstall.exe to install HijackThis.
- By default it will install to C:\Program Files\Trend Micro\HijackThis.
- It will create a HijackThis icon on your desktop.
- Once installed, it will launch HijackThis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Include this log in your next reply.
- You can delete the old version of HJT, located here: C:\Program Files\HijackThis\HijackThis.exe
STEP 02
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
STEP 03
- Please create a BOOTLOG
- Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
- Select "Enable Boot Logging" option and press enter.
- Windows prompts you to select a Windows installation (even if there is only one Windows installation)
- This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
If you're already running inside Windows you can enable it the following way.
- Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
- Click on OK and you will be prompted to RESTART Windows. Please do restart now.
- After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
- From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
- Note: Vista users can type in the Search and it will show on the menu, then right-click and choose Run as Administrator
- The tab is called BOOT on Vista. Then choose Boot log
STEP 04
RootRepeal - Rootkit Detector
- Please download the following tool: RootRepeal - Rootkit Detector
- Direct download link is here: RootRepeal.rar
- If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
- Extract the program file to a new folder such as C:\RootRepeal
- Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
- Select ALL of the checkboxes and then click OK and it will start scanning your system.
- If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
- When done, click on Save Report
- Save it to the same location where you ran it from, such as C:\RootRepeal
- Save it as your_name_rootrepeal.txt - where your_name is your forum name
- This makes it easier to track who the log belongs to.
- Then open that log and select all and copy/paste it back on your next reply please.
- Quit the RootRepeal program.
STEP 05
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr
Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop
- Please include the following logs in your next reply: DDS.txt and Attach.txt
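The boot log that STEP 03 asks for is appended to on every logged boot, so whoever reads ntbtlog.txt has to look at the last session and compare it with the earlier ones. The following is an added example (not part of the reply above and not a Microsoft or Malwarebytes tool) that does that: it splits the file into sessions, assuming the XP layout of one header line followed by `Loaded driver` / `Did not load driver` lines, reports what loaded and failed in the latest boot, flags drivers loaded from outside the system32 tree, and lists drivers that failed on every logged boot. All sample lines are constructed, including the driver under Local Settings\Temp, which is there only to exercise the location check.

```python
import re

# Constructed sample in the shape of an XP ntbtlog.txt: the file is appended to
# on every logged boot, so it holds two sessions here, each opened by a header
# line. The driver under Local Settings\Temp is a constructed entry added to
# exercise the location check; none of these lines are taken from the thread.
SAMPLE_NTBTLOG = r"""
Service Pack 3 3 14 2009 21:05:11.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Service Pack 3 3 15 2009 09:41:37.218
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \??\C:\Documents and Settings\User\Local Settings\Temp\drvx.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\DRIVERS\examplenic.sys
"""

DRIVER_RE = re.compile(r"^(Loaded driver|Did not load driver) (.+)$")
# Kernel binaries and drivers normally live under the system32 tree.
SYSTEM_DIR_RE = re.compile(r"^\\(SystemRoot|WINDOWS)\\system32\\", re.I)


def parse_sessions(text):
    """Split the log into boot sessions: any non-driver line starts a new session
    (assumption: one header line per boot, as XP writes it)."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if not m:
            sessions.append({"header": line, "loaded": [], "failed": []})
            continue
        if not sessions:  # tolerate a log that starts without a header line
            sessions.append({"header": "", "loaded": [], "failed": []})
        key = "loaded" if m.group(1) == "Loaded driver" else "failed"
        sessions[-1][key].append(m.group(2))
    return sessions


def unusual_locations(paths):
    """Drivers loaded from outside the system32 tree."""
    return [p for p in paths if not SYSTEM_DIR_RE.match(p)]


def persistent_failures(sessions):
    """Drivers that failed in every logged boot: a stale or broken install, not a one-off."""
    failed_sets = [set(s["failed"]) for s in sessions]
    return sorted(set.intersection(*failed_sets)) if failed_sets else []


def summarize(text):
    """Report on the most recent boot, plus what failed consistently across all of them."""
    sessions = parse_sessions(text)
    if not sessions:
        return {"sessions": 0}
    last = sessions[-1]
    return {
        "sessions": len(sessions),
        "last_boot": last["header"],
        "loaded": len(last["loaded"]),
        "failed": sorted(set(last["failed"])),
        "unusual_location": unusual_locations(last["loaded"]),
        "persistent_failures": persistent_failures(sessions),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NTBTLOG).items():
        print(f"{key}: {value}")
```

Point it at the real file with `summarize(open(r"C:\Windows\ntbtlog.txt").read())`. A driver that fails on every boot is usually a leftover of removed software and is worth cleaning up but is not in itself a sign of infection; a driver loading from a user-writable folder is the line to investigate first.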
#3
Posted 15 March 2009 - 12:49 PM
QUOTE (AdvancedSetup @ Mar 14 2009, 12:30 AM)
STEP 01
Update TrendMicro™ HijackThis™
Your version of TrendMicro™ HijackThis™ is outdated. You need to download and install the latest version 2.0.2
- Download HJTInstall.exe to your desktop.
- Double-click HJTInstall.exe to install HijackThis.
- By default it will install to C:\Program Files\Trend Micro\HijackThis.
- It will create a HijackThis icon on your desktop.
- Once installed, it will launch HijackThis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Include this log in your next reply.
- You can delete the old version of HJT, located here: C:\Program Files\HijackThis\HijackThis.exe
STEP 02
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
STEP 03
- Please create a BOOTLOG
- Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
- Select "Enable Boot Logging" option and press enter.
- Windows prompts you to select a Windows installation (even if there is only one Windows installation)
- This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
If you're already running inside Windows you can enable it the following way.
- Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
- Click on OK and you will be prompted to RESTART Windows. Please do restart now.
- After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
- From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
- Note: Vista users can type in the Search and it will show on the menu, then right-click and choose Run as Administrator
- The tab is called BOOT on Vista. Then choose Boot log
STEP 04
RootRepeal - Rootkit Detector
- Please download the following tool: RootRepeal - Rootkit Detector
- Direct download link is here: RootRepeal.rar
- If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
- Extract the program file to a new folder such as C:\RootRepeal
- Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
- Select ALL of the checkboxes and then click OK and it will start scanning your system.
- If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
- When done, click on Save Report
- Save it to the same location where you ran it from, such as C:\RootRepeal
- Save it as your_name_rootrepeal.txt - where your_name is your forum name
- This makes it easier to track who the log belongs to.
- Then open that log and select all and copy/paste it back on your next reply please.
- Quit the RootRepeal program.
STEP 05
Download DDS and save it to your desktop
http://download.blee...om/sUBs/dds.scr
Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop
- Please include the following logs in your next reply: DDS.txt and Attach.txt
Followed instructions and pasted all scans below. Thank you for your help with this, it is very much appreciated.
logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:15, on 15/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spnsrvnt.exe
D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\JAVA\JRE16~1.0_0\bin\java.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bt.software.yahoo.com/getbrowser?.src=yum
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System settings protector] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Memeo AutoBackup Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n042p/EN/install/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170942508906
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171800943046
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader4.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashpoker.ladbrokes.com/ladbrokes/FlashAX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - D:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - F:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99378e8278052) (gupdate1c99378e8278052) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\system32\spnsrvnt.exe
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 1: Watch Clan - http://www.thewatch.co.uk/
--
End of file - 13736 bytes
ComboFix 09-03-14.01 - Martins 2009-03-15 11:47:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1451 [GMT 0:00]
Running from: c:\documents and settings\Martins\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.
2009-03-15 11:01 . 2009-03-15 11:01 <DIR> d-------- c:\program files\Trend Micro
2009-03-13 11:36 . 2009-03-13 11:36 <DIR> d-------- c:\program files\Avira
2009-03-13 11:36 . 2009-03-13 11:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-06 06:35 . 2009-03-06 06:35 <DIR> d-------- c:\program files\Memeo
2009-03-06 06:35 . 2009-03-06 06:35 <DIR> d-------- c:\program files\Common Files\eSellerate
2009-03-06 06:35 . 2009-03-06 06:35 <DIR> d---s---- c:\documents and settings\All Users\Application Data\Memeo
2009-03-05 16:56 . 2009-03-05 16:56 <DIR> d-------- c:\program files\BUFFALO
2009-03-05 16:56 . 2008-02-12 01:48 17,152 --a------ c:\windows\system32\drivers\bfturboh.sys
2009-03-05 15:52 . 2009-03-05 15:52 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-05 15:51 . 2009-03-05 15:51 <DIR> d-------- c:\windows\ERUNT
2009-03-05 15:50 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-03-05 12:23 . 2009-03-05 12:23 65,024 --a------ c:\windows\system32\wextract.exe
2009-03-05 12:23 . 2009-03-05 12:23 65,024 --a--c--- c:\windows\system32\dllcache\wextract.exe
2009-03-03 13:25 . 2008-12-20 23:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-03-03 13:25 . 2007-04-17 09:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-03-03 13:25 . 2007-03-08 05:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-03 13:25 . 2008-12-20 23:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-03-03 13:25 . 2008-12-20 23:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-03 13:25 . 2008-12-20 23:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-03-03 13:25 . 2008-12-20 23:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-03-03 13:25 . 2008-12-20 23:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-03 13:25 . 2008-12-19 09:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-03-03 11:56 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-03 09:16 . 2009-03-03 09:22 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-02 23:06 . 2009-03-06 14:05 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-02 18:07 . 2009-03-02 18:07 <DIR> d-------- c:\documents and settings\Administrator.MARTIN\Application Data\WinCare2008
2009-03-01 11:12 . 2009-03-01 11:32 <DIR> d-------- c:\program files\Spotmau WinCare 2008
2009-03-01 11:12 . 2009-03-01 11:12 <DIR> d-------- c:\documents and settings\Martins\Application Data\WinCare2008
2009-02-28 14:58 . 2009-02-28 14:58 <DIR> d-------- c:\documents and settings\Administrator.MARTIN\Application Data\Malwarebytes
2009-02-28 11:21 . 2009-02-28 11:21 <DIR> d-------- c:\documents and settings\Administrator.MARTIN\Application Data\iWin
2009-02-28 11:17 . 2009-02-28 11:17 <DIR> d-------- c:\documents and settings\Administrator.MARTIN\Application Data\TuneUp Software
2009-02-28 10:55 . 2009-03-02 18:46 <DIR> d-------- c:\documents and settings\Administrator.MARTIN
2009-02-25 14:30 . 2009-02-25 14:30 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-25 14:27 . 2009-02-25 14:27 <DIR> d-------- c:\program files\NOS
2009-02-25 14:27 . 2009-02-25 14:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-21 17:03 . 2009-02-21 17:03 <DIR> d-------- c:\documents and settings\Martins\Application Data\Malwarebytes
2009-02-21 17:03 . 2009-02-21 17:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-21 17:03 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 17:03 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-20 16:29 . 2009-03-15 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-02-16 20:23 . 2009-02-26 19:36 <DIR> d-------- c:\program files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 11:41 139,152 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-14 11:41 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-12 10:16 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 11:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-10 14:16 --------- d-----w c:\documents and settings\Martins\Application Data\dvdcss
2009-03-08 18:45 --------- d-----w c:\documents and settings\Martins\Application Data\teamspeak2
2009-03-06 06:35 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 23:10 --------- d-s---w c:\program files\HLSW
2009-03-01 23:10 --------- d-----w c:\documents and settings\Martins\Application Data\HLSW
2009-03-01 23:04 --------- d-----w c:\program files\Absolute Uninstaller
2009-03-01 00:07 --------- d-----w c:\documents and settings\Martins\Application Data\uTorrent
2009-02-27 11:56 --------- d-----w c:\documents and settings\Martins\Application Data\iWin
2009-02-25 14:30 --------- d-----w c:\program files\Common Files\Adobe
2009-02-20 16:34 --------- d-----w c:\program files\Google
2009-02-14 15:58 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-02-13 12:41 --------- d-----w c:\program files\Common Files\Logitech
2009-02-13 12:40 --------- d-----w c:\program files\Common Files\LogiShared
2009-02-11 10:14 --------- d-----w c:\documents and settings\Martins\Application Data\LimeWire
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-31 15:08 --------- d-----w c:\documents and settings\Martins\Application Data\Island
2009-01-30 19:16 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-30 19:16 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-30 12:52 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-25 07:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-06-06 07:55 22,328 ----a-w c:\documents and settings\Martins\Application Data\PnkBstrK.sys
2008-02-02 13:37 1,435 ----a-w c:\documents and settings\Martins\Application Data\SAS7_000.DAT
2007-02-18 09:57 5,687,840 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-02-18 09:57 260,384 --sha-w c:\windows\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-03-05_12.35.34.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 15:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-03-05 15:51:39 3,833,856 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-03-05 15:51:39 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 15:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-03-05 15:51:31 3,833,856 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-03-05 15:51:31 8,192 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2009-02-11 11:09:13 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-11 11:11:05 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2009-02-11 11:09:14 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-03-11 11:11:06 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-02-11 11:09:14 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-03-11 11:11:06 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2009-02-11 11:09:14 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-03-11 11:11:06 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-02-11 11:09:14 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-03-11 11:11:06 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-02-11 11:09:14 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-03-11 11:11:06 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-02-11 11:09:14 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-03-11 11:11:06 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-02-11 11:09:14 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-03-11 11:11:06 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-02-11 11:09:14 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-03-11 11:11:06 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-02-11 11:09:14 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-03-11 11:11:06 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-02-11 11:09:14 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-03-11 11:11:06 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-02-11 11:09:14 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-03-11 11:11:06 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2007-06-11 22:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 18:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-05-09 12:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 17:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 10:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 09:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2009-03-03 09:22:54 298,848 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 13:55:55 298,848 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2009-03-05 09:19:08 72,020 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-15 10:25:41 72,020 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-05 09:19:08 444,336 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-15 10:25:41 444,336 ----a-w c:\windows\system32\perfh009.dat
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2007-11-30 11:18:51 26,488 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 09:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2007-06-11 22:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 18:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2008-06-26 07:47:29 173,360 ----a-w c:\windows\UN070618.EXE
+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@="{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}"
[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 17:05 348160 --a------ c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@="{8A814C29-D3CD-4F9E-9770-DF8704503ACA}"
[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 17:05 348160 --a------ c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"System settings protector"="e:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-02-11 399504]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-25 13524992]
c:\documents and settings\Martins\Start Menu\Programs\Startup\
Memeo AutoBackup Launcher.lnk - c:\documents and settings\Martins\Application Data\Microsoft\Installer\{BD1F8143-C678-43CD-A296-A3A32A8C2976}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [2009-03-06 73728]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 19:16 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
"SENTINEL"= snti386.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"EA Core"="c:\program files\Electronic Arts\EA Link\Core.exe" -silent
"XPRepairPro2007"=d:\program files\XP Repair Pro 2007\XPRepairPro.exe /r
"Google Update"="c:\documents and settings\Martins\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"btbb_wcm_McciTrayApp"=c:\program files\btbb_wcm\McciTrayApp.exe
"CTStartup"=c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe"
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart
"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"Logitech BT Wizard"=LBTWiz.exe -silent
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"Easy-PrintToolBox"=c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"WINDVDPatch"=CTHELPER.EXE
"Logitech Hardware Abstraction Layer"=KHALMNPR.EXE
"USB2Check"=RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
"PWRISOVM.EXE"=d:\program files\PowerISO\PWRISOVM.EXE
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE
"Bluetooth Connection Assistant"=LBTWIZ.EXE -silent
"RecordPadRun"="c:\program files\NCH Swift Sound\RecordPad\recordpad.exe" -logon
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\Martins\\Desktop\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-09-03 325128]
R1 FolderProtectDriver;FolderProtectDriver;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [2009-03-01 15616]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-30 298264]
R2 COSIDS_TB;COSIDS_TB;d:\progra~1\COSIDS\BIN\TbMux32.exe [2007-06-21 165376]
R2 FolderProtectService;FolderProtectService;c:\program files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [2009-03-01 10240]
R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2009-03-05 17152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-02-21 15504]
S2 gupdate1c99378e8278052;Google Update Service (gupdate1c99378e8278052);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 133104]
S2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-02-21 179856]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;f:\program files\MAGIX\Common\Database\bin\fbserver.exe --> f:\program files\MAGIX\Common\Database\bin\fbserver.exe [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-25 33752]
S3 SaiH0006;SaiH0006;c:\windows\system32\drivers\SaiH0006.sys [2004-07-26 56576]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{609d9a11-c25d-11db-847c-00147f903c40}]
\Shell\AutoRun\command - K:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7aaaa58e-b773-11db-93cf-806d6172696f}]
\Shell\AutoRun\command - I:\AUTORUN.EXE
.
Contents of the 'Scheduled Tasks' folder
2009-03-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-20 16:29]
2009-03-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 16:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://bt.software.yahoo.com/getbrowser?.src=yum
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 11:50:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-842925246-1604221776-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:41,59,25,82,74,dd,8b,93,7d,32,7c,ff,97,39,18,0f,ae,b2,43,4d,ba,5c,a3,
44,25,68,50,24,76,95,19,db,16,80,b9,f5,42,70,76,fc,d6,80,08,18,fc,dc,be,f6,\
"??"=hex:9d,99,7d,3e,e2,ad,d6,b0,52,4b,77,9c,62,df,aa,73
[HKEY_USERS\S-1-5-21-842925246-1604221776-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:b4,ab,95,ff,0f,f1,57,54,c0,33,5c,63,26,89,da,e8,29,e7,ba,6c,7e,
9e,5d,02,a7,cb,4b,fd,53,0f,d9,25,9b,7f,22,4a,7b,ed,96,f1,94,34,7a,83,5b,96,\
"rkeysecu"=hex:86,fb,8d,bb,75,a9,52,3a,ca,71,e3,0a,0d,cf,9d,a5
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,b1,e2,72,73,60,
fd,88,5a,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,69,1e,f2,9b,24,
4f,d7,f0,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,68,12,78,ca,47,
e5,cf,71,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,a4,67,bf,e9,54,
96,de,34,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,65,2e,bd,93,f4,
80,07,87,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,35,dc,1f,f9,65,
c9,a0,08,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,91,02,9f,c5,10,
87,92,86,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:35,85,2c,5f,08,b0,1f,eb,20,c3,4b,3d,43,65,83,20,ff,1f,79,f4,29,
43,d3,52,d7,16,e6,30,90,42,12,c5,70,1d,43,d6,74,4b,bd,26,66,f4,a4,e1,9c,74,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,40,4e,d1,be,c6,
c6,2e,1a,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,21,b6,17,8f,b9,
fc,8f,80,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,08,fe,08,9d,32,
0f,b0,f7,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,c3,64,44,f9,b1,
20,b5,35,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,52,72,a8,98,c2,
b8,5f,31,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:35,85,2c,5f,08,b0,1f,eb,20,c3,4b,3d,43,65,83,20,ff,1f,79,f4,29,
43,d3,52,d7,16,e6,30,90,42,12,c5,70,1d,43,d6,74,4b,bd,26,66,f4,a4,e1,9c,74,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(904)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-03-15 11:53:08
ComboFix-quarantined-files.txt 2009-03-15 11:52:55
ComboFix2.txt 2009-03-05 12:36:37
Pre-Run: 26,808,786,944 bytes free
Post-Run: 26,818,646,016 bytes free
Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,4,5
372 --- E O F --- 2009-03-11 11:12:00
Service Pack 3 3 15 2009 12:09:59.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver sptd.sys
Loaded driver \WINDOWS\System32\Drivers\WMILIB.SYS
Loaded driver \WINDOWS\System32\Drivers\SCSIPORT.SYS
Loaded driver ACPI.sys
Loaded driver pci.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver sfsync02.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver nvata.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver sfvfs02.sys
Loaded driver sfhlp02.sys
Loaded driver sfdrv01.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\AmdK8.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\drivers\nvax.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\drivers\ctoss2k.sys
Loaded driver \SystemRoot\System32\drivers\ctprxy2k.sys
Loaded driver \SystemRoot\system32\drivers\ctaud2k.sys
Loaded driver \SystemRoot\system32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\nvnetbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\System32\Drivers\awyidiuc.SYS
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\L8042Kbd.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\btkrnl.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\vsb.sys
Loaded driver \SystemRoot\system32\DRIVERS\MarvinBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\drivers\btaudio.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\nvapu.sys
Loaded driver \SystemRoot\system32\drivers\ha10kx2k.sys
Loaded driver \SystemRoot\System32\drivers\ctac32k.sys
Loaded driver \SystemRoot\System32\drivers\emupia2k.sys
Loaded driver \SystemRoot\System32\drivers\ctsfm2k.sys
Loaded driver \SystemRoot\system32\DRIVERS\NVENETFD.sys
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \??\C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\system32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ssmdrv.sys
Loaded driver \SystemRoot\System32\Drivers\SCDEmu.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\system32\DRIVERS\avipbb.sys
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\system32\drivers\bfturboh.sys
Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\Wdf01000.sys
Loaded driver \SystemRoot\system32\DRIVERS\LHidFilt.Sys
Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\LMouFilt.Sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\Drivers\SENTINEL.SYS
Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\mbam.sys
Loaded driver \SystemRoot\System32\Drivers\btwusb.sys
Loaded driver \??\C:\WINDOWS\system32\PfModNT.sys
Loaded driver \SystemRoot\system32\DRIVERS\btport.sys
Loaded driver \SystemRoot\system32\DRIVERS\btwhid.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\secdrv.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Tanky15-rootrepeal.txt
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/15 12:25
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB685D000 Size: 98304 File Visible: No
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EA000 Size: 8192 File Visible: No
Status: -
Name: PCI_PNP1726
Image Path: \Driver\PCI_PNP1726
Address: 0x00000000 Size: 0 File Visible: No
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5480000 Size: 45056 File Visible: No
Status: -
Name: spnt.sys
Image Path: spnt.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No
Status: -
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\wiaservc.log
Status: Allocation size mismatch (API: 56, Raw: 0)
Path: C:\Documents and Settings\Martins\Desktop\dds.scr
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Martins\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!
Path: C:\Documents and Settings\Martins\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spnt.sys" at address 0xb9ea80e0
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba6ecbb4
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spnt.sys" at address 0xb9ec6ca2
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spnt.sys" at address 0xb9ec7030
#: 119 Function Name: NtOpenKey
Status: Hooked by "spnt.sys" at address 0xb9ea80c0
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba6ecba0
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba6ecba5
#: 160 Function Name: NtQueryKey
Status: Hooked by "spnt.sys" at address 0xb9ec7108
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spnt.sys" at address 0xb9ec6f88
#: 247 Function Name: NtSetValueKey
Status: Hooked by "spnt.sys" at address 0xb9ec719a
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba6ecbaf
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xba6ecbaa
Stealth Objects
-------------------
Object: Hidden Module [Name: Tanagra.Utility.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x03700000 Size: 634880
Object: Hidden Module [Name: Tanagra.Interop.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x039b0000 Size: 61440
Object: Hidden Module [Name: Tanagra.DataClad.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x03b60000 Size: 937984
Object: Hidden Module [Name: XMLSettings.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x03a00000 Size: 45056
Object: Hidden Module [Name: Tanagra.DataClad.DataAccess.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x03f70000 Size: 233472
Object: Hidden Module [Name: Tanagra.BMU.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x04410000 Size: 1044480
Object: Hidden Module [Name: System.Data.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x04130000 Size: 2961408
Object: Hidden Module [Name: SQLite.NET.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x04930000 Size: 86016
Object: Hidden Module [Name: Tanagra.BMU.Providers.FileCopyBackupProvider.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x04bd0000 Size: 77824
Object: Hidden Module [Name: Tanagra.BMU.Providers.HardDiskBackupProvider.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x04ba0000 Size: 61440
Object: Hidden Module [Name: Tanagra.Third-party.Security.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x04c10000 Size: 28672
Object: Hidden Module [Name: Interop.eWebControl.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x05570000 Size: 36864
Object: Hidden Module [Name: Interop.Outlook.dll]
Process: MemeoBackup.exe (PID: 3708) Address: 0x05610000 Size: 405504
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a7cd1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_CLOSE]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_READ]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_WRITE]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_SET_EA]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_POWER]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: nvata, IRP_MJ_PNP]
Process: System Address: 0x8a7ce1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a61d1f8 Size: -
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a6291f8 Size: -
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a6291f8 Size: -
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6291f8 Size: -
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6291f8 Size: -
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a6291f8 Size: -
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6291f8 Size: -
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a6291f8 Size: -
Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8a6351f8 Size: -
Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8a6351f8 Size: -
Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6351f8 Size: -
Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6351f8 Size: -
Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8a6351f8 Size: -
Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6351f8 Size: -
Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8a6351f8 Size: -
Object: Hidden Code [Driver: awyidiucЅః扏济CdRom1 #Ѓట灐†, IRP_MJ_CREATE]
Process: System Address: 0x8a6021f8 Size: -
Object: Hidden Code [Driver: awyidiucЅః扏济CdRom1 #Ѓట灐†, IRP_MJ_CLOSE]
Process: System Address: 0x8a6021f8 Size: -
Object: Hidden Code [Driver: awyidiucЅః扏济CdRom1 #Ѓట灐†, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6021f8 Size: -
Object: Hidden Code [Driver: awyidiucЅః扏济CdRom1 #Ѓట灐†, IRP_MJ_POWER]
Process: System Address: 0x8a6021f8 Size: -
Object: Hidden Code [Driver: awyidiucЅః扏济CdRom1 #Ѓట灐†, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6021f8 Size: -
Object: Hidden Code [Driver: awyidiucЅః扏济CdRom1 #Ѓట灐†, IRP_MJ_PNP]
Process: System Address: 0x8a6021f8 Size: -
Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x883e71f8 Size: -
Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x883e71f8 Size: -
Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x883e71f8 Size: -
Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x883e71f8 Size: -
Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x883e71f8 Size: -
Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x883e71f8 Size: -
Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x883e71f8 Size: -
Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x883e71f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a7cf1f8 Size: -
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x883ec1f8 Size: -
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x883ec1f8 Size: -
Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x883ec1f8 Size: -
Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x883ec1f8 Size: -
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x883ec1f8 Size: -
Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x883ec1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x883ab1f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_CREATE]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_CLOSE]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_READ]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_CLEANUP]
Process: System Address: 0x8a6b21f8 Size: -
Object: Hidden Code [Driver: CdfsЅఈ灐畳, IRP_MJ_PNP]
Process: System Address: 0x8a6b21f8 Size: -
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-02-01.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 08/02/2007 13:24:35
System Uptime: 15/03/2009 12:09:59 (0 hours ago)
Motherboard: EPoX COMPUTER CO., LTD | | nForce4 DDR: 9NPA+ / 9NPA+Ultra / 9NPAJ Series
Processor: AMD Athlon 64 Processor 3200+ | Socket 939 | 2009/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 57 GiB total, 24.991 GiB free.
D: is FIXED (NTFS) - 116 GiB total, 92.335 GiB free.
E: is FIXED (NTFS) - 116 GiB total, 66.606 GiB free.
F: is CDROM ()
G: is CDROM (CDFS)
H: is CDROM ()
I: is FIXED (NTFS) - 57 GiB total, 25.174 GiB free.
J: is FIXED (NTFS) - 408 GiB total, 408.415 GiB free.
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 02/03/2009 19:29:12 - System Checkpoint
RP2: 02/03/2009 19:29:52 - After clean up march 09
RP3: 02/03/2009 23:02:06 - Installed Windows Backup Utility
RP4: 03/03/2009 09:11:42 - Software Distribution Service 3.0
RP5: 03/03/2009 09:25:20 - Printer Driver Microsoft XPS Document Writer Installed
RP6: 03/03/2009 13:17:47 - Software Distribution Service 3.0
RP7: 03/03/2009 13:29:42 - Installed Windows NLSDownlevelMapping.
RP8: 03/03/2009 13:30:10 - Installed Windows IDNMitigationAPIs.
RP9: 03/03/2009 13:31:16 - Installed Windows Internet Explorer 7.
RP10: 03/03/2009 13:31:48 - Software Distribution Service 3.0
RP11: 03/03/2009 14:50:24 - Software Distribution Service 3.0
RP12: 04/03/2009 10:47:45 - Software Distribution Service 3.0
RP13: 05/03/2009 09:17:23 - Avg8 Update
RP14: 05/03/2009 12:24:02 - ComboFix created restore point
RP15: 06/03/2009 06:34:50 - Installed Memeo AutoBackup
RP16: 07/03/2009 17:01:37 - System Checkpoint
RP17: 09/03/2009 12:23:53 - System Checkpoint
RP18: 10/03/2009 15:31:36 - System Checkpoint
RP19: 11/03/2009 11:10:34 - Software Distribution Service 3.0
RP20: 12/03/2009 13:03:39 - System Checkpoint
RP21: 13/03/2009 11:35:09 - Avira AntiVir Personal - 13/03/2009 11:35
RP22: 15/03/2009 11:46:35 - ComboFix created restore point
==== Installed Programs ======================
µTorrent
2007 Microsoft Office Suite Service Pack 1 (SP1)
6000 Sound Effects
Acrobat.com
Adobe Acrobat 5.0
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Center 2.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Premiere Pro 2.0
Adobe Reader 9
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos 1.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AlphaStar v.1.0.02
AMD Processor Driver
ATI - Software Uninstall Utility
AVG Free 8.0
Avira AntiVir Personal - Free Antivirus
Battlefield 1942
BitTornado 0.3.7
BT Home Hub
BT Yahoo! Applications
BUFFALO TurboUSB for FLASH/HDD
Canon iP4200
Canon MP Navigator EX 1.0
Canon MP210 series
Canon MP210 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Easy-PrintToolBox
Canon Utilities Solution Menu
CCleaner (remove only)
CD-LabelPrint
CDDRV_Installer
Chess3D 2.8
Company of Heroes
Company of Heroes - FAKEMSI
Critical Update for Windows Media Player 11 (KB959772)
Desert Conflict v0.1 Alpha
DesertCombat 0.7
DivX Content Uploader
DivX Web Player
DVD Architect Pro 5.0
DVDFab Ghosthunter release 5.2.3.0
EA Link
EA SPORTS online 2008
Firebird SQL Server - MAGIX Edition
getPlus® for Adobe
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
IGN Download Manager 2.3.2
iWin Games (remove only)
Java Servlet Development Kit 2.0
Java SE Runtime Environment 6 Update 1
KhalInstallWrapper
Lightroom
LimeWire 4.16.6
Logitech Registration
Logitech SetPoint
Logitech Updater
MahJong Suite
MahJong Suite Graphics Pack Volume 1
MahJong Suite Graphics Pack Volume 2
Malwarebytes' Anti-Malware
Memeo AutoBackup
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mobile Phone Suite Easy Synchronization
Monkey's Audio
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nuance Palm Voice Recorder
NVIDIA Drivers
NVIDIA PhysX v8.04.25
NvMixer
OpenAL
Paint.NET v3.36
PowerISO
PunkBuster Services
RarZilla Free Unrar 2.53
Real3D
RealPlayer
RecordPad Sound Recorder
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Sentinel System Driver
SiSoftware Sandra Lite XII.SP1
Sony Cinescore 1.0
Sony Cinescore Plug-In 1.0
Sony Vegas Pro 8.0
Sound Blaster Live!
Spotmau Wincare 2008
Spybot - Search & Destroy
Switch
TeamSpeak 2 RC2
Texas Hold'em Poker 3D - Deluxe Edition 1.0
Text-To-Speech-Runtime
TuneUp Utilities 2008
TweakNow RegCleaner Professional
ubi.com
Ufindus Rapidsite
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Urban Desert Combat Version 0.0.3
Vegas Movie Studio Platinum 9.0
VideoLAN VLC media player 0.8.6a
Water 1.04. for Adobe After Effects
WavePad Uninstall
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Backup Utility
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XP Repair Pro 2007
YouTube Uploader
==== Event Viewer Messages From Past Week ========
09/03/2009 10:55:11, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: kl1
09/03/2009 10:54:55, error: Service Control Manager [7000] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service failed to start due to the following error: The system cannot find the file specified.
12/03/2009 10:39:05, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
15/03/2009 10:22:18, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
==== End Of File ===========================
Rest of log files in next reply (too long for forum post limit)
#4
Posted 15 March 2009 - 12:51 PM
[quote name='Tanky' date='Mar 15 2009, 12:49 PM' post='64645']
Followed instructions and pasted all scans below. Thank you for your help with this; it is very much appreciated.
DDS (Ver_09-02-01.01) - NTFSx86
Run by Martins at 12:39:44.76 on 15/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1375 [GMT 0:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\spnsrvnt.exe
D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
D:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\JAVA\JRE16~1.0_0\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Martins\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://uk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://bt.software.yahoo.com/getbrowser?.src=yum
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [System settings protector] e:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Malwarebytes' Anti-Malware] "d:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\martins\startm~1\programs\startup\memeoa~1.lnk - c:\docume~1\martins\applic~1\microsoft\installer\{bd1f8143-c678-43cd-a296-a3a32a8c2976}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java
DPF: Yahoo! Blackjack - hxxp://download2.games.yahoo.com/games/clients/y/jt0_x.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/n042p/EN/install/gtdownlr.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.5.107.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170942508906
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171800943046
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab
DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader4.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://help.broadbandassist.com/prequal/MotivePreQual.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://flashpoker.ladbrokes.com/ladbrokes/FlashAX.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15031/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: ShellExecuteHook class: {fe24cd78-7c63-465d-8787-4edf7fc79895} - c:\program files\logitech\easy synchronization\shellexecutehook.dll
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-13 11840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-3 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-3 27656]
R1 FolderProtectDriver;FolderProtectDriver;c:\program files\spotmau wincare 2008\sub\fsdriver\FolderProtectDriver.sys [2009-3-1 15616]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-13 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-13 151297]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-30 298264]
R2 COSIDS_TB;COSIDS_TB;d:\progra~1\cosids\bin\TbMux32.exe [2007-6-21 165376]
R2 FolderProtectService;FolderProtectService;c:\program files\spotmau wincare 2008\sub\fsdriver\FolderProtectService.exe [2009-3-1 10240]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-13 52032]
R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2009-3-5 17152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-2-21 15504]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 gupdate1c99378e8278052;Google Update Service (gupdate1c99378e8278052);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]
S2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-2-21 179856]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;f:\program files\magix\common\database\bin\fbserver.exe --> f:\program files\magix\common\database\bin\fbserver.exe [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-25 33752]
S3 SaiH0006;SaiH0006;c:\windows\system32\drivers\SaiH0006.sys [2004-7-26 56576]
=============== Created Last 30 ================
2009-03-15 11:01 <DIR> --d----- c:\program files\Trend Micro
2009-03-13 11:36 <DIR> --d----- c:\program files\Avira
2009-03-13 11:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-06 06:35 <DIR> --d----- c:\program files\common files\eSellerate
2009-03-06 06:35 <DIR> --d----- c:\program files\Memeo
2009-03-06 06:35 <DIR> --ds---- c:\docume~1\alluse~1\applic~1\Memeo
2009-03-05 16:56 17,152 a------- c:\windows\system32\drivers\bfturboh.sys
2009-03-05 16:56 <DIR> --d----- c:\program files\BUFFALO
2009-03-05 15:52 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-03-05 15:51 <DIR> --d----- c:\windows\ERUNT
2009-03-05 15:50 <DIR> --d----- C:\SDFix
2009-03-05 12:24 <DIR> a-dshr-- C:\cmdcons
2009-03-05 12:23 65,024 ac------ c:\windows\system32\dllcache\wextract.exe
2009-03-05 12:23 65,024 a------- c:\windows\system32\wextract.exe
2009-03-05 12:18 161,792 a------- c:\windows\SWREG.exe
2009-03-05 12:18 98,816 a------- c:\windows\sed.exe
2009-03-03 13:25 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-03-03 13:25 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-03-03 13:25 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-03 13:25 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-03-03 13:25 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-03 13:25 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-03-03 13:25 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-03-03 13:25 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-03 13:25 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-03-03 11:56 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-03 09:16 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-02 23:06 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-01 11:12 <DIR> --d----- c:\docume~1\martins\applic~1\WinCare2008
2009-03-01 11:12 <DIR> --d----- c:\program files\Spotmau WinCare 2008
2009-02-21 17:03 <DIR> --d----- c:\docume~1\martins\applic~1\Malwarebytes
2009-02-21 17:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-21 17:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 17:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-13 12:40 <DIR> --d----- c:\program files\common files\LogiShared
==================== Find3M ====================
2009-03-14 11:41 139,152 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-14 11:41 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-02-09 11:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-30 19:16 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-30 19:16 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-20 23:15 826,368 a------- c:\windows\system32\wininet.dll
2008-06-06 07:55 22,328 a------- c:\docume~1\martins\applic~1\PnkBstrK.sys
2008-02-02 13:37 1,435 a------- c:\docume~1\martins\applic~1\SAS7_000.DAT
2007-02-18 09:57 5,687,840 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-02-18 09:57 260,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat
============= FINISH: 12:40:08.90 ===============
2009-03-03 13:25 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-03-03 13:25 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-03-03 13:25 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-03 13:25 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-03-03 13:25 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-03-03 13:25 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-03-03 13:25 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-03-03 13:25 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-03 13:25 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-03-03 11:56 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-03 09:16 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-02 23:06 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-01 11:12 <DIR> --d----- c:\docume~1\martins\applic~1\WinCare2008
2009-03-01 11:12 <DIR> --d----- c:\program files\Spotmau WinCare 2008
2009-02-21 17:03 <DIR> --d----- c:\docume~1\martins\applic~1\Malwarebytes
2009-02-21 17:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-21 17:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 17:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-13 12:40 <DIR> --d----- c:\program files\common files\LogiShared
==================== Find3M ====================
2009-03-14 11:41 139,152 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-14 11:41 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-02-09 11:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-30 19:16 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-30 19:16 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-20 23:15 826,368 a------- c:\windows\system32\wininet.dll
2008-06-06 07:55 22,328 a------- c:\docume~1\martins\applic~1\PnkBstrK.sys
2008-02-02 13:37 1,435 a------- c:\docume~1\martins\applic~1\SAS7_000.DAT
2007-02-18 09:57 5,687,840 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-02-18 09:57 260,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat
============= FINISH: 12:40:08.90 ===============
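As an added example (not part of the original thread or of DDS itself), the following Python helper parses the DDS "SERVICES / DRIVERS" section posted above and does the two things an analyst does first with it: flag entries worth a second look, and diff two snapshots so "different results between scans" can be pinned to named services. Two flags are implemented: a registered binary DDS could not find on disk, which it marks with `--> ... [?]` (here kl1 and the MAGIX Firebird service), and a boot- or system-start driver (start type 0 or 1) loaded from outside %SystemRoot%. The "earlier" snapshot used for the diff is constructed for the demonstration (the Avira entries removed and kl1 given a made-up file stamp); the flags are review prompts, not verdicts, since legitimate products such as Avira also load drivers from Program Files.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One DDS "SERVICES / DRIVERS" line looks like either of these:
#   R1 avgio;avgio;c:\program files\avira\...\avgio.sys [2009-3-13 11840]
#   S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\...\kl1.sys [?]
# Leading letter: R = running, S = stopped.  Digit: Windows start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# "path [YYYY-M-D size]" when DDS found the file on disk.
STAMP_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$")

# Sample input: the SERVICES / DRIVERS section exactly as posted in this thread.
DDS_SNAPSHOT = r"""
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-13 11840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-3 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-3 27656]
R1 FolderProtectDriver;FolderProtectDriver;c:\program files\spotmau wincare 2008\sub\fsdriver\FolderProtectDriver.sys [2009-3-1 15616]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-13 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-13 151297]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-30 298264]
R2 COSIDS_TB;COSIDS_TB;d:\progra~1\cosids\bin\TbMux32.exe [2007-6-21 165376]
R2 FolderProtectService;FolderProtectService;c:\program files\spotmau wincare 2008\sub\fsdriver\FolderProtectService.exe [2009-3-1 10240]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-13 52032]
R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2009-3-5 17152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-2-21 15504]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 gupdate1c99378e8278052;Google Update Service (gupdate1c99378e8278052);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]
S2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-2-21 179856]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;f:\program files\magix\common\database\bin\fbserver.exe --> f:\program files\magix\common\database\bin\fbserver.exe [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-25 33752]
S3 SaiH0006;SaiH0006;c:\windows\system32\drivers\SaiH0006.sys [2004-7-26 56576]
"""

# Constructed "earlier scan" for the diff demo (hypothetical, not from the thread):
# Avira not yet installed, and kl1.sys still present on disk with a made-up stamp.
EARLIER_SNAPSHOT = "\n".join(
    l for l in DDS_SNAPSHOT.splitlines() if "avira" not in l.lower()
).replace(r"kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]", "kl1.sys [2008-1-1 12345]")


@dataclass(frozen=True)
class ServiceEntry:
    state: str
    start: int
    name: str
    display: str
    path: str
    file_found: bool
    stamp: str  # "YYYY-M-D size" as DDS prints it, or "?" when the file is missing


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.group("state", "start", "name", "display", "rest")
    if "-->" in rest:
        # DDS writes "path --> path [?]" when the registered binary is not on disk.
        return ServiceEntry(state, int(start), name, display, rest.split("-->", 1)[0].strip(), False, "?")
    sm = STAMP_RE.match(rest)
    if not sm:
        return None
    return ServiceEntry(state, int(start), name, display, sm.group("path").strip(), True, sm.group("stamp"))


def parse_section(text: str) -> Dict[str, ServiceEntry]:
    """Map lower-cased service name -> entry for every parseable line."""
    return {e.name.lower(): e for e in map(parse_entry, text.splitlines()) if e}


def triage(entries: Dict[str, ServiceEntry]) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for entries an analyst should look at first."""
    findings: Dict[str, List[str]] = {}
    for e in entries.values():
        reasons = []
        if not e.file_found:
            reasons.append("registered but binary not found on disk")
        if e.start <= 1 and not e.path.lower().startswith("c:\\windows\\"):
            reasons.append("boot/system-start driver loaded from outside %SystemRoot%")
        if reasons:
            findings[e.name] = reasons
    return findings


def diff_snapshots(old: Dict[str, ServiceEntry], new: Dict[str, ServiceEntry]) -> Tuple[List[str], List[str], List[str]]:
    """Names added, removed, and present in both but with a changed path, stamp or start type."""
    added = sorted(n for n in new if n not in old)
    removed = sorted(n for n in old if n not in new)
    changed = sorted(
        n for n in old.keys() & new.keys()
        if (old[n].path, old[n].stamp, old[n].start) != (new[n].path, new[n].stamp, new[n].start)
    )
    return added, removed, changed


if __name__ == "__main__":
    current = parse_section(DDS_SNAPSHOT)
    for name, reasons in triage(current).items():
        print(f"{name}: {'; '.join(reasons)}")
    added, removed, changed = diff_snapshots(parse_section(EARLIER_SNAPSHOT), current)
    print("added:", added, "removed:", removed, "changed:", changed)
```

Run against the log above, the triage flags kl1 and FirebirdServerMAGIXInstance for missing binaries and avgio and FolderProtectDriver as non-%SystemRoot% drivers at start type 1; the diff then shows the four Avira entries as new and kl1 as changed, which is the kind of per-service detail to report back when a helper asks why two scans disagree.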
#5
Posted 18 March 2009 - 12:59 AM
The logs are showing different results between scans. Please uninstall uTorrent, BitTorrent, and other P2P software as these programs can infect you faster than we can clean your system.
Once they have been removed then please delete the C:\Windows\ntbtlog.txt file, reboot the computer and run new DDS, Root Repeal, and post new C:\Windows\ntbtlog.txt file along with a new MBAM scan please.
#6
Posted 23 March 2009 - 10:12 PM
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.