
[Closed] Internet connectivity gone.


This topic is locked
9 replies to this topic

#1 janetsmith

Posted 15 October 2009 - 11:57 PM

Hi guys,

My system:
1. OS: WinXP SP2
2. Antivirus: TrendMicro, AntiVir, MBAM, SuperAntiSpyware, hijackthis

Symptoms:
1. When the PC connects to the internet, after some time the screen flashes and changes to the Win2000 theme momentarily, then changes back to the XP theme, and after that the internet connection is gone.
2. If I click on the network icon, the dialog simply opens and closes immediately.
3. Sometimes it becomes unbearably slow after restarting the computer, and I have to hard-reset it. (I am not sure whether it's after I run a virus scan, or because I installed too many anti-virus programs.)

History:
1. Previously my PC also had a connection problem, and I found C:\windows\fonts\_unwise.exe; after deleting the file, it went back to normal.

Side info that I think may or may not be related to my home PC problem:
1. My office PC can connect to the internet, and I always share information between my home PC and office PC using a thumbdrive.
2. My office PC detected BV:AutoRun-S [Wrm] (avast!) and conficker.h (Trend Micro) on my thumbdrive.
3. Each time after I delete autorun.inf & Recycler, it regenerates autorun.inf & Recycler.
4. However, my home PC doesn't detect or display the autorun.inf & Recycler bin (I have unhidden hidden files).
5. I have tried Flash_Disinfector.exe, but the files are still there.
6. Currently I have manually created an autorun.inf folder to prevent the autorun.inf file from being regenerated.

So my focus now is to get the home PC able to connect to the internet first, so I can access this forum to clean up the thumbdrive problem.

Thanks a million!



#2 janetsmith

Posted 16 October 2009 - 07:13 AM

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:00 PM, on 10/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\green-programs\WinSplit Revolution\WinSplit.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\xampp\xampp-control.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\green-programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EasyTuneVI] C:\Program Files\GIGABYTE\ET6\ETcall.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12L~1\imesc\IMSCMig.exe /INSTALL
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Winsplit] C:\green-programs\WinSplit Revolution\WinSplit.exe
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [QvodPlayer] C:\Program Files\QvodPlayer\QvodTerminal.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [QvodPlayer] C:\Program Files\QvodPlayer\QvodTerminal.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7412DDD1-C327-4BE3-9D41-6A3FC6F9A4C3}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe

--
End of file - 11622 bytes

Edited by janetsmith, 16 October 2009 - 08:49 AM.


#3 janetsmith

Posted 16 October 2009 - 07:18 AM

My latest symptoms:
1. I can't connect to www.microsoft.com, windowsupdate.microsoft.com, free.avg.com, www.trendmicro.com.
2. I can access google.com and other sites, including whatthetech.com.
3. At first the connection is OK, but after a while none of the websites are accessible.
4. I need to disconnect and reconnect to the internet. After reconnecting, I can access the internet again.

Once in a while, all of a sudden, the AVG email scanner notifies me that something is trying to connect to 210-58-100-42.cm.static.apol.com.tw, in a list. All the entries in the list connect to the aforementioned URL.

Edited by janetsmith, 16 October 2009 - 08:19 AM.


#4 janetsmith

Posted 16 October 2009 - 08:51 AM

ComboFix 09-10-15.04 - Janet 10/16/2009 19:41.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3061.2449 [GMT 8:00]
Running from: c:\documents and settings\Janet\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_HOSTS_CONTROLLER


((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-16 10:44 . 2009-10-16 10:44 -------- d-----w- c:\windows\ERUNT
2009-10-16 10:38 . 2009-10-16 11:13 -------- d-----w- C:\SDFix
2009-10-15 21:59 . 2009-10-15 21:59 -------- d-----w- C:\$AVG
2009-10-15 21:59 . 2009-10-15 21:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-15 21:59 . 2009-10-15 21:59 356616 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-15 21:59 . 2009-10-15 21:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-15 21:59 . 2009-10-15 21:59 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-15 21:59 . 2009-10-16 08:29 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-15 21:59 . 2009-10-15 21:59 -------- d-----w- c:\program files\AVG
2009-10-15 21:59 . 2009-10-15 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-14 15:59 . 2009-10-14 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-14 15:58 . 2009-10-16 08:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 15:58 . 2009-10-14 15:58 -------- d-----w- c:\documents and settings\Janet\Application Data\SUPERAntiSpyware.com
2009-10-14 13:10 . 2009-10-14 13:10 10752 ----a-w- c:\windows\DCEBoot.exe
2009-10-14 09:29 . 2009-10-14 09:29 -------- d-----w- c:\documents and settings\Janet\Application Data\Malwarebytes
2009-10-14 09:29 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 09:29 . 2009-10-14 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 09:29 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 09:29 . 2009-10-14 09:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 10:42 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-10-13 10:42 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-10-13 10:42 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-13 10:42 . 2009-10-13 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-10-13 10:41 . 2009-10-13 10:42 -------- d-----w- c:\program files\Trend Micro
2009-10-13 10:36 . 2009-10-13 10:36 335376 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2009-10-13 10:36 . 2009-05-22 08:02 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-10-13 10:36 . 2009-05-22 07:45 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-10-13 10:36 . 2009-10-13 10:36 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-10-13 10:36 . 2009-05-22 08:00 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-10-10 05:26 . 2009-10-10 05:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-10 05:24 . 2009-07-28 08:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-05 08:55 . 2009-10-05 12:41 -------- d-----w- c:\documents and settings\Janet\.yed3
2009-10-03 00:45 . 2009-10-03 00:45 -------- d-----w- c:\program files\Paint.NET
2009-10-02 15:49 . 2009-10-02 15:49 -------- d-----w- c:\program files\MSXML 6.0
2009-09-26 16:46 . 2009-09-26 16:46 -------- d-----w- c:\documents and settings\Janet\Application Data\Media Player Classic
2009-09-23 16:17 . 2009-09-23 16:17 -------- d-----r- c:\documents and settings\Janet\Application Data\Brother
2009-09-23 15:58 . 2009-09-23 15:58 -------- d-----w- c:\documents and settings\Janet\Local Settings\Application Data\Scansoft
2009-09-23 15:53 . 2009-09-23 15:53 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-09-23 15:53 . 2008-03-18 14:35 1522176 ----a-w- c:\windows\system32\BrWia08a.dll
2009-09-23 15:53 . 2007-12-24 14:24 45056 ----a-w- c:\windows\system32\BrUsi08a.dll
2009-09-23 15:53 . 2004-10-15 04:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2009-09-23 15:52 . 2007-12-13 14:16 73728 ------w- c:\windows\system32\BrDctF2.dll
2009-09-23 15:52 . 2007-12-13 14:16 5120 ------w- c:\windows\system32\BrDctF2L.dll
2009-09-23 15:52 . 2007-12-13 14:16 3072 ------w- c:\windows\system32\BrDctF2S.dll
2009-09-23 15:52 . 2006-12-28 05:39 176128 ------w- c:\windows\system32\BroSNMP.dll
2009-09-23 15:52 . 2008-01-25 07:21 167936 ------w- c:\windows\system32\NSSearch.dll
2009-09-23 15:52 . 2009-09-23 15:53 -------- d-----w- c:\program files\Brother
2009-09-23 15:52 . 2009-09-23 15:52 -------- d-----w- c:\documents and settings\Janet\Application Data\InstallShield
2009-09-23 15:51 . 2009-09-23 15:51 -------- d-----w- c:\program files\Nuance
2009-09-23 15:50 . 2009-09-23 15:50 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-23 15:50 . 2009-09-23 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-09-23 15:50 . 2009-09-23 15:50 -------- d-----w- c:\program files\ScanSoft
2009-09-23 15:49 . 2009-09-23 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-09-23 15:45 . 2004-08-03 15:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-09-23 15:45 . 2004-08-03 15:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-09-23 15:45 . 2004-08-03 15:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-09-23 15:45 . 2004-08-03 15:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-09-21 17:13 . 2009-09-21 17:13 -------- d-----w- c:\documents and settings\Janet\Application Data\Charles
2009-09-21 17:13 . 2009-09-21 17:13 -------- d-----w- c:\program files\Charles
2009-09-19 13:55 . 2009-10-13 12:27 -------- d-----w- c:\documents and settings\Janet\Application Data\FileZilla
2009-09-19 13:55 . 2009-10-11 11:44 -------- d-----w- c:\program files\FileZilla FTP Client
2009-09-18 13:36 . 2009-09-18 14:14 -------- d-----w- c:\documents and settings\Janet\.VirtualBox
2009-09-18 13:33 . 2009-07-10 09:51 115856 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2009-09-18 13:33 . 2009-07-10 09:51 91472 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2009-09-18 13:33 . 2009-07-10 09:51 41424 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 11:46 . 2009-07-12 02:24 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-10-16 11:45 . 2009-07-12 04:11 16608 ----a-w- c:\windows\gdrv.sys
2009-10-13 21:44 . 2009-07-12 04:54 -------- d-----w- c:\program files\BitComet
2009-10-13 10:39 . 2009-07-12 05:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 10:38 . 2009-07-12 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 06:34 . 2009-07-12 02:13 29768 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 04:47 . 2009-07-12 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-10 04:47 . 2009-07-12 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-04 06:22 . 2009-07-22 13:31 -------- d-----w- c:\documents and settings\Janet\Application Data\Orbit
2009-10-04 05:12 . 2009-07-15 10:36 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-02 15:52 . 2009-10-02 15:52 113024 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-02 15:51 . 2009-10-02 15:51 -------- d-----w- c:\program files\MSBuild
2009-10-02 15:51 . 2009-10-02 15:51 -------- d-----w- c:\program files\Reference Assemblies
2009-09-23 15:52 . 2009-07-12 01:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-20 09:01 . 2009-08-31 11:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-09-18 13:33 . 2009-07-12 04:21 -------- d-----w- c:\program files\Sun
2009-09-18 13:27 . 2009-08-23 03:11 -------- d-----w- c:\program files\EmfPrinter
2009-09-18 13:25 . 2009-08-23 03:20 -------- d-----w- c:\program files\ImagePrinter
2009-09-15 14:56 . 2009-07-12 02:10 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-15 10:23 . 2009-09-15 10:23 29332 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-13 10:41 . 2009-09-13 10:41 -------- d-----w- c:\program files\Graphviz2.24
2009-09-13 10:28 . 2009-09-10 21:47 -------- d-----w- c:\documents and settings\Janet\Application Data\JGoodies
2009-09-12 17:55 . 2009-07-12 07:06 -------- d-----w- c:\program files\QvodPlayer
2009-09-11 16:11 . 2009-09-10 13:13 -------- d-----w- c:\documents and settings\Janet\Application Data\Download Manager
2009-09-11 13:29 . 2009-09-11 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-11 13:20 . 2009-09-11 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-09-11 13:17 . 2009-09-11 13:17 -------- d-----w- c:\program files\Adobe Media Player
2009-09-11 13:12 . 2009-09-11 13:12 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-09-10 13:28 . 2009-09-10 13:28 -------- d-----w- c:\documents and settings\Janet\Application Data\inkscape
2009-08-31 11:25 . 2009-08-31 11:25 -------- d-----w- c:\documents and settings\Janet\Application Data\Talkback
2009-08-31 11:25 . 2009-08-31 11:25 -------- d-----w- c:\documents and settings\Janet\Application Data\Thunderbird
2009-08-31 09:01 . 2009-07-12 06:28 -------- d-----w- c:\documents and settings\Janet\Application Data\MySQL
2009-08-29 02:34 . 2009-08-29 00:42 -------- d-----w- c:\documents and settings\Janet\Application Data\ICAClient
2009-08-29 01:29 . 2009-07-14 10:50 -------- d-----w- c:\program files\Google
2009-08-29 00:32 . 2009-08-29 00:32 -------- d-----w- c:\program files\Citrix
2009-08-23 04:55 . 2009-08-23 04:55 -------- d-----w- c:\program files\PDFCreator
2009-08-23 02:20 . 2009-08-23 02:15 -------- d-----w- c:\program files\JPEG Printer
2009-08-23 02:03 . 2009-08-23 02:03 -------- d-----w- c:\program files\MSECache
2009-08-20 10:13 . 2009-08-20 10:13 -------- d-----w- c:\documents and settings\Janet\Application Data\.visualvm
2006-02-28 12:00 . 2006-02-28 12:00 80300 --sha-r- c:\windows\system32\lsrycr.dll
.

------- Sigcheck -------

[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2006-02-28 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Winsplit"="c:\green-programs\WinSplit Revolution\WinSplit.exe" [2009-02-27 3958784]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-10-13 492808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-12 148888]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12L~1\imesc\IMSCMig.exe" [2008-04-11 38432]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-03-24 606208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-15 2007320]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-13 18084864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"QvodPlayer"="c:\program files\QvodPlayer\QvodTerminal.exe" [2009-07-10 542088]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-10-13 492808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-7-19 221247]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-15 21:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20226:TCP"= 20226:TCP:BitComet 20226 TCP
"20226:UDP"= 20226:UDP:BitComet 20226 UDP
"3306:TCP"= 3306:TCP:MySQL Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"9991:TCP"= 9991:TCP:PORT2
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"33180:TCP"= 33180:TCP:FD
"58848:TCP"= 58848:TCP:FD
"17093:TCP"= 17093:TCP:FD
"29532:TCP"= 29532:TCP:FD
"22577:TCP"= 22577:TCP:FD
"16491:TCP"= 16491:TCP:FD
"1262:TCP"= 1262:TCP:pnusa

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/16/2009 5:59 AM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/16/2009 5:59 AM 356616]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [9/18/2009 9:33 PM 115856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [9/18/2009 9:33 PM 41424]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/16/2009 5:59 AM 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/16/2009 5:59 AM 285392]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [7/12/2009 9:52 AM 68136]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [7/12/2009 10:22 AM 22016]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/13/2009 6:42 PM 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [10/13/2009 6:42 PM 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [10/13/2009 6:36 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [10/13/2009 6:42 PM 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [10/13/2009 6:36 PM 335376]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [7/10/2009 5:51 PM 99472]
S2 esawkbbw;Helper System;c:\windows\system32\svchost.exe -k netsvcs [2/28/2006 8:00 PM 14336]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [7/12/2009 10:22 AM 28800]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [7/12/2009 10:22 AM 17408]
S3 Tomcat6;Apache Tomcat 6;c:\program files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [5/14/2009 7:15 AM 57344]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [9/18/2009 9:33 PM 91472]
SUnknown GVTDrv;GVTDrv; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ESAWKBBW

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ffxkxky
gtjny
esawkbbw

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
FF - ProfilePath - c:\documents and settings\Janet\Application Data\Mozilla\Firefox\Profiles\u6if2y4k.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 19:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\janet\LOCALS~1\Temp\~DFB4B5.tmp 311296 bytes
c:\windows\system32\GVTunner.ref 4 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\esawkbbw]
"ServiceDll"="c:\windows\system32\lsrycr.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3576)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2009-10-16 19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 11:48

Pre-Run: 84,572,975,104 bytes free
Post-Run: 84,491,968,512 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

318

Edited by janetsmith, 16 October 2009 - 08:58 AM.


#5 janetsmith (New Member, Authentic Member, 9 posts)

Posted 16 October 2009 - 08:53 AM

DDS (Ver_09-10-13.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3061.2267 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\green-programs\WinSplit Revolution\WinSplit.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\green-programs\TCPView\Tcpview.exe
C:\Documents and Settings\Janet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Winsplit] c:\green-programs\winsplit revolution\WinSplit.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [Microsoft Pinyin IME Migration] c:\progra~1\common~1\micros~1\ime12l~1\imesc\IMSCMig.exe /INSTALL
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [QvodPlayer] c:\program files\qvodplayer\QvodTerminal.exe
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {7412DDD1-C327-4BE3-9D41-6A3FC6F9A4C3} = 202.188.0.133 202.188.1.5
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janet\applic~1\mozilla\firefox\profiles\u6if2y4k.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-16 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-16 356616]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-9-18 115856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-9-18 41424]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-10-16 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-16 285392]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-7-12 68136]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-7-12 22016]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-10-13 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-10-13 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-10-13 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-10-13 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-10-13 335376]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-7-10 99472]
S2 esawkbbw;Helper System;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-7-12 28800]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-7-12 17408]
S3 Tomcat6;Apache Tomcat 6;c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6.exe [2009-5-14 57344]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-9-18 91472]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2009-10-16 19:37 <DIR> a-dshr-- C:\cmdcons
2009-10-16 19:36 236,544 a------- c:\windows\PEV.exe
2009-10-16 19:36 161,792 a------- c:\windows\SWREG.exe
2009-10-16 19:36 98,816 a------- c:\windows\sed.exe
2009-10-16 18:44 <DIR> --d----- c:\windows\ERUNT
2009-10-16 18:38 <DIR> --d----- C:\SDFix
2009-10-16 05:59 <DIR> --d----- C:\$AVG
2009-10-16 05:59 12,464 a------- c:\windows\system32\avgrsstx.dll
2009-10-16 05:59 356,616 a------- c:\windows\system32\drivers\avgtdix.sys
2009-10-16 05:59 333,192 a------- c:\windows\system32\drivers\avgldx86.sys
2009-10-16 05:59 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-10-16 05:59 <DIR> --d----- c:\program files\AVG
2009-10-16 05:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg9
2009-10-15 18:20 <DIR> --d----- c:\windows\pss
2009-10-14 23:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-14 23:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-14 23:58 <DIR> --d----- c:\docume~1\janet\applic~1\SUPERAntiSpyware.com
2009-10-14 21:10 10,752 a------- c:\windows\DCEBoot.exe
2009-10-14 17:29 <DIR> --d----- c:\docume~1\janet\applic~1\Malwarebytes
2009-10-14 17:29 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 17:29 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-14 17:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-14 17:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 18:42 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-10-13 18:42 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-10-13 18:42 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-10-13 18:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-10-13 18:41 <DIR> --d----- c:\program files\Trend Micro
2009-10-13 18:36 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-10-13 18:36 1,220,120 a------- c:\windows\system32\drivers\vsapint.sys
2009-10-13 18:36 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-10-13 18:36 225,296 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-10-13 18:36 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-10-13 18:36 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-10-10 13:24 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-10-10 12:18 81 a------- c:\windows\system32\asr_bffpe
2009-10-05 16:55 <DIR> --d----- c:\documents and settings\Janet\.yed3
2009-10-03 08:45 <DIR> --d----- c:\program files\Paint.NET
2009-10-02 23:51 <DIR> --d----- c:\windows\system32\XPSViewer
2009-10-02 23:50 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-02 23:50 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-02 23:50 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-02 23:50 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-10-02 23:50 117,760 -------- c:\windows\system32\prntvpt.dll
2009-10-02 23:50 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-10-02 23:50 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-10-02 23:49 <DIR> --d----- c:\program files\MSXML 6.0
2009-09-24 00:17 <DIR> --d--r-- c:\docume~1\janet\applic~1\Brother
2009-09-23 23:55 419 a------- c:\windows\BRWMARK.INI
2009-09-23 23:55 27 a------- c:\windows\BRPP2KA.INI
2009-09-23 23:53 50 a------- c:\windows\system32\bridf08b.dat
2009-09-23 23:53 1,522,176 a------- c:\windows\system32\BrWia08a.dll
2009-09-23 23:53 45,056 a------- c:\windows\system32\BrUsi08a.dll
2009-09-23 23:53 15,295 a------- c:\windows\system32\drivers\BrScnUsb.sys
2009-09-23 23:52 176,128 -------- c:\windows\system32\BroSNMP.dll
2009-09-23 23:52 73,728 -------- c:\windows\system32\BrDctF2.dll
2009-09-23 23:52 5,120 -------- c:\windows\system32\BrDctF2L.dll
2009-09-23 23:52 3,072 -------- c:\windows\system32\BrDctF2S.dll
2009-09-23 23:52 167,936 -------- c:\windows\system32\NSSearch.dll
2009-09-23 23:52 <DIR> --d----- c:\program files\Brother
2009-09-23 23:51 <DIR> --d----- c:\program files\Nuance
2009-09-23 23:50 31,567 a------- c:\windows\maxlink.ini
2009-09-23 23:50 <DIR> --d----- c:\program files\common files\ScanSoft Shared
2009-09-23 23:50 <DIR> --d----- c:\program files\ScanSoft
2009-09-23 23:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Brother
2009-09-23 23:45 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-09-23 23:45 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-09-23 23:45 31,616 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-09-23 23:45 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2009-09-22 01:13 <DIR> --d----- c:\docume~1\janet\applic~1\Charles
2009-09-22 01:13 <DIR> --d----- c:\program files\Charles
2009-09-18 21:36 <DIR> --d----- c:\documents and settings\Janet\.VirtualBox
2009-09-18 21:33 115,856 a------- c:\windows\system32\drivers\VBoxDrv.sys
2009-09-18 21:33 91,472 a------- c:\windows\system32\drivers\VBoxNetAdp.sys
2009-09-18 21:33 41,424 a------- c:\windows\system32\drivers\VBoxUSBMon.sys

==================== Find3M ====================

2009-10-16 22:04 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-10-16 22:04 16,608 a------- c:\windows\gdrv.sys
2009-09-15 18:23 29,332 a---h--- c:\windows\system32\mlfcache.dat
2006-02-28 20:00 80,300 a--shr-- c:\windows\system32\lsrycr.dll

============= FINISH: 22:21:01.00 ===============

Edited by janetsmith, 16 October 2009 - 09:00 AM.
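The ComboFix log in post #4 and the DDS log above together carry three things a helper would cross-check before writing a fix script: names listed in the svchost "NetSvcs" group that no longer have a service definition (ffxkxky, gtjny), a svchost-hosted service (esawkbbw, "Helper System") whose ServiceDll lsrycr.dll has the system+hidden+read-only attributes and the 2006-02-28 20:00 stamp that the XP SP2 system files carry, and registry values that switch Security Center monitoring and the Windows Firewall off. The script below is an added example, not output of ComboFix, DDS or any tool in the thread; it parses a constructed excerpt of those logs and applies triage rules that are this example's own assumptions (the attribute test, the orphan-name test and the two registry values), so it is a starting point for reading such logs, not a verdict on a machine.

```python
"""Triage helper for ComboFix / DDS log excerpts (added example, not tool output).

Cross-checks: svchost 'netsvcs' names with no service entry, svchost-hosted
services whose ServiceDll is a hidden+system file, and registry values that
turn Security Center monitoring or the Windows Firewall off. The rules are
this example's own assumptions, not rules from ComboFix or DDS.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix and DDS output in the thread.
SAMPLE_LOG = r"""
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [10/13/2009 6:42 PM 497008]
S2 esawkbbw;Helper System;c:\windows\system32\svchost.exe -k netsvcs [2/28/2006 8:00 PM 14336]
S3 Tomcat6;Apache Tomcat 6;c:\program files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [5/14/2009 7:15 AM 57344]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ffxkxky
gtjny
esawkbbw

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\esawkbbw]
"ServiceDll"="c:\windows\system32\lsrycr.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
2009-09-15 18:23 29,332 a---h--- c:\windows\system32\mlfcache.dat
2006-02-28 20:00 80,300 a--shr-- c:\windows\system32\lsrycr.dll
"""

SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[")      # R2 name;display;image [..]
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([a-zA-Z-]{8})\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")                                   # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')                     # "Name"=value


def parse_log(text: str) -> dict:
    """Collect services, the NetSvcs list, ServiceDll values, file attributes and
    protection-off registry values from a ComboFix/DDS style log."""
    services: Dict[str, str] = {}      # service name -> image path (lower-case)
    netsvcs: List[str] = []            # names listed under Svchost\NetSvcs
    service_dlls: Dict[str, str] = {}  # service name -> ServiceDll path
    file_attrs: Dict[str, str] = {}    # file path -> DDS attribute string
    disabled: List[str] = []           # registry values that turn protection off
    current_key = ""
    in_netsvcs = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_netsvcs:                 # the NetSvcs block ends at a blank line or a new key
            if not line or line.startswith("["):
                in_netsvcs = False
            else:
                netsvcs.append(line.lower())
                continue
        if line.lower().endswith("svchost - netsvcs"):
            in_netsvcs = True
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(1).strip().lower()] = m.group(2).strip().lower()
            continue
        m = FILE_RE.match(line)
        if m:
            file_attrs[m.group(2).strip().lower()] = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2).strip()
            if name == "servicedll":
                service_dlls[current_key.rsplit("\\", 1)[-1]] = value.strip('"').lower()
            elif name == "disablemonitoring" and "security center" in current_key and value.endswith("1"):
                disabled.append(current_key + "\\DisableMonitoring")
            elif name == "enablefirewall" and value.startswith("0"):
                disabled.append(current_key + "\\EnableFirewall")
    return {"services": services, "netsvcs": netsvcs, "service_dlls": service_dlls,
            "file_attrs": file_attrs, "disabled": disabled}


def triage(parsed: dict) -> List[Tuple[str, str]]:
    """Return (category, detail) findings; the rules are this example's assumptions."""
    findings: List[Tuple[str, str]] = []
    for name in parsed["netsvcs"]:                     # group member with no service definition
        if name not in parsed["services"]:
            findings.append(("orphan-netsvcs", name))
    for name, image in parsed["services"].items():     # svchost-hosted DLL that hides itself
        dll = parsed["service_dlls"].get(name)
        if "svchost.exe" in image and dll is not None:
            attrs = parsed["file_attrs"].get(dll, "")
            if "s" in attrs and "h" in attrs:          # system + hidden attributes set
                findings.append(("hidden-servicedll", f"{name} -> {dll} [{attrs}]"))
    for entry in parsed["disabled"]:
        findings.append(("protection-off", entry))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{category:18s} {detail}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents; on the excerpt it reports the two orphaned NetSvcs names, the esawkbbw -> lsrycr.dll pairing, and the two registry values. A hit on the attribute rule is a lead, not proof: confirm the DLL by hash or signature before deleting anything, and note that the orphaned names in this log match the "ffxkxky Registry key denied access to SYSTEM" event in the attach.txt log, which is what a partially removed service looks like.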


#6 janetsmith (New Member, Authentic Member, 9 posts)

Posted 16 October 2009 - 08:54 AM

[DDS attach.txt]

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-13.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/12/2009 9:44:24 AM
System Uptime: 10/16/2009 10:03:20 PM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | G31M-S2L
Processor: Intel Pentium III Xeon processor | Socket 775 | 2800/266mhz
Processor: Intel Pentium III Xeon processor | Socket 775 | 2800/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 98 GiB total, 78.695 GiB free.
D: is FIXED (NTFS) - 98 GiB total, 86.352 GiB free.
E: is FIXED (NTFS) - 98 GiB total, 90.067 GiB free.
F: is FIXED (NTFS) - 98 GiB total, 26.706 GiB free.
G: is FIXED (NTFS) - 59 GiB total, 58.528 GiB free.
H: is CDROM ()
I: is FIXED (NTFS) - 98 GiB total, 0.426 GiB free.
J: is FIXED (NTFS) - 98 GiB total, 4.299 GiB free.
K: is FIXED (NTFS) - 103 GiB total, 97.709 GiB free.
L: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VirtualBox Host-Only Ethernet Adapter
Device ID: ROOT\NET\0000
Manufacturer: Sun Microsystems, Inc.
Name: VirtualBox Host-Only Ethernet Adapter
PNP Device ID: ROOT\NET\0000
Service: VBoxNetAdp

==== System Restore Points ===================

RP1: 10/16/2009 7:45:44 PM - System Checkpoint

==== Installed Programs ======================

???????2007
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 8
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe SVG Viewer 3.0
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apache Tomcat 6.0 (remove only)
APC PowerChute Personal Edition
AVG 9.0
Balsamiq Mockups
BitComet 1.13
Brother MFL-Pro Suite DCP-165C
Charles
Choice Guard
Citrix Web Client
Connect Diagnostic Utility
DMIView B8.0717.01
Easy Tune 6 B09.0304.1
EasySaver B9.0410.1
eMule
FileZilla Client 3.2.8.1
Google Talk (remove only)
Graphviz
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Intel® Graphics Media Accelerator Driver
IrfanView (remove only)
Java DB 10.4.2.1
Java™ 6 Update 13
Java™ 6 Update 14
Java™ SE Development Kit 6 Update 14
JGoodies Forms Demo
JGoodies Looks Demo
Junk Mail filter update
K-Lite Codec Pack 5.0.0 (Full)
KC Softwares VideoInspector
kuler
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.3)
Mozilla Thunderbird (2.0.0.23)
MSVCRT
MSXML 6.0 Parser (KB933579)
MySQL Tools for 5.0
Nero 7 Essentials
neroxml
OpenOffice.org 3.1
Orbit Downloader
Paint.NET v3.36
PaperPort Image Printer
PDF Settings CS4
PDFCreator
pdfFactory Pro
Photoshop Camera Raw
Picasa 3
QvodPlayer v3.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
ScanSoft PaperPort 11
Segoe UI
Skeleton
Skeleton Pro
StarUML 5.0.2.1570
Suite Shared Configuration CS4
Sun xVM VirtualBox
Trend Micro Internet Security
Unlocker 1.8.7
Update for Windows XP (KB911164)
Update for Windows XP (KB932823-v3)
WebFldrs XP
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format Runtime
WinRAR archiver
XAMPP 1.7.1

==== Event Viewer Messages From Past Week ========

10/16/2009 7:45:39 PM, error: Service Control Manager [7023] - The Helper System service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
10/16/2009 7:43:46 PM, error: PlugPlayManager [11] - The device Root\LEGACY_UNLOCKERDRIVER5\0000 disappeared from the system without first being prepared for removal.
10/16/2009 7:41:44 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/16/2009 7:36:39 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/16/2009 7:32:13 PM, error: System Error [1003] - Error code 1000000a, parameter1 0000001c, parameter2 00000002, parameter3 00000001, parameter4 806e4a16.
10/16/2009 7:28:25 PM, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
10/16/2009 7:28:15 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
10/16/2009 6:44:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip tmtdi VBoxDrv VBoxUSBMon
10/16/2009 6:44:17 PM, error: Service Control Manager [7001] - The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/16/2009 6:44:17 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/16/2009 6:44:17 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/16/2009 6:44:17 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/16/2009 6:44:17 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/16/2009 6:43:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/16/2009 6:43:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/16/2009 5:39:01 PM, error: Service Control Manager [7034] - The Trend Micro Unauthorized Change Prevention Service service terminated unexpectedly. It has done this 1 time(s).
10/16/2009 5:36:51 PM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 1 time(s).
10/16/2009 5:35:36 PM, error: Service Control Manager [7034] - The Trend Micro Personal Firewall service terminated unexpectedly. It has done this 1 time(s).
10/16/2009 4:39:12 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
10/15/2009 8:12:38 PM, error: Service Control Manager [7000] - The Nero Registry InCD Service service failed to start due to the following error: The system cannot find the file specified.
10/15/2009 6:08:43 PM, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
10/14/2009 9:22:41 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 0075006e, parameter3 a7e8f390, parameter4 00000000.
10/14/2009 9:10:35 PM, error: Service Control Manager [7028] - The ffxkxky Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
10/14/2009 5:40:10 PM, error: Service Control Manager [7023] - The Helper Time service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
10/14/2009 5:39:43 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
10/10/2009 11:28:01 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00241D543E7B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/10/2009 1:29:13 PM, error: Service Control Manager [7031] - The Windows Hosts Controller service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.

==== End Of File ===========================

#7 janetsmith

janetsmith

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 16 October 2009 - 05:18 PM

RootRepeal seems to have a problem scanning my external hard disk, so I excluded it from the scan. I only scanned my internal hard disk.

[RootRepeal]

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/16 23:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA88C1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA624000 Size: 8192 File Visible: No Signed: -
Status: -

Name: IsDrv122.sys
Image Path: C:\WINDOWS\System32\Drivers\IsDrv122.sys
Address: 0x9F3DB000 Size: 211840 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA77C7000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x8975ccc0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8975c1c0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8975c480

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8975db20

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8975d240

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8975d500

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8975dcc0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8975c740

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x8975cf80

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8975ca00

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8975d980

Hidden Services
-------------------
Service Name: esawkbbw
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x8975e2e0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8975e100

==EOF==

Edited by janetsmith, 16 October 2009 - 05:21 PM.


#8 janetsmith

janetsmith

    New Member

  • Authentic Member
  • Pip
  • 9 posts

Posted 16 October 2009 - 06:30 PM

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-17 08:29:16
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\janet\LOCALS~1\Temp\uxldrpog.sys


---- System - GMER 1.0.15 ----

SSDT 8975CCC0 ZwCreateKey
SSDT 8975C1C0 ZwCreateProcess
SSDT 8975C480 ZwCreateProcessEx
SSDT 8975DB20 ZwCreateThread
SSDT 8975D240 ZwDeleteKey
SSDT 8975D500 ZwDeleteValueKey
SSDT 8975DCC0 ZwLoadDriver
SSDT 8975C740 ZwOpenProcess
SSDT 8975CF80 ZwSetValueKey
SSDT 8975CA00 ZwTerminateProcess
SSDT 8975D980 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv122.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device InCDFs.sys (InCD File System Driver/Nero AG)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] esawkbbw <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@DisplayName Helper System
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@Description Prefetches JRE files for faster startup of Java applets and applications
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw\Parameters@ServiceDll C:\WINDOWS\system32\lsrycr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@DisplayName Helper System
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@Description Prefetches JRE files for faster startup of Java applets and applications
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw\Parameters@ServiceDll C:\WINDOWS\system32\lsrycr.dll

---- EOF - GMER 1.0.15 ----

#9 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 18 October 2009 - 05:13 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Internet_connectivity_gone_t107656.html

collect::
c:\windows\system32\lsrycr.dll

KillAll::

Driver::
esawkbbw

NetSvc::
ffxkxky
gtjny
esawkbbw

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\esawkbbw]

FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB}

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.




NEXT

What can you tell me about all these open ports?
What do you use them for?

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9991:TCP"= 9991:TCP:PORT2
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"33180:TCP"= 33180:TCP:FD
"58848:TCP"= 58848:TCP:FD
"17093:TCP"= 17093:TCP:FD
"29532:TCP"= 29532:TCP:FD
"22577:TCP"= 22577:TCP:FD
"16491:TCP"= 16491:TCP:FD
"1262:TCP"= 1262:TCP:pnusa

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
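The firewall exceptions CatByte asks about above can be triaged mechanically. The Python script below is an added example, not part of the thread or of any tool used in it: it parses GloballyOpenPorts values in the format quoted in the post, checks that each value's name agrees with its data, and groups every entry not on an operator-maintained allow-list (whose contents are an assumption) by exception name, so a run of unrelated ephemeral ports sharing one generic label stands out.

```python
import re

# Constructed sample: the GloballyOpenPorts values quoted in post #9,
# in the abbreviated form the diagnostic log uses ("port:proto"= port:proto:name).
SAMPLE_LISTING = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9991:TCP"= 9991:TCP:PORT2
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"33180:TCP"= 33180:TCP:FD
"58848:TCP"= 58848:TCP:FD
"17093:TCP"= 17093:TCP:FD
"29532:TCP"= 29532:TCP:FD
"22577:TCP"= 22577:TCP:FD
"16491:TCP"= 16491:TCP:FD
"1262:TCP"= 1262:TCP:pnusa
"""

ENTRY_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(\d+):(TCP|UDP):(.*)$')


def parse_open_ports(listing):
    """Return one dict per firewall exception; raise if a value's name and data disagree."""
    entries = []
    for line in listing.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # section header or blank line
        key_port, key_proto, port, proto, name = match.groups()
        if (key_port, key_proto) != (port, proto):
            # A mismatch means the value was edited by hand or by something other than the firewall UI.
            raise ValueError(f"value name/data mismatch: {line!r}")
        entries.append({"port": int(port), "proto": proto, "name": name.strip()})
    return entries


def flag_unexpected(entries, allowlist=frozenset()):
    """Group exceptions not on the allow-list by their label (allow-list is assumed, per machine).

    Returns {label: [ports]} so that one label spread over many ephemeral ports is visible at a glance.
    """
    report = {}
    for entry in entries:
        if entry["name"] not in allowlist:
            report.setdefault(entry["name"], []).append(entry["port"])
    return report


if __name__ == "__main__":
    for label, ports in flag_unexpected(parse_open_ports(SAMPLE_LISTING)).items():
        print(f"{label}: {sorted(ports)}")
```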


#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 24 October 2009 - 01:09 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
