waddler - second opinion on DDS log

GunJack
Posts: 11,864 Forumite


in Techie Stuff
waddler old chap
...don't know if I've been working this one too long, or I'm tired, or both, but gis a second opinion on this DDS log, would you old bean?? It'd be appreciated.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.4.0
Run by admin at 22:52:48 on 2012-05-17
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3061.2330 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\SugarSync\SugarSyncManager.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Pioneer Software\ClinicOffice v5\edbsrvr.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\LMabcoms.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Fighters\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Fighters\FighterSuiteService.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\WINDOWS\srvany.exe
C:\Program Files\TSplus\UserDesktop\files\srvterminal.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\avgidsagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\TSplus\Clients\www\http\http.exe
C:\Program Files\TSplus\Clients\www\https\https.exe
C:\Program Files\TSplus\Clients\www\Software\java\httptuneling.exe
C:\Program Files\TSplus\Clients\www\Software\java\httpstuneling.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1081019
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
TB: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SugarSync] "c:\program files\sugarsync\SugarSyncManager.exe" -startInTray -usedelay=true
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1296D85B-DA7C-409F-A658-2BFF4BB509DF} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4DAAC997-C2C0-4A25-8AB5-10407BD3FFFC} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.0.2\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\emhbmzb7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bdff22058-d97a-48f7-b7fa-de83587e3d1c%7D&mid=74b371825c7e47d6a7e8d16836c88d68-feba2d14a4c7eac20a129894426affaffe52ec1b&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-04-27%2019%3A00%3A18&sap=ku&q=
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\11.0.2\npsitesafety.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 EDBSrvr;ClinicOffice EDB Server;c:\program files\pioneer software\clinicoffice v5\edbsrvr.exe [2012-2-6 2703488]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-30 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-6 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-27 654408]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\fighters\sfus.exe [2010-11-12 214664]
R2 Suite Service;Suite Service;c:\program files\fighters\FighterSuiteService.exe [2010-11-12 1145992]
R2 TerminalService;TSplus Application Publishing Service APS;c:\windows\srvany.exe [2010-12-10 8192]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\common files\avg secure search\vtoolbarupdater\11.0.2\ToolbarUpdater.exe [2012-4-27 932736]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-27 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-29 253088]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-10-19 30192]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 129976]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-05-17 21:34:56 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-05-17 21:17:09 388096 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-05-17 21:17:08 -------- d-----w- c:\program files\Trend Micro
2012-05-15 05:47:27 -------- d-----w- c:\documents and settings\admin\application data\UltraVNC
2012-05-14 20:36:33 -------- d-----w- c:\documents and settings\admin\DoctorWeb
2012-05-02 13:08:31 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-02 13:08:24 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-05-02 13:08:24 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-05-02 01:37:26 -------- d-----w- c:\program files\SlikSvn
2012-05-02 01:35:20 -------- d-----w- c:\program files\apache-maven
2012-05-02 00:29:10 -------- d-----w- C:\server
2012-05-02 00:26:03 -------- d-----w- C:\WebServer
2012-05-02 00:21:48 1589248 ----a-w- c:\windows\system32\libmysql_d.dll
2012-05-02 00:21:43 -------- d-----w- c:\program files\PremiumSoft
2012-05-02 00:09:13 -------- d-----w- c:\program files\Sun
2012-05-02 00:06:32 -------- d-----w- c:\program files\VertrigoServ
2012-04-29 08:30:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-27 22:43:55 -------- d-----w- c:\documents and settings\admin\application data\GlarySoft
2012-04-27 22:42:24 -------- d-----w- c:\program files\Glary Utilities
2012-04-27 22:40:21 -------- d-----w- c:\program files\Defraggler
2012-04-27 22:26:21 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-04-27 19:16:58 -------- d-----w- c:\program files\CCleaner
2012-04-27 19:10:33 -------- d-----w- c:\documents and settings\admin\local settings\application data\PCHealth
2012-04-27 18:00:32 -------- d-----w- c:\documents and settings\admin\local settings\application data\AVG Secure Search
2012-04-27 18:00:19 -------- d-----w- c:\documents and settings\admin\application data\AVG Secure Search
2012-04-27 18:00:18 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2012-04-27 18:00:14 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-04-27 18:00:13 -------- d-----w- c:\program files\AVG Secure Search
2012-04-27 16:22:41 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2012-04-27 16:22:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-27 16:22:37 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-27 16:22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-27 15:31:44 -------- d-sha-r- C:\cmdcons
2012-04-27 15:08:32 98816 ----a-w- c:\windows\sed.exe
2012-04-27 15:08:32 518144 ----a-w- c:\windows\SWREG.exe
2012-04-27 15:08:32 256000 ----a-w- c:\windows\PEV.exe
2012-04-27 15:08:32 208896 ----a-w- c:\windows\MBR.exe
2012-04-27 15:03:36 -------- d-----w- C:\4fe9fb4cbd0020443f92bc366652f1b7
2012-04-27 14:54:54 347776 ----a-r- c:\windows\system32\drivers\rt73.sys
2012-04-24 16:28:22 -------- d-----w- C:\32a2f091dd4481468922cc
2012-04-24 16:09:13 -------- d-----w- C:\a7574bc3cdc0e820eb02bd6269d11408
2012-04-24 15:52:18 -------- d-----w- C:\
2012-04-24 09:46:17 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-04-23 09:54:19 -------- d-----w- C:\72593fb0437d8d3e45f7c8
2012-04-22 15:52:38 -------- d-----w- C:\c5c1df32aa44052d11636cdfccd2
2012-04-22 00:17:08 126464 ----a-w- c:\windows\system32\madCHook.dll
2012-04-22 00:17:08 -------- d-----w- c:\program files\Anti CSDoS by Shocker
2012-04-21 16:56:20 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-04-21 16:07:52 317131 ----a-w- c:\windows\system32\drivers\avg\hellovnc\user.exe
2012-04-21 15:12:32 217088 ----a-w- c:\windows\system32\drivers\avg\hellovnc\vncParser.exe
2012-04-21 15:12:29 155 ----a-w- c:\windows\system32\drivers\avg\hellovnc\user.dat
2012-04-21 15:12:22 58 ----a-w- c:\windows\system32\drivers\avg\hellovnc\doit.bat
2012-04-21 15:12:17 -------- d---a-w- c:\windows\system32\drivers\avg\HelloVNC
2012-04-21 14:54:53 196608 ----a-w- c:\windows\system32\drivers\avg\dubrute 2.1 (update 03.03.12)\ssleay32.dll
2012-04-21 14:54:34 5595136 ----a-w- c:\windows\system32\drivers\avg\dubrute 2.1 (update 03.03.12)\QtGui4.dll
2012-04-21 14:54:27 1617920 ----a-w- c:\windows\system32\drivers\avg\dubrute 2.1 (update 03.03.12)\QtCore4.dll
2012-04-21 14:54:23 348160 ----a-w- c:\windows\system32\drivers\avg\dubrute 2.1 (update 03.03.12)\msvcr71.dll
2012-04-21 14:54:18 1015808 ----a-w- c:\windows\system32\drivers\avg\dubrute 2.1 (update 03.03.12)\libeay32.dll
2012-04-21 14:54:14 -------- d---a-w- c:\windows\system32\drivers\avg\DUBrute 2.1 (UPDATE 03.03.12)
2012-04-21 07:25:26 -------- d-s---w- c:\documents and settings\admin\UserData
2012-04-19 03:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
.
==================== Find3M ====================
.
2012-04-29 08:30:30 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-27 22:26:00 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-27 22:25:59 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-19 04:17:28 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-28 18:50:30 667136 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 18:50:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-02-28 18:50:29 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-02-28 13:50:54 369664 ----a-w- c:\windows\system32\html.iec
2012-02-22 04:25:32 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
============= FINISH: 22:53:42.70 ===============
So far I'm identifying a new trojan every scan.
Have I missed something??

......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple

Comments
-
Post me combofix.txt
Are you aware of these folders and what they are?
c:\windows\system32\drivers\avg\HelloVNC
c:\windows\system32\drivers\avg\dubrute 2.1 (update 03.03.12)
Can you get an aswMBR log? Just the ARK scan, no avast scan needed.
http://public.avast.com/~gmerek/aswMBR.exe
-
Cheers mate, well spotted....HelloVNC does look dodgy, initially thought it was part of UltraVNC, which they do use, now it looks decidedly unsafe. dubrute looks to be part of their online filesharing (will have to do some more digging).
Avira bootcd just picked up TR/Crypt.XPACK.Gen7 and ATRAPS.Gen
Currently on a Dr Web livecd run, it won't finish until I'm back from work lunchtime but it's picked up a couple of bits so far...
aswMBR and TDSSkiller come back clean, last CF log:-
ComboFix 12-05-17.05 - admin 17/05/2012 23:02:36.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3061.2287 [GMT 1:00]
Running from: c:\documents and settings\admin\Desktop\Security and Maintenance\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
\Legacy_6TO4
\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2012-04-17 to 2012-05-17 )))))))))))))))))))))))))))))))
.
.
2012-05-17 21:34 . 2012-05-17 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-05-17 21:17 . 2012-05-17 21:17 388096 ----a-r- c:\documents and settings\admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-17 21:17 . 2012-05-17 21:17 -------- d-----w- c:\program files\Trend Micro
2012-05-15 05:47 . 2012-05-15 05:47 -------- d-----w- c:\documents and settings\admin\Application Data\UltraVNC
2012-05-14 20:36 . 2012-05-14 20:36 -------- d-----w- c:\documents and settings\admin\DoctorWeb
2012-05-13 10:12 . 2012-05-13 10:12 -------- d-----w- c:\documents and settings\console
2012-05-02 13:08 . 2012-05-02 13:08 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-02 13:08 . 2012-05-02 13:08 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-02 13:08 . 2012-05-02 13:08 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-02 01:37 . 2012-05-02 01:37 -------- d-----w- c:\program files\SlikSvn
2012-05-02 01:35 . 2012-01-17 08:47 -------- d-----w- c:\program files\apache-maven
2012-05-02 00:29 . 2012-05-02 00:30 -------- d-----w- C:\server
2012-05-02 00:26 . 2012-05-02 01:37 -------- d-----w- C:\WebServer
2012-05-02 00:21 . 2011-11-24 09:48 1589248 ----a-w- c:\windows\system32\libmysql_d.dll
2012-05-02 00:21 . 2012-05-02 00:21 -------- d-----w- c:\program files\PremiumSoft
2012-05-02 00:09 . 2012-05-02 00:09 -------- d-----w- c:\program files\Sun
2012-05-02 00:06 . 2012-05-02 00:07 -------- d-----w- c:\program files\VertrigoServ
2012-04-29 08:30 . 2012-04-29 08:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-27 22:43 . 2012-04-27 22:43 -------- d-----w- c:\documents and settings\admin\Application Data\GlarySoft
2012-04-27 22:42 . 2012-04-27 22:42 -------- d-----w- c:\program files\Glary Utilities
2012-04-27 22:40 . 2012-04-27 22:40 -------- d-----w- c:\program files\Defraggler
2012-04-27 22:26 . 2012-04-27 22:25 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-04-27 19:16 . 2012-04-27 19:17 -------- d-----w- c:\program files\CCleaner
2012-04-27 19:10 . 2012-04-27 19:10 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\PCHealth
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\documents and settings\admin\Application Data\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\program files\AVG Secure Search
2012-04-27 16:22 . 2012-04-27 16:22 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2012-04-27 16:22 . 2012-04-27 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-27 16:22 . 2012-04-27 16:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-27 16:22 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-27 15:03 . 2012-04-27 15:03 -------- d-----w- C:\4fe9fb4cbd0020443f92bc366652f1b7
2012-04-27 14:54 . 2007-06-11 09:37 347776 ----a-r- c:\windows\system32\drivers\rt73.sys
2012-04-24 16:28 . 2012-04-24 16:28 -------- d-----w- C:\32a2f091dd4481468922cc
2012-04-24 16:09 . 2012-04-24 16:09 -------- d-----w- C:\a7574bc3cdc0e820eb02bd6269d11408
2012-04-24 15:52 . 2012-04-24 15:52 -------- d-----w- C:\5db9852cd7605d55b1d805e79d9a
2012-04-24 09:46 . 2012-04-24 11:46 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-04-23 09:54 . 2012-04-23 09:54 -------- d-----w- C:\72593fb0437d8d3e45f7c8
2012-04-22 15:52 . 2012-04-22 15:53 -------- d-----w- C:\c5c1df32aa44052d11636cdfccd2
2012-04-22 00:17 . 2012-04-22 00:17 -------- d-----w- c:\program files\Anti CSDoS by Shocker
2012-04-22 00:17 . 2006-01-31 15:27 126464 ----a-w- c:\windows\system32\madCHook.dll
2012-04-21 16:56 . 2012-04-21 16:56 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-04-21 16:28 . 2012-04-21 16:28 -------- d-----w- c:\documents and settings\LocalAdmin1
2012-04-21 16:08 . 2012-04-21 16:08 -------- d-----w- c:\documents and settings\HelpSupport
2012-04-21 15:12 . 2012-05-17 20:30 -------- d---a-w- c:\windows\system32\drivers\AVG\HelloVNC
2012-04-21 14:54 . 2012-04-24 09:16 -------- d---a-w- c:\windows\system32\drivers\AVG\DUBrute 2.1 (UPDATE 03.03.12)
2012-04-21 07:25 . 2012-05-17 21:32 -------- d-s---w- c:\documents and settings\admin\UserData
2012-04-19 03:50 . 2012-04-19 03:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-29 08:30 . 2011-05-16 07:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-27 22:26 . 2008-10-19 14:06 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-27 22:25 . 2010-07-01 07:54 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-21 13:50 . 2012-03-09 15:10 664 ----a-w- c:\documents and settings\temp\Local Settings\Application Data\d3d9caps.tmp
2012-04-11 13:14 . 2008-04-25 16:16 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2008-04-25 16:16 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-19 04:17 . 2012-03-19 04:17 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-02-29 14:10 . 2008-04-25 16:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-25 16:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-28 18:50 . 2008-04-25 16:16 667136 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 18:50 . 2008-04-25 16:16 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-02-28 18:50 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-02-28 13:50 . 2008-04-25 16:16 369664 ----a-w- c:\windows\system32\html.iec
2012-02-22 04:25 . 2012-02-22 04:25 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-05-02 13:08 . 2011-05-26 17:13 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-09-08 08:20 . 2010-02-11 08:56 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-27 18:00 2067328 ----a-w- c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-04-27 2067328]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2012-03-19 9413712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-07-18 20480]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-27 1116544]
"ScreenPrint32"="c:\program files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-15 446464]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
winvnc.exe [2006-6-18 712704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-02-07 08:31 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-04-05 04:12 2587008 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-11 22:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-05-21 10:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 11:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-09-08 08:20 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-06-14 02:21 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-06-14 02:21 142104 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 09:57 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-14 02:21 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 10:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-06-14 03:41 16132608 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
2003-05-15 19:36 446464 ----a-w- c:\program files\ScreenPrint32 v3\ScreenPrint32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sfagent]
2010-11-12 09:31 821384 ----a-w- c:\program files\Fighters\sfagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 09:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 10:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lmabcoms.exe"=
"c:\\Program Files\\Lexmark\\Scanback\\scanwiz.exe"=
"c:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\winvnc.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\HLDS By freeshmanny\\hlds.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\VertrigoServ\\Mysql\\bin\\v_mysqld.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5432:TCP"= 5432:TCP:ClinicOffice PGSQL Server
"12010:TCP"= 12010:TCP:ClinicOffice EDB Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:TCP"= 443:TCP:HTTPS
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [31/01/2012 04:46 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [22/02/2012 05:25 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [19/03/2012 05:17 301248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [30/04/2012 09:44 5106744]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 193288]
R2 EDBSrvr;ClinicOffice EDB Server;c:\program files\Pioneer Software\ClinicOffice v5\edbsrvr.exe [06/02/2012 17:37 2703488]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [30/09/2010 09:19 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27/04/2012 17:22 654408]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\Fighters\sfus.exe [12/11/2010 10:31 214664]
R2 Suite Service;Suite Service;c:\program files\Fighters\FighterSuiteService.exe [12/11/2010 10:31 1145992]
R2 TerminalService;TSplus Application Publishing Service APS;c:\windows\srvany.exe [10/12/2010 20:18 8192]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [27/04/2012 19:00 932736]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 13:32 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 13:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 13:32 17232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27/04/2012 17:22 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [29/04/2012 09:30 253088]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/10/2008 15:11 30192]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [02/05/2012 14:08 129976]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 08:30]
.
2012-05-17 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-04-27 20:06]
.
.
Supplementary Scan
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1081019
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\emhbmzb7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bdff22058-d97a-48f7-b7fa-de83587e3d1c%7D&mid=74b371825c7e47d6a7e8d16836c88d68-feba2d14a4c7eac20a129894426affaffe52ec1b&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-04-27%2019%3A00%3A18&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-17 23:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(4528)
c:\program files\SugarSync\SugarSyncShellExt.dll
.
Other Running Processes
.
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\LMabcoms.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\TSplus\UserDesktop\files\srvterminal.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\TSplus\Clients\www\http\http.exe
c:\program files\TSplus\Clients\www\https\https.exe
c:\program files\TSplus\Clients\www\Software\java\httptuneling.exe
c:\program files\TSplus\Clients\www\Software\java\httpstuneling.exe
.
**************************************************************************
.
Completion time: 2012-05-17 23:13:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-17 22:13
ComboFix2.txt 2012-04-28 15:53
ComboFix3.txt 2012-04-27 21:57
ComboFix4.txt 2012-04-27 18:40
ComboFix5.txt 2012-05-14 18:58
.
Pre-Run: 206,072,774,656 bytes free
Post-Run: 206,052,421,632 bytes free
.
- - End Of File - - 25B0C770F1986D862D6F747AAD7C7F8B
I deffo haven't got to the bottom of it yet and it's driving me nuts...darn thing keeps dropping a password onto the user account and creating extra users...
-
Cheers mate, well spotted....HelloVNC does look dodgy, initially thought it was part of UltraVNC, which they do use, now it looks decidedly unsafe. dubrute looks to be part of their online filesharing (will have to do some more digging).
Have you seen these?
Link1, link2
c:\windows\system32\drivers\AVG definitely isn't a default install location - looks more like they have tried to hide them there?
Avira bootcd just picked up TR/Crypt.XPACK.Gen7 and ATRAPS.Gen
-
Oh, and post me combofix4.txt & combofix5.txt found in c:\qoobox % & post me aswMBR.txt anyway.
-
Found the helloVNC one but not t'other...
The avira detections - one in restore point, sure the other was in that same avg/drivers folder...beginning to look very suss, and gives me somewhere to aim when I get home...
-
Oh, and post me combofix4.txt & combofix5.txt found in c:\qoobox % & post me aswMBR.txt anyway.
They'll have to wait 'till s'afternoon when I'm in front of it...
-
CF-4 log:-
ComboFix 12-04-27.02 - admin 27/04/2012 19:31:17.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3061.2189 [GMT 1:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
c:\windows\system32\sens32.dll
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\documents and settings\admin\Application Data\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\program files\AVG Secure Search
2012-04-27 17:59 . 2012-04-27 17:59 -------- d-----w- c:\windows\LastGood
2012-04-27 16:22 . 2012-04-27 16:22 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2012-04-27 16:22 . 2012-04-27 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-27 16:22 . 2012-04-27 16:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-27 16:22 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-27 15:03 . 2012-04-27 15:03 -------- d-----w- C:\4fe9fb4cbd0020443f92bc366652f1b7
2012-04-27 14:54 . 2007-06-11 09:37 347776 ----a-r- c:\windows\system32\drivers\rt73.sys
2012-04-24 16:28 . 2012-04-24 16:28 -------- d-----w- C:\32a2f091dd4481468922cc
2012-04-24 16:09 . 2012-04-24 16:09 -------- d-----w- C:\a7574bc3cdc0e820eb02bd6269d11408
2012-04-24 15:52 . 2012-04-24 15:52 -------- d-----w- C:\5db9852cd7605d55b1d805e79d9a
2012-04-24 09:46 . 2012-04-24 11:46 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-04-23 09:54 . 2012-04-23 09:54 -------- d-----w- C:\72593fb0437d8d3e45f7c8
2012-04-22 15:52 . 2012-04-22 15:53 -------- d-----w- C:\c5c1df32aa44052d11636cdfccd2
2012-04-22 00:17 . 2012-04-22 00:17 -------- d-----w- c:\program files\Anti CSDoS by Shocker
2012-04-22 00:17 . 2006-01-31 15:27 126464 ----a-w- c:\windows\system32\madCHook.dll
2012-04-21 16:56 . 2012-04-21 16:56 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-04-21 16:28 . 2012-04-21 16:28 -------- d-----w- c:\documents and settings\LocalAdmin1
2012-04-21 16:08 . 2012-04-21 16:08 -------- d-----w- c:\documents and settings\HelpSupport
2012-04-21 15:12 . 2012-04-24 09:16 -------- d---a-w- c:\windows\system32\drivers\AVG\HelloVNC
2012-04-21 14:54 . 2012-04-24 09:16 -------- d---a-w- c:\windows\system32\drivers\AVG\DUBrute 2.1 (UPDATE 03.03.12)
2012-04-21 07:25 . 2012-04-21 07:25 -------- d-s---w- c:\documents and settings\admin\UserData
2012-04-19 03:50 . 2012-04-19 03:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-17 10:37 . 2012-04-17 10:37 -------- d-----w- c:\documents and settings\temp\Local Settings\Application Data\Mozilla
2012-04-10 13:03 . 2012-04-10 13:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\MyPDFprinting
2012-04-05 07:59 . 2012-04-05 07:59 -------- d-----w- c:\documents and settings\temp\Application Data\CyberLink
2012-04-05 07:59 . 2012-04-05 07:59 -------- d-----w- c:\documents and settings\Guest\Application Data\CyberLink
2012-04-02 15:07 . 2012-04-02 15:07 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-04-02 15:07 . 2012-04-02 15:07 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-31 11:23 . 2012-03-31 11:23 -------- d-----w- c:\documents and settings\temp\Local Settings\Application Data\Identities
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-21 13:50 . 2012-03-09 15:10 664 ----a-w- c:\documents and settings\temp\Local Settings\Application Data\d3d9caps.tmp
2012-03-19 04:17 . 2012-03-19 04:17 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-03-05 09:34 . 2011-05-16 07:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-29 14:10 . 2008-04-25 16:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-25 16:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-22 04:25 . 2012-02-22 04:25 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-02-07 08:31 . 2008-11-06 09:48 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-02-07 08:31 . 2008-11-06 09:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-02-07 08:31 . 2008-11-06 09:48 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-02-07 08:31 . 2008-11-06 09:48 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-01-31 03:46 . 2012-01-31 03:46 31952 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2012-04-02 15:07 . 2011-05-26 17:13 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-09-08 08:20 . 2010-02-11 08:56 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-27_16.04.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-27 17:18 . 2012-04-27 17:18 16384 c:\windows\Temp\Perflib_Perfdata_51c.dat
+ 2011-12-23 12:32 . 2011-12-23 12:32 41040 c:\windows\system32\drivers\avgmfx86.sys
+ 2011-12-23 12:32 . 2011-12-23 12:32 17232 c:\windows\system32\drivers\avgidsshimx.sys
+ 2011-12-23 12:32 . 2011-12-23 12:32 24144 c:\windows\system32\drivers\avgidsfilterx.sys
+ 2010-09-22 09:43 . 2010-09-22 09:43 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2011-12-23 12:32 . 2011-12-23 12:32 139856 c:\windows\system32\drivers\avgidsdriverx.sys
+ 2010-09-22 09:43 . 2010-09-22 09:43 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2010-09-22 09:44 . 2010-09-22 09:44 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2012-04-27 18:00 . 2012-04-27 18:00 5163520 c:\windows\Installer\253c7f.msi
+ 2012-04-27 17:58 . 2012-04-27 17:58 2208768 c:\windows\Installer\253c7b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-27 18:00 2067328 ----a-w- c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-04-27 2067328]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"LMab1err"="c:\program files\Lexmark\ErrorApp\LMab1err.exe" [2009-01-16 573440]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2012-03-19 9413712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-07-18 20480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-27 1116544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
winvnc.exe [2006-6-18 712704]
.
c:\documents and settings\admin\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-02-07 08:31 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-04-05 04:12 2587008 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-11 22:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-09-08 08:20 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
2003-05-15 19:36 446464 ----a-w- c:\program files\ScreenPrint32 v3\ScreenPrint32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sfagent]
2010-11-12 09:31 821384 ----a-w- c:\program files\Fighters\sfagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 09:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\WINDOWS\\system32\\lmabcoms.exe"=
"c:\\Program Files\\Lexmark\\Scanback\\scanwiz.exe"=
"c:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\winvnc.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\HLDS By freeshmanny\\hlds.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5432:TCP"= 5432:TCP:ClinicOffice PGSQL Server
"12010:TCP"= 12010:TCP:ClinicOffice EDB Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:TCP"= 443:TCP:HTTPS
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [31/01/2012 04:46 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [22/02/2012 05:25 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [19/03/2012 05:17 301248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 193288]
R2 EDBSrvr;ClinicOffice EDB Server;c:\program files\Pioneer Software\ClinicOffice v5\edbsrvr.exe [06/02/2012 17:37 2703488]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [30/09/2010 09:19 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27/04/2012 17:22 654408]
R2 PS_AutoBackup;PS Auto Backup;c:\ps_autobackup\PS_AutoBackup.exe [02/11/2010 10:38 1502208]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\Fighters\sfus.exe [12/11/2010 10:31 214664]
R2 Suite Service;Suite Service;c:\program files\Fighters\FighterSuiteService.exe [12/11/2010 10:31 1145992]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [27/04/2012 19:00 932736]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 13:32 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 13:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 13:32 17232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27/04/2012 17:22 22344]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 24896]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [08/04/2012 11:27 5158992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S2 Iprip;Iprip;c:\windows\system32\svchost.exe -k netsvcs [25/04/2008 17:16 14336]
S2 TerminalService;TSplus Application Publishing Service APS;c:\windows\srvany.exe [10/12/2010 20:18 8192]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/10/2008 15:11 30192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIDSDRIVER
*NewlyCreated* - AVGIDSFILTER
*NewlyCreated* - AVGIDSSHIM
*NewlyCreated* - AVGWD
*NewlyCreated* - VTOOLBARUPDATER11.0.2
.
.
Supplementary Scan
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1081019
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\emhbmzb7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B23c427c8-01d8-48ed-87cf-618103f024b6%7D&mid=74b371825c7e47d6a7e8d16836c88d68-feba2d14a4c7eac20a129894426affaffe52ec1b&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-04-27%2019%3A00%3A18&sap=ku&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-27 19:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iprip]
"ServiceDll"="c:\windows\Temp\ntshrui.dll."
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Irmon]
"ServiceDll"="c:\windows\Temp\ntshrui.dll."
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NWCWorkstation]
"ServiceDll"="c:\windows\Temp\ntshrui.dll."
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-04-27 19:40:38
ComboFix-quarantined-files.txt 2012-04-27 18:40
ComboFix2.txt 2012-04-27 16:08
.
Pre-Run: 199,953,690,624 bytes free
Post-Run: 199,963,234,304 bytes free
.
- - End Of File - - C00C6FDE6DD218EF8B8B501858063307
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
CF-5:-
ComboFix 12-04-27.01 - admin 27/04/2012 16:38:40.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3061.2477 [GMT 1:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\win32update.exe
c:\program files\TSplus\UserDesktop\files\runwconsole.exe
c:\windows\system32\urttemp
c:\windows\system32\urttemp\fusion.dll
c:\windows\system32\urttemp\mscoree.dll
c:\windows\system32\urttemp\mscoree.dll.local
c:\windows\system32\urttemp\mscorsn.dll
c:\windows\system32\urttemp\mscorwks.dll
c:\windows\system32\urttemp\msvcr71.dll
c:\windows\system32\urttemp\regtlib.exe
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
\Legacy_6TO4
\Legacy_IAS
\Legacy_NWSAPAGENT
\Service_6to4
\Service_Ias
\Service_Nwsapagent
.
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 15:13 . 2012-04-27 15:13 d-----w- c:\windows\LastGood.Tmp
2012-04-27 15:03 . 2012-04-27 15:03 d-----w- C:\4fe9fb4cbd0020443f92bc366652f1b7
2012-04-27 14:54 . 2007-06-11 09:37 347776 ----a-r- c:\windows\system32\drivers\rt73.sys
2012-04-24 16:28 . 2012-04-24 16:28 d-----w- C:\32a2f091dd4481468922cc
2012-04-24 16:09 . 2012-04-24 16:09 d-----w- C:\a7574bc3cdc0e820eb02bd6269d11408
2012-04-24 15:52 . 2012-04-24 15:52 d-----w- C:\5db9852cd7605d55b1d805e79d9a
2012-04-24 09:46 . 2012-04-24 11:46 d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-04-23 09:54 . 2012-04-23 09:54 d-----w- C:\72593fb0437d8d3e45f7c8
2012-04-22 15:52 . 2012-04-22 15:53 d-----w- C:\c5c1df32aa44052d11636cdfccd2
2012-04-22 00:17 . 2012-04-22 00:17 d-----w- c:\program files\Anti CSDoS by Shocker
2012-04-22 00:17 . 2006-01-31 15:27 126464 ----a-w- c:\windows\system32\madCHook.dll
2012-04-21 16:56 . 2012-04-21 16:56 d--h--w- c:\windows\system32\GroupPolicy
2012-04-21 16:28 . 2012-04-21 16:28 d-----w- c:\documents and settings\LocalAdmin1
2012-04-21 16:08 . 2012-04-21 16:08 d-----w- c:\documents and settings\HelpSupport
2012-04-21 15:12 . 2012-04-24 09:16 d---a-w- c:\windows\system32\drivers\AVG\HelloVNC
2012-04-21 14:54 . 2012-04-24 09:16 d---a-w- c:\windows\system32\drivers\AVG\DUBrute 2.1 (UPDATE 03.03.12)
2012-04-21 07:25 . 2012-04-21 07:25 d-s---w- c:\documents and settings\admin\UserData
2012-04-17 10:37 . 2012-04-17 10:37 d-----w- c:\documents and settings\temp\Local Settings\Application Data\Mozilla
2012-04-10 13:03 . 2012-04-10 13:03 d-----w- c:\documents and settings\Administrator\Application Data\MyPDFprinting
2012-04-05 07:59 . 2012-04-05 07:59 d-----w- c:\documents and settings\temp\Application Data\CyberLink
2012-04-05 07:59 . 2012-04-05 07:59 d-----w- c:\documents and settings\Guest\Application Data\CyberLink
2012-04-02 15:07 . 2012-04-02 15:07 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-04-02 15:07 . 2012-04-02 15:07 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-31 11:23 . 2012-03-31 11:23 d-----w- c:\documents and settings\temp\Local Settings\Application Data\Identities
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-21 13:50 . 2012-03-09 15:10 664 ----a-w- c:\documents and settings\temp\Local Settings\Application Data\d3d9caps.tmp
2012-03-05 09:34 . 2011-05-16 07:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-29 14:10 . 2008-04-25 16:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-25 16:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-07 08:31 . 2008-11-06 09:48 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-02-07 08:31 . 2008-11-06 09:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-02-07 08:31 . 2008-11-06 09:48 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-02-07 08:31 . 2008-11-06 09:48 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-04-02 15:07 . 2011-05-26 17:13 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-09-08 08:20 . 2010-02-11 08:56 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"LMab1err"="c:\program files\Lexmark\ErrorApp\LMab1err.exe" [2009-01-16 573440]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2012-03-19 9413712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-07-18 20480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
winvnc.exe [2006-6-18 712704]
.
c:\documents and settings\admin\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-02-07 08:31 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-01-24 17:24 2416480 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-11 22:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-09-08 08:20 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
2003-05-15 19:36 446464 ----a-w- c:\program files\ScreenPrint32 v3\ScreenPrint32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sfagent]
2010-11-12 09:31 821384 ----a-w- c:\program files\Fighters\sfagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 09:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\WINDOWS\\system32\\lmabcoms.exe"=
"c:\\Program Files\\Lexmark\\Scanback\\scanwiz.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\winvnc.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\HLDS By freeshmanny\\hlds.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5432:TCP"= 5432:TCP:ClinicOffice PGSQL Server
"12010:TCP"= 12010:TCP:ClinicOffice EDB Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:TCP"= 443:TCP:HTTPS
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [22/02/2011 08:13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [19/01/2011 04:32 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/01/2011 06:41 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [10/02/2011 07:54 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
R2 EDBSrvr;ClinicOffice EDB Server;c:\program files\Pioneer Software\ClinicOffice v5\edbsrvr.exe [06/02/2012 17:37 2703488]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [30/09/2010 09:19 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]
R2 PS_AutoBackup;PS Auto Backup;c:\ps_autobackup\PS_AutoBackup.exe [02/11/2010 10:38 1502208]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\Fighters\sfus.exe [12/11/2010 10:31 214664]
R2 Suite Service;Suite Service;c:\program files\Fighters\FighterSuiteService.exe [12/11/2010 10:31 1145992]
R2 TerminalService;TSplus Application Publishing Service APS;c:\windows\srvany.exe [10/12/2010 20:18 8192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S2 Iprip;Iprip;c:\windows\system32\svchost.exe -k netsvcs [25/04/2008 17:16 14336]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 07:25 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [30/03/2011 17:17 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [10/02/2011 07:53 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/02/2011 07:53 16720]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/10/2008 15:11 30192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
.
Supplementary Scan
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1081019
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\emhbmzb7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-walogon - c:\program files\TSplus\UserDesktop\files\runwconsole.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-27 17:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iprip]
"ServiceDll"="c:\windows\Temp\ntshrui.dll."
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Irmon]
"ServiceDll"="c:\windows\Temp\ntshrui.dll."
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NWCWorkstation]
"ServiceDll"="c:\windows\Temp\ntshrui.dll."
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(4476)
c:\program files\SugarSync\SugarSyncShellExt.dll
.
Other Running Processes
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LMabcoms.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\TSplus\UserDesktop\files\srvterminal.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\TSplus\Clients\www\http\http.exe
c:\program files\TSplus\Clients\www\https\https.exe
c:\program files\TSplus\Clients\www\Software\java\httptuneling.exe
c:\program files\TSplus\Clients\www\Software\java\httpstuneling.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2012-04-27 17:08:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-27 16:08
.
Pre-Run: 195,979,419,648 bytes free
Post-Run: 199,240,978,432 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5AD1BAA5DA57F711F47D7ACD81661F00
c:\windows\system32\urttemp
c:\windows\system32\urttemp\fusion.dll
c:\windows\system32\urttemp\mscoree.dll
c:\windows\system32\urttemp\mscoree.dll.local
c:\windows\system32\urttemp\mscorsn.dll
c:\windows\system32\urttemp\mscorwks.dll
c:\windows\system32\urttemp\msvcr71.dll
c:\windows\system32\urttemp\regtlib.exe
Interestingly, I've seen these before (on one of my machines after mini-Gun #2's been faffing on it)......but no re-occurrence of these since the first CF run.