waddler - second opinion on DDS log
OK, as discussed... new CF and DDS logs for your expert eye.
ComboFix 12-05-20.06 - admin 20/05/2012 18:36:49.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3061.2300 [GMT 1:00]
Running from: c:\documents and settings\admin\Desktop\Security and Maintenance\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-04-20 to 2012-05-20 )))))))))))))))))))))))))))))))
.
.
2012-05-18 17:50 . 2012-05-20 16:17 -------- d-----w- c:\windows\system32\drivers\avg
2012-05-17 22:21 . 2012-05-17 22:21 149272 ----a-w- c:\windows\system32\drivers\dwprot.sys
2012-05-17 21:34 . 2012-05-17 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-05-17 21:17 . 2012-05-17 21:17 388096 ----a-r- c:\documents and settings\admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-17 21:17 . 2012-05-17 21:17 -------- d-----w- c:\program files\Trend Micro
2012-05-15 05:47 . 2012-05-15 05:47 -------- d-----w- c:\documents and settings\admin\Application Data\UltraVNC
2012-05-14 20:36 . 2012-05-14 20:36 -------- d-----w- c:\documents and settings\admin\DoctorWeb
2012-05-13 10:12 . 2012-05-13 10:12 -------- d-----w- c:\documents and settings\console
2012-05-02 13:08 . 2012-05-02 13:08 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-02 13:08 . 2012-05-02 13:08 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-02 13:08 . 2012-05-02 13:08 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-02 00:21 . 2011-11-24 09:48 1589248 ----a-w- c:\windows\system32\libmysql_d.dll
2012-05-02 00:21 . 2012-05-02 00:21 -------- d-----w- c:\program files\PremiumSoft
2012-05-02 00:09 . 2012-05-02 00:09 -------- d-----w- c:\program files\Sun
2012-04-29 08:30 . 2012-04-29 08:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-27 22:43 . 2012-04-27 22:43 -------- d-----w- c:\documents and settings\admin\Application Data\GlarySoft
2012-04-27 22:42 . 2012-04-27 22:42 -------- d-----w- c:\program files\Glary Utilities
2012-04-27 22:40 . 2012-04-27 22:40 -------- d-----w- c:\program files\Defraggler
2012-04-27 22:26 . 2012-04-27 22:25 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-04-27 19:16 . 2012-04-27 19:17 -------- d-----w- c:\program files\CCleaner
2012-04-27 19:10 . 2012-04-27 19:10 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\PCHealth
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\documents and settings\admin\Application Data\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-04-27 18:00 . 2012-04-27 18:00 -------- d-----w- c:\program files\AVG Secure Search
2012-04-27 16:22 . 2012-04-27 16:22 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2012-04-27 16:22 . 2012-04-27 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-27 16:22 . 2012-04-27 16:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-27 16:22 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-27 15:03 . 2012-04-27 15:03 -------- d-----w- C:\4fe9fb4cbd0020443f92bc366652f1b7
2012-04-27 14:54 . 2007-06-11 09:37 347776 ----a-r- c:\windows\system32\drivers\rt73.sys
2012-04-24 16:28 . 2012-04-24 16:28 -------- d-----w- C:\32a2f091dd4481468922cc
2012-04-24 16:09 . 2012-04-24 16:09 -------- d-----w- C:\a7574bc3cdc0e820eb02bd6269d11408
2012-04-24 15:52 . 2012-04-24 15:52 -------- d-----w- C:\5db9852cd7605d55b1d805e79d9a
2012-04-24 09:46 . 2012-04-24 11:46 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-04-23 09:54 . 2012-04-23 09:54 -------- d-----w- C:\72593fb0437d8d3e45f7c8
2012-04-22 15:52 . 2012-04-22 15:53 -------- d-----w- C:\c5c1df32aa44052d11636cdfccd2
2012-04-21 16:56 . 2012-04-21 16:56 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-04-21 16:28 . 2012-04-21 16:28 -------- d-----w- c:\documents and settings\LocalAdmin1
2012-04-21 16:08 . 2012-04-21 16:08 -------- d-----w- c:\documents and settings\HelpSupport
2012-04-21 07:25 . 2012-05-20 12:17 -------- d-s---w- c:\documents and settings\admin\UserData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-29 08:30 . 2011-05-16 07:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-27 22:26 . 2008-10-19 14:06 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-27 22:25 . 2010-07-01 07:54 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-21 13:50 . 2012-03-09 15:10 664 ----a-w- c:\documents and settings\temp\Local Settings\Application Data\d3d9caps.tmp
2012-04-19 03:50 . 2012-04-19 03:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-11 13:14 . 2008-04-25 16:16 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2008-04-25 16:16 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-19 04:17 . 2012-03-19 04:17 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-02-29 14:10 . 2008-04-25 16:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-25 16:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-28 18:50 . 2008-04-25 16:16 667136 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 18:50 . 2008-04-25 16:16 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-02-28 18:50 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-02-28 13:50 . 2008-04-25 16:16 369664 ----a-w- c:\windows\system32\html.iec
2012-02-22 04:25 . 2012-02-22 04:25 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-05-02 13:08 . 2011-05-26 17:13 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-09-08 08:20 . 2010-02-11 08:56 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-27 18:00 2067328 ----a-w- c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-04-27 2067328]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-03-19 20:29 365648 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2012-03-19 9413712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-07-18 20480]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-27 1116544]
"ScreenPrint32"="c:\program files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-15 446464]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
winvnc.exe [2006-6-18 712704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-04-04 05:53 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-04-05 04:12 2587008 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-11 22:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-05-21 10:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 11:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-09-08 08:20 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-06-14 02:21 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-06-14 02:21 142104 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 09:57 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-14 02:21 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 10:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-06-14 03:41 16132608 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
2003-05-15 19:36 446464 ----a-w- c:\program files\ScreenPrint32 v3\ScreenPrint32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sfagent]
2010-11-12 09:31 821384 ----a-w- c:\program files\Fighters\sfagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 09:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 10:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lmabcoms.exe"=
"c:\\Program Files\\Lexmark\\Scanback\\scanwiz.exe"=
"c:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\winvnc.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5432:TCP"= 5432:TCP:ClinicOffice PGSQL Server
"12010:TCP"= 12010:TCP:ClinicOffice EDB Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:TCP"= 443:TCP:HTTPS
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [31/01/2012 04:46 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [22/02/2012 05:25 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [19/03/2012 05:17 301248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 193288]
R2 EDBSrvr;ClinicOffice EDB Server;c:\program files\Pioneer Software\ClinicOffice v5\edbsrvr.exe [06/02/2012 17:37 2703488]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27/04/2012 17:22 654408]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\Fighters\sfus.exe [12/11/2010 10:31 214664]
R2 Suite Service;Suite Service;c:\program files\Fighters\FighterSuiteService.exe [12/11/2010 10:31 1145992]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [27/04/2012 19:00 932736]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 13:32 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 13:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 13:32 17232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27/04/2012 17:22 22344]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [17/05/2012 23:21 149272]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [30/04/2012 09:44 5106744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S2 TerminalService;TSplus Application Publishing Service APS;c:\windows\srvany.exe [10/12/2010 20:18 8192]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [29/04/2012 09:30 253088]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/10/2008 15:11 30192]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [02/05/2012 14:08 129976]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MODEM
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-29 08:30]
.
2012-05-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-04-27 20:06]
.
.
Supplementary Scan
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1081019
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\emhbmzb7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bdff22058-d97a-48f7-b7fa-de83587e3d1c%7D&mid=74b371825c7e47d6a7e8d16836c88d68-feba2d14a4c7eac20a129894426affaffe52ec1b&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-04-27%2019%3A00%3A18&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-20 18:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'explorer.exe'(4712)
c:\program files\SugarSync\SugarSyncShellExt.dll
.
Completion time: 2012-05-20 18:44:50
ComboFix-quarantined-files.txt 2012-05-20 17:44
ComboFix2.txt 2012-05-20 12:30
ComboFix3.txt 2012-05-18 13:26
ComboFix4.txt 2012-05-17 22:13
ComboFix5.txt 2012-05-20 17:35
.
Pre-Run: 206,683,631,616 bytes free
Post-Run: 206,662,537,216 bytes free
.
- - End Of File - - A13DC392980F8800BC1577FD97D21428
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
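A second pair of eyes on a log like the one above usually goes straight to the same few places: the firewall's GloballyOpenPorts and AuthorizedApplications lists, anything launched from a Startup folder, and services whose image is a remote-control or service-wrapper binary. The script below is an added example of doing that triage mechanically; it is not part of ComboFix, DDS or this thread. The sample log is constructed from lines quoted in the posted ComboFix output, and the list of "interesting" ports and binaries (RDP/VNC ports, winvnc.exe, srvany.exe) is the editor's assumption about what deserves a second look on a small-business PC, not a verdict from the log itself.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix/DDS code).

Pulls remote-access indicators out of the firewall, startup-folder and
service sections so a reviewer can see at a glance what is reachable
from the network and what starts without the user's involvement.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category detail")

# Assumption: these ports and binaries are what a reviewer wants flagged.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5800: "VNC HTTP/Java viewer"}
REMOTE_ACCESS_BINARIES = ("winvnc.exe", "srvany.exe")  # remote control / service wrapper

OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
AUTH_APP_RE = re.compile(r'^"(.+?)"=\s*$')
SERVICE_RE = re.compile(r'^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[')
STARTUP_DIR_RE = re.compile(r'\\Startup\\$', re.IGNORECASE)

# Constructed sample: lines taken from the posted ComboFix log.
SAMPLE_LOG = r"""
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
winvnc.exe [2006-6-18 712704]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5432:TCP"= 5432:TCP:ClinicOffice PGSQL Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:TCP"= 443:TCP:HTTPS
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
.
R2 EDBSrvr;ClinicOffice EDB Server;c:\program files\Pioneer Software\ClinicOffice v5\edbsrvr.exe [06/02/2012 17:37 2703488]
S2 TerminalService;TSplus Application Publishing Service APS;c:\windows\srvany.exe [10/12/2010 20:18 8192]
"""


def triage(log_text):
    """Return Findings for open ports, firewall exceptions, startup-folder
    items and services that point at remote-access tooling, in log order."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ".":                      # ComboFix block separator
            if section and section.startswith("startup:"):
                section = None
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()           # registry key header
            continue
        if STARTUP_DIR_RE.search(line):      # "...\Startup\" introduces a folder listing
            section = "startup:" + line
            continue
        if section and section.startswith("startup:"):
            findings.append(Finding("startup-folder",
                                    f"{line.split(' [')[0]} in {section[8:]}"))
            continue
        m = OPEN_PORT_RE.match(line)
        if m and section and "globallyopenports" in section:
            port, proto, label = int(m.group(1)), m.group(2), m.group(3).strip()
            if port in REMOTE_ACCESS_PORTS:
                findings.append(Finding("open-port",
                                        f"{port}/{proto} ({REMOTE_ACCESS_PORTS[port]}): {label}"))
            continue
        m = AUTH_APP_RE.match(line)
        if m and section and "authorizedapplications" in section:
            path = m.group(1).replace("\\\\", "\\")   # registry export doubles backslashes
            low = path.lower()
            if low.endswith(REMOTE_ACCESS_BINARIES) or "\\startup\\" in low:
                findings.append(Finding("firewall-exception", path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, image = m.groups()
            if image.lower().endswith(REMOTE_ACCESS_BINARIES):
                findings.append(Finding("service", f"{state} {name}: {image}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.category:20s} {finding.detail}")
```

Run against the sample it reports a VNC server launched from the Administrator Startup folder, two winvnc.exe firewall exceptions, RDP and both VNC ports globally open, and an srvany.exe-hosted service; none of that is malware by itself, but each one is a network-reachable way into the box that the owner should be able to account for.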
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.4.0
Run by admin at 19:02:32 on 2012-05-20
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.3061.2314 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\SugarSync\SugarSyncManager.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Pioneer Software\ClinicOffice v5\edbsrvr.exe
C:\WINDOWS\system32\LMabcoms.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Fighters\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Fighters\FighterSuiteService.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\WINDOWS\srvany.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\TSplus\UserDesktop\files\srvterminal.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe
C:\Program Files\AVG\AVG2012\avgidsagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\TSplus\Clients\www\http\http.exe
C:\Program Files\TSplus\Clients\www\https\https.exe
C:\Program Files\TSplus\Clients\www\Software\java\httptuneling.exe
C:\Program Files\TSplus\Clients\www\Software\java\httpstuneling.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=1081019
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SugarSync] "c:\program files\sugarsync\SugarSyncManager.exe" -startInTray -usedelay=true
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1296D85B-DA7C-409F-A658-2BFF4BB509DF} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4DAAC997-C2C0-4A25-8AB5-10407BD3FFFC} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.0.2\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\emhbmzb7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bdff22058-d97a-48f7-b7fa-de83587e3d1c%7D&mid=74b371825c7e47d6a7e8d16836c88d68-feba2d14a4c7eac20a129894426affaffe52ec1b&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-04-27%2019%3A00%3A18&sap=ku&q=
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 EDBSrvr;ClinicOffice EDB Server;c:\program files\pioneer software\clinicoffice v5\edbsrvr.exe [2012-2-6 2703488]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-27 654408]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\fighters\sfus.exe [2010-11-12 214664]
R2 Suite Service;Suite Service;c:\program files\fighters\FighterSuiteService.exe [2010-11-12 1145992]
R2 TerminalService;TSplus Application Publishing Service APS;c:\windows\srvany.exe [2010-12-10 8192]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\common files\avg secure search\vtoolbarupdater\11.0.2\ToolbarUpdater.exe [2012-4-27 932736]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-27 22344]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2012-5-17 149272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-29 253088]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-10-19 30192]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 129976]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-05-18 17:50:08 -------- d-----w- c:\windows\system32\drivers\avg
2012-05-17 22:21:46 149272 ----a-w- c:\windows\system32\drivers\dwprot.sys
2012-05-17 21:34:56 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-05-17 21:17:09 388096 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-05-17 21:17:08 -------- d-----w- c:\program files\Trend Micro
2012-05-15 05:47:27 -------- d-----w- c:\documents and settings\admin\application data\UltraVNC
2012-05-14 20:36:33 -------- d-----w- c:\documents and settings\admin\DoctorWeb
2012-05-02 13:08:31 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-02 13:08:24 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-05-02 13:08:24 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-05-02 00:21:48 1589248 ----a-w- c:\windows\system32\libmysql_d.dll
2012-05-02 00:21:43 -------- d-----w- c:\program files\PremiumSoft
2012-05-02 00:09:13 -------- d-----w- c:\program files\Sun
2012-04-29 08:30:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-27 22:43:55 -------- d-----w- c:\documents and settings\admin\application data\GlarySoft
2012-04-27 22:42:24 -------- d-----w- c:\program files\Glary Utilities
2012-04-27 22:40:21 -------- d-----w- c:\program files\Defraggler
2012-04-27 22:26:21 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-04-27 19:16:58 -------- d-----w- c:\program files\CCleaner
2012-04-27 19:10:33 -------- d-----w- c:\documents and settings\admin\local settings\application data\PCHealth
2012-04-27 18:00:32 -------- d-----w- c:\documents and settings\admin\local settings\application data\AVG Secure Search
2012-04-27 18:00:19 -------- d-----w- c:\documents and settings\admin\application data\AVG Secure Search
2012-04-27 18:00:18 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2012-04-27 18:00:14 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-04-27 18:00:13 -------- d-----w- c:\program files\AVG Secure Search
2012-04-27 16:22:41 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2012-04-27 16:22:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-27 16:22:37 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-27 16:22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-27 15:31:44 -------- d-sha-r- C:\cmdcons
2012-04-27 15:08:32 98816 ----a-w- c:\windows\sed.exe
2012-04-27 15:08:32 518144 ----a-w- c:\windows\SWREG.exe
2012-04-27 15:08:32 256000 ----a-w- c:\windows\PEV.exe
2012-04-27 15:08:32 208896 ----a-w- c:\windows\MBR.exe
2012-04-27 15:03:36 -------- d-----w- C:\4fe9fb4cbd0020443f92bc366652f1b7
2012-04-27 14:54:54 347776 ----a-r- c:\windows\system32\drivers\rt73.sys
2012-04-24 16:28:22 -------- d-----w- C:\32a2f091dd4481468922cc
2012-04-24 16:09:13 -------- d-----w- C:\a7574bc3cdc0e820eb02bd6269d11408
2012-04-24 15:52:18 -------- d-----w- C:\5db9852cd7605d55b1d805e79d9a
2012-04-24 09:46:17 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-04-23 09:54:19 -------- d-----w- C:\72593fb0437d8d3e45f7c8
2012-04-22 15:52:38 -------- d-----w- C:\c5c1df32aa44052d11636cdfccd2
2012-04-21 16:56:20 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-04-21 07:25:26 -------- d-s---w- c:\documents and settings\admin\UserData
.
==================== Find3M ====================
.
2012-04-29 08:30:30 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-27 22:26:00 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-27 22:25:59 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-19 03:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-19 04:17:28 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-28 18:50:30 667136 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 18:50:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-02-28 18:50:29 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-02-28 13:50:54 369664 ----a-w- c:\windows\system32\html.iec
2012-02-22 04:25:32 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
============= FINISH: 19:03:32.93 ===============
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
-
They look good.

C:\Program Files\TSplus\Clients\www\http\http.exe
C:\Program Files\TSplus\Clients\www\https\https.exe
C:\Program Files\TSplus\Clients\www\Software\java\httptuneling.exe
C:\Program Files\TSplus\Clients\www\Software\java\httpstuneling.exe
http://www.tsplus.net/

c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
-
It's a Dell PC with no PS/2 port, so no need for a driver, hence why I've left that; not worried about it. Been told their sw package guys use TSPlus as part of the system... not found anything bad about it... yet.
-
OK, no worries.
One thing, do they realise they're in violation of the terms of the EULA in using AVG free in a business environment?
http://free.avg.com/us-en/eula
Most free AVs only allow personal use. MSE is allowed on up to 10 PCs for business use.
http://www.microsoft.com/business/en-gb/products/Pages/Essentials.aspx
-
I had pointed this out, but am going to have to press the point... end of the day, it's not me that's leaving myself open to prosecution for violation of terms...
-
What d'ya think about the logs now???
-
The last ones above? They look good. Post the contents of:
c:\qoobox\ComboFix-quarantined-files.txt
-
cool...took some flippin' effort to get them like that
CF quarantine log:-
2012-05-14 19:08:30 . 2012-05-14 19:08:30 176 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-UpdateSvchost.reg.dat
2012-04-27 21:56:37 . 2012-05-20 17:44:05 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}.reg.dat
2012-04-27 16:07:37 . 2012-04-27 16:07:37 156 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-walogon.reg.dat
2012-04-27 15:44:06 . 2012-04-27 15:44:06 3,284 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Nwsapagent.reg.dat
2012-04-27 15:44:06 . 2012-04-27 15:44:06 3,200 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Ias.reg.dat
2012-04-27 15:44:06 . 2012-05-17 22:06:56 3,212 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_6to4.reg.dat
2012-04-27 15:44:06 . 2012-04-27 15:44:06 1,062 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NWSAPAGENT.reg.dat
2012-04-27 15:44:06 . 2012-04-27 15:44:06 978 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_IAS.reg.dat
2012-04-27 15:44:06 . 2012-05-17 22:06:55 990 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
2012-04-27 15:43:53 . 2012-05-20 17:41:55 8,007 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-04-27 15:03:59 . 2012-05-20 17:35:38 714 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-04-24 12:10:39 . 2012-04-24 12:10:40 8,582 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\EventSystem.log.vir
2012-03-26 02:28:45 . 2012-02-16 10:15:23 79,630 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\win32update.exe.vir
2012-03-08 22:52:52 . 2008-04-14 12:00:00 39,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sens32.dll.vir
2010-11-03 06:07:22 . 2012-02-21 10:17:04 912,727 ----a-w- C:\Qoobox\Quarantine\C\Program Files\TSplus\UserDesktop\files\runwconsole.exe.vir
2008-04-25 21:34:24 . 2008-04-25 21:34:24 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.local.vir
2008-04-25 21:34:24 . 2003-03-05 17:02:08 348,160 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\msvcr71.dll.vir
2008-04-25 21:34:24 . 2003-03-05 16:58:02 155,648 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.vir
2008-04-25 21:34:24 . 2003-03-05 16:57:46 77,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorsn.dll.vir
2008-04-25 21:34:24 . 2003-03-05 16:57:46 2,482,176 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscorwks.dll.vir
2008-04-25 21:34:24 . 2003-03-05 16:57:44 282,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\fusion.dll.vir
2003-03-05 16:58:48 . 2003-03-05 16:58:48 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\regtlib.exe.vir
-
Run this combofix script to dequarantine those false positives. If it tells you there is a newer version available, update it.
- Open Notepad
- Copy and paste the text present inside the code box below (Don't include Code:)

Code:
DeQuarantine::
C:\Qoobox\Quarantine\C\Program Files\TSplus\UserDesktop\files\runwconsole.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp
Quit::

- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
- Temporarily disable AVG before following the steps below
- Drag CFScript.txt into ComboFix.exe as the screenshot above shows.
- ComboFix will run. DeQuarantine_log.txt will open.
- Copy and paste the contents here.
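As an added example (not code from this thread, and not ComboFix's own code), the Python below does the triage step that the helper performed by eye: it parses the quarantine listing format shown above (two timestamps, size, attribute flags, path), maps each quarantined file back to the location it was taken from, splits the entries into "restore" and "keep quarantined" against an allowlist of reviewer-approved paths, and emits the DeQuarantine:: script text. The sample lines are a constructed subset copied from the listing in the thread; the allowlist is the two paths named in the helper's script. Reading the two timestamps as created and last-written, and the Quarantine\C\<path>.vir mapping, are assumptions inferred from the listing itself.

```python
"""Triage a ComboFix quarantine listing and build a DeQuarantine CFScript.

Added example for this thread. It is not ComboFix's own code; ComboFix
does not parse or emit anything like this. Assumptions are marked below.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"

# Constructed sample: a subset of the lines posted in the thread.
SAMPLE_LISTING = r"""
2012-05-14 19:08:30 . 2012-05-14 19:08:30 176 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-UpdateSvchost.reg.dat
2012-04-27 16:07:37 . 2012-04-27 16:07:37 156 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-walogon.reg.dat
2012-03-26 02:28:45 . 2012-02-16 10:15:23 79,630 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\win32update.exe.vir
2012-03-08 22:52:52 . 2008-04-14 12:00:00 39,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sens32.dll.vir
2010-11-03 06:07:22 . 2012-02-21 10:17:04 912,727 ----a-w- C:\Qoobox\Quarantine\C\Program Files\TSplus\UserDesktop\files\runwconsole.exe.vir
2008-04-25 21:34:24 . 2003-03-05 16:58:02 155,648 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\mscoree.dll.vir
2003-03-05 16:58:48 . 2003-03-05 16:58:48 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp\regtlib.exe.vir
"""

# The two items the helper's DeQuarantine:: script names (file and directory).
ALLOWLIST = [
    r"C:\Qoobox\Quarantine\C\Program Files\TSplus\UserDesktop\files\runwconsole.exe.vir",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\URTTemp",
]

# "<created> . <last written> <size> <attrs> <path>"; the meaning of the two
# timestamps is an assumption based on the URTTemp entries (copied 2008,
# built 2003). Sizes carry thousands separators; paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<size>\d[\d,]*) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    qpath: str  # where the item sits inside the quarantine now

    @property
    def original_path(self) -> Optional[str]:
        # Assumption from the listing: files live under Quarantine\C\<path>
        # with ".vir" appended, so stripping both gives the original C:\ path.
        # Registry backups (*.reg.dat, no ".vir") have no file to put back.
        prefix = QUARANTINE_ROOT + "\\C\\"
        if not (self.qpath.startswith(prefix) and self.qpath.endswith(".vir")):
            return None
        return "C:\\" + self.qpath[len(prefix):-len(".vir")]


def parse_listing(text: str) -> List[Entry]:
    """Parse every non-blank line; refuse lines that do not fit the format."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised quarantine line: {line!r}")
        entries.append(Entry(m["created"], m["modified"],
                             int(m["size"].replace(",", "")),
                             m["attrs"], m["path"]))
    return entries


def is_allowlisted(entry: Entry, allowlist: List[str]) -> bool:
    """True if the item is an allowlisted path or sits under an allowlisted directory."""
    p = entry.qpath.lower()
    for item in allowlist:
        item = item.lower().rstrip("\\")
        if p == item or p.startswith(item + "\\"):
            return True
    return False


def triage(entries: List[Entry], allowlist: List[str]) -> Tuple[List[Entry], List[Entry]]:
    """Split into (restore, keep_quarantined); anything not allowlisted stays put."""
    restore = [e for e in entries if is_allowlisted(e, allowlist)]
    keep = [e for e in entries if not is_allowlisted(e, allowlist)]
    return restore, keep


def build_dequarantine_script(entries: List[Entry], allowlist: List[str]) -> str:
    """Emit CFScript text: DeQuarantine::, one path per line, then Quit::.
    Only allowlist items that match something in the listing are written,
    so the script never names a path that is not actually in quarantine."""
    present = [a for a in allowlist if any(is_allowlisted(e, [a]) for e in entries)]
    return "\n".join(["DeQuarantine::", *present, "Quit::"]) + "\n"


if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    restore, keep = triage(ents, ALLOWLIST)
    for e in keep:
        print("KEEP    ", e.qpath)
    for e in restore:
        print("RESTORE ", e.original_path or e.qpath)
    print(build_dequarantine_script(ents, ALLOWLIST))
```

Run it as-is to see the split: the registry backups, win32update.exe and sens32.dll stay quarantined, runwconsole.exe and the URTTemp files are marked for restore, and the printed script matches the one in the post above. To reuse it on a real ComboFix-quarantined-files.txt, paste the listing into SAMPLE_LISTING (or read the file) and edit ALLOWLIST to exactly the items a reviewer has cleared; prefix matching on a directory restores everything under it, so allowlist directories deliberately.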
This discussion has been closed.