WIN32.TDSS.rtk

dibbles00
2009-08-30, 14:01
Hello,
I am new to this forum, although I joined quite some time ago. I have so far been fortunate enough not to get any viruses, until...

I have now got a rootkit installed on my work laptop and can't get rid of it. After running Spybot Search & Destroy, it found it to be based in:

Win32.TDSS.rtk: [SBI $4568377B] File (File, nothing done)
C:\Windows\System32\drivers\kbiwkmorpwvvdh.sys
Properties.size=0
Properties.md5=0678BC19F51CEEE13254B4F2B52A090E
Win32.TDSS.rtk: [SBI $4568377B] File (File, nothing done)
C:\Windows\System32\drivers\kbiwkmxnphynrh.sys
Properties.size=0
Properties.md5=0678BC19F51CEEE13254B4F2B52A090E
Win32.TDSS.rtk: [SBI $6BF0B3E5] File (File, nothing done)
C:\Windows\System32\kbiwkmctttcpxp.dll
Properties.size=0
Properties.md5=686C6457694856BA8157A1E872D5E7E5
Win32.TDSS.rtk: [SBI $6BF0B3E5] File (File, nothing done)
C:\Windows\System32\kbiwkmcubfqpqt.dll
Properties.size=0
Properties.md5=782C1797DE394BC972D3585C0906A4C8
Win32.TDSS.rtk: [SBI $6BF0B3E5] File (File, nothing done)
C:\Windows\System32\kbiwkmnsqiiorm.dll
Properties.size=0
Properties.md5=686C6457694856BA8157A1E872D5E7E5
Win32.TDSS.rtk: [SBI $6BF0B3E5] File (File, nothing done)
C:\Windows\System32\kbiwkmpiqprxyp.dll
Properties.size=0
Properties.md5=782C1797DE394BC972D3585C0906A4C8
Win32.TDSS.rtk: [SBI $D8151B64] File (File, nothing done)
C:\Windows\System32\kbiwkmdpxqjrpo.dat
Properties.size=0
Properties.md5=F3662C3083335C2DF35F01CB443AAD6C
Win32.TDSS.rtk: [SBI $D8151B64] File (File, nothing done)
C:\Windows\System32\kbiwkmfvoqstsn.dat
Properties.size=0
Properties.md5=DCF9DDEF0CC0EED24F970B815DD4D311
Win32.TDSS.rtk: [SBI $D8151B64] File (File, nothing done)
C:\Windows\System32\kbiwkmowdwicej.dat
Properties.size=0
Properties.md5=17F8886F213CB644385DBACCC5709027
Win32.TDSS.rtk: [SBI $D8151B64] File (File, nothing done)
C:\Windows\System32\kbiwkmxtdlhttv.dat
Properties.size=0
Properties.md5=17F8886F213CB644385DBACCC5709027
Win32.TDSS.rtk: [SBI $D8151B64] File (File, nothing done)
C:\Windows\System32\kbiwkmyeaxjvud.dat
Properties.size=0
Properties.md5=17F8886F213CB644385DBACCC5709027
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-08-30 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-08-25 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-08-25 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-08-04 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-30 Includes\KeyloggersC.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-08-25 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-08-25 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-07-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-08-11 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-25 Includes\Trojans.sbi (*)
2009-08-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

I have been trying to follow the guides on this great forum, but can't move on to the next step, as it says:

ComboFix SHOULD NOT be used unless requested by a forum helper

This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:41, on 30/08/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Windows\Explorer.EXE
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\www.samsungcomputer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = eduproxy.bgfl.org:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = learninggateway.greatbarr.bham.sch.uk;greatbarr.misportal.net;mysite.greatbarr.bham.sch.uk;*.gbit.local;exchange01.gbit.local;ocs01.gbit.local;ocs01;exchange01;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O3 - Toolbar: SynchronEyes - {8E1233B3-485A-4E51-B77E-9E075A68C588} - C:\Program Files\SynchronEyes Teacher 7.0\SEyesIeToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.exchange01
O15 - Trusted Zone: http://exchange01.gbit.local
O15 - Trusted Zone: http://ocs01.gbit.local
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-gb/wlscctrl2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GBIT.local
O17 - HKLM\Software\..\Telephony: DomainName = GBIT.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GBIT.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GBIT.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL,avgrsstx.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 9942 bytes

Any help would be appreciated, as the problem laptop isn't even connecting to the Internet anymore?!

I am using my old XP laptop, which still is connecting, so I know my connection is working, etc.

Please help!!! Many thanks.

PS: I have downloaded all of the tools onto this computer from this post:

http://forums.spybot.info/showthread.php?t=50755

to my portable hard drive and am swapping it between computers to get all of this up. I cannot use the Trend Micro scan, as suggested in another post, due to the Internet connection issue.

Many thanks,
Dee

dibbles00
2009-08-30, 20:43
I have been working at this all day, have followed a number of leads and have used ComboFix too. I will now post this log, as it has just been completed.

Here is a list of files that Spybot picked up as harmful, if this is any help:

c:\windows\system32\drivers\kbiwkmorpwvvdh.sys
c:\windows\system32\drivers\kbiwkmxnphynrh.sys
c:\windows\system32\kbiwkmctttcpxp.dll
c:\windows\system32\kbiwkmcubfqpqt.dll
c:\windows\system32\kbiwkmdpxqjrpo.dat
c:\windows\system32\kbiwkmfvoqstsn.dat
c:\windows\system32\kbiwkmnsqiiorm.dll
c:\windows\system32\kbiwkmowdwicej.dat
c:\windows\system32\kbiwkmpiqprxyp.dll
c:\windows\system32\kbiwkmxtdlhttv.dat
c:\windows\system32\kbiwkmyeaxjvud.dat

Many thanks in advance,
Deepak

ComboFix 09-08-29.01 - D.Aggarwal 30/08/2009 13:28.1.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.1789.999 [GMT 1:00]
Running from: c:\users\d.aggarwal\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2906639505-3138198470-1606661687-1003
c:\$recycle.bin\S-1-5-21-2906639505-3138198470-1606661687-500
c:\$recycle.bin\S-1-5-21-3658118854-581356511-1599329786-500
c:\windows\msetup
c:\windows\msetup\BASW-00503A63\data1.cab
c:\windows\msetup\BASW-00503A63\data1.hdr
c:\windows\msetup\BASW-00503A63\data2.cab
c:\windows\msetup\BASW-00503A63\engine32.cab
c:\windows\msetup\BASW-00503A63\layout.bin
c:\windows\msetup\BASW-00503A63\PlayCamera\CameraOn.wav
c:\windows\msetup\BASW-00503A63\PlayCamera\Click.wav
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_chs_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_cht_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_deu_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_eng_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_esp_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_fra_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_ita_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_kor_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_ptg_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_rus_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\Help\PlayCamera_ukr_s.chm
c:\windows\msetup\BASW-00503A63\PlayCamera\HookDllPS2.dll
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\Back_Big.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\Back_Small.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\gbCancel.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\gbHelp.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\gbOk.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\gbOpen.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\gbPreviewOff.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\gbPreviewOn.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\gbRecordOff.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\gbRecordOn.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\gbSnap.bmp
c:\windows\msetup\BASW-00503A63\PlayCamera\Images\PlayCamera.ico
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_chs.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_cht.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_deu.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_eng.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_esp.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_fra.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_ita.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_kor.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_ptg.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_rus.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\Language\PlayCamera_ukr.txt
c:\windows\msetup\BASW-00503A63\PlayCamera\PlayCamera.exe
c:\windows\msetup\BASW-00503A63\PlayCamera\SSHook.dll
c:\windows\msetup\BASW-00503A63\PlayCamera\Uninst.ico
c:\windows\msetup\BASW-00503A63\setup.exe
c:\windows\msetup\BASW-00503A63\setup.ibt
c:\windows\msetup\BASW-00503A63\setup.ini
c:\windows\msetup\BASW-00503A63\setup.iss
c:\windows\msetup\BASW-00503A63\SWDesc.txt
c:\windows\msetup\BASW-01038A02\ChgWLANSettings.exe
c:\windows\msetup\MSetup.exe
c:\windows\msetup\MSetupLog.log
c:\windows\system32\drivers\kbiwkmorpwvvdh.sys
c:\windows\system32\drivers\kbiwkmxnphynrh.sys
c:\windows\system32\kbiwkmctttcpxp.dll
c:\windows\system32\kbiwkmcubfqpqt.dll
c:\windows\system32\kbiwkmdpxqjrpo.dat
c:\windows\system32\kbiwkmfvoqstsn.dat
c:\windows\system32\kbiwkmnsqiiorm.dll
c:\windows\system32\kbiwkmowdwicej.dat
c:\windows\system32\kbiwkmpiqprxyp.dll
c:\windows\system32\kbiwkmxtdlhttv.dat
c:\windows\system32\kbiwkmyeaxjvud.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmqxcprkro
-------\Service_kbiwkmwgbbwwno
-------\Legacy_kbiwkmqxcprkro
-------\Legacy_kbiwkmwgbbwwno


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-30 12:36 . 2009-08-30 18:02 -------- d-----w- c:\users\d.aggarwal\AppData\Local\temp
2009-08-30 12:36 . 2009-08-30 12:36 -------- d-----w- c:\users\user\AppData\Local\temp
2009-08-30 12:36 . 2009-08-30 12:36 -------- d-----w- c:\users\owner\AppData\Local\temp
2009-08-30 12:36 . 2009-08-30 12:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-30 11:32 . 2009-08-30 11:32 -------- d-----w- c:\program files\Trend Micro
2009-08-30 01:04 . 2009-08-30 01:09 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-30 01:04 . 2009-08-30 01:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 15:07 . 2009-08-29 15:08 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-28 15:39 . 2009-08-30 10:29 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-28 09:50 . 2009-07-24 08:56 1062144 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2009-08-28 02:13 . 2009-08-28 02:13 -------- d-----w- c:\users\d.aggarwal\AppData\Local\AVG Security Toolbar
2009-08-28 02:06 . 2009-08-28 02:06 -------- d-----w- c:\programdata\Downloaded Installations
2009-08-28 02:06 . 2009-08-28 02:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 02:06 . 2009-08-28 02:06 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-28 02:06 . 2009-08-28 02:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-28 02:06 . 2009-08-28 09:52 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-28 02:06 . 2009-08-28 02:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 02:06 . 2009-08-28 02:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 02:06 . 2009-08-28 09:50 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-08-28 02:05 . 2009-08-30 00:22 -------- d-----w- c:\programdata\avg8
2009-08-28 02:05 . 2009-08-28 02:05 23832 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-08-28 02:05 . 2009-08-28 02:05 -------- d-----w- c:\program files\AVG
2009-08-28 02:02 . 2009-08-28 02:02 -------- d-----w- c:\users\d.aggarwal\AppData\Roaming\Malwarebytes
2009-08-28 02:02 . 2009-08-28 02:02 -------- d-----w- c:\programdata\Malwarebytes
2009-08-28 00:48 . 2009-08-28 00:48 -------- d-----w- c:\users\d.aggarwal\AppData\Local\Sophos
2009-08-27 23:45 . 2009-08-27 23:57 -------- d-----w- c:\programdata\SITEguard
2009-08-27 23:44 . 2009-08-27 23:44 -------- d-----w- c:\program files\Common Files\iS3
2009-08-27 23:44 . 2009-08-28 00:01 -------- d-----w- c:\programdata\STOPzilla!
2009-08-27 23:41 . 2009-08-27 23:41 -------- d-----w- c:\users\d.aggarwal\AppData\Roaming\AVG8
2009-08-27 07:40 . 2009-08-27 07:40 -------- d-----w- c:\programdata\WindowsSearch
2009-08-26 23:42 . 2009-08-26 23:42 -------- d-----w- c:\programdata\FLEXnet
2009-08-26 23:41 . 2009-08-26 23:41 -------- d-----w- c:\programdata\Macrovision
2009-08-25 00:30 . 2009-08-07 11:44 30400 ----a-w- c:\users\d.aggarwal\AppData\Roaming\Mozilla\Firefox\Profiles\nq40gys2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-08-25 00:30 . 2009-08-07 11:44 22848 ----a-w- c:\users\d.aggarwal\AppData\Roaming\Mozilla\Firefox\Profiles\nq40gys2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-08-25 00:30 . 2009-08-07 11:44 19792 ----a-w- c:\users\d.aggarwal\AppData\Roaming\Mozilla\Firefox\Profiles\nq40gys2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-08-25 00:26 . 2009-08-25 00:26 0 ----a-w- c:\windows\nsreg.dat
2009-08-25 00:26 . 2009-08-25 00:26 -------- d-----w- c:\users\d.aggarwal\AppData\Local\Mozilla
2009-08-24 23:40 . 2009-08-24 23:40 -------- d-----w- c:\users\d.aggarwal\AppData\Local\Google
2009-08-24 23:39 . 2009-08-24 23:40 -------- d-----w- c:\program files\Google
2009-08-24 23:39 . 2009-08-25 00:55 -------- d-----w- c:\programdata\NOS
2009-08-24 23:39 . 2009-08-24 23:39 -------- d-----w- c:\program files\NOS
2009-08-18 23:55 . 2009-08-18 23:55 -------- d-----w- c:\windows\Sun
2009-08-18 20:53 . 2009-08-18 20:53 -------- d-----w- c:\program files\MSXML 4.0
2009-08-18 20:53 . 2009-08-18 20:53 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-08-18 20:44 . 2009-08-18 20:44 -------- d-----w- c:\program files\ATI
2009-08-18 20:39 . 2009-08-18 20:39 -------- d-----w- c:\programdata\LightScribe
2009-08-18 20:14 . 2009-08-18 20:14 -------- d-----w- c:\program files\Apple Software Update
2009-08-18 20:14 . 2009-08-18 20:14 -------- d-----w- c:\programdata\Apple
2009-08-18 20:14 . 2009-08-18 20:14 -------- d-----w- c:\users\d.aggarwal\AppData\Local\Apple
2009-08-18 19:57 . 2009-08-18 19:57 -------- d-----w- c:\program files\Microsoft
2009-08-18 19:57 . 2009-08-18 19:57 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-18 19:56 . 2009-08-18 19:57 -------- d-----w- c:\program files\Windows Live
2009-08-18 19:54 . 2009-08-18 19:54 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-18 19:44 . 2009-02-15 23:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-18 19:44 . 2009-02-15 23:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-18 19:44 . 2009-02-15 23:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-18 19:44 . 2009-08-18 19:44 -------- d-----w- c:\program files\Zone Labs
2009-08-18 19:43 . 2009-08-18 19:44 -------- d-----w- c:\windows\system32\ZoneLabs
2009-08-18 19:43 . 2009-02-15 23:11 293528 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2009-08-18 19:42 . 2009-08-18 19:42 -------- d-----w- c:\programdata\CheckPoint
2009-08-18 19:42 . 2009-08-30 12:39 -------- d-----w- c:\windows\Internet Logs
2009-08-18 19:21 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-08-18 19:05 . 2008-10-16 21:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-18 19:05 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-08-18 19:05 . 2008-10-16 20:56 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-08-18 19:05 . 2008-10-16 21:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-18 19:04 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-08-18 19:04 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-08-18 19:04 . 2008-10-16 20:55 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-08-18 19:04 . 2008-10-16 13:08 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-18 19:04 . 2008-10-16 12:56 31232 ----a-w- c:\windows\system32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 12:38 . 2009-08-18 19:43 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-08-30 12:36 . 2008-07-26 23:22 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-28 03:59 . 2009-08-28 04:01 1431040 ----a-w- c:\windows\Internet Logs\xDBE7A1.tmp
2009-08-28 03:22 . 2009-08-28 03:24 1431040 ----a-w- c:\windows\Internet Logs\xDB30.tmp
2009-08-27 23:47 . 2009-08-27 23:52 162304 ----a-w- c:\windows\Internet Logs\xDBEDD9.tmp
2009-08-27 23:47 . 2009-08-27 23:52 1424384 ----a-w- c:\windows\Internet Logs\xDBEF31.tmp
2009-08-21 20:23 . 2008-07-26 08:01 -------- d-----w- c:\programdata\Microsoft Help
2009-08-18 22:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-18 22:46 . 2009-07-07 11:13 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-18 20:17 . 2009-07-07 09:11 -------- d-----w- c:\programdata\Apple Computer
2009-07-21 21:52 . 2009-08-18 19:22 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-18 19:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-18 19:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-18 19:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 16:19 . 2009-07-21 16:19 0 ----a-w- c:\windows\system32\atiicdxx.dat
2009-07-21 13:03 . 2009-07-21 13:03 -------- d-----w- c:\program files\GPLGS
2009-07-21 12:56 . 2009-07-21 12:56 -------- d-----w- c:\program files\Acro Software
2009-07-21 12:51 . 2009-07-21 12:51 -------- d-----w- c:\programdata\CyberLink
2009-07-21 12:51 . 2009-07-21 12:51 -------- d-----w- c:\users\d.aggarwal\AppData\Roaming\CyberLink
2009-07-21 12:46 . 2009-07-21 12:46 -------- d-----w- c:\users\d.aggarwal\AppData\Roaming\SMART Technologies Inc
2009-07-21 12:04 . 2009-07-21 12:04 101432 ----a-w- c:\users\d.aggarwal\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-21 11:13 . 2009-07-07 08:13 -------- d-----w- c:\programdata\Sophos
2009-07-21 11:13 . 2009-07-07 08:13 -------- d-----w- c:\program files\Sophos
2009-07-21 10:12 . 2009-07-21 09:13 101432 ----a-w- c:\users\a.lakin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-21 10:00 . 2009-07-21 10:00 -------- d-----w- c:\program files\Common Files\SMART Technologies Inc
2009-07-21 10:00 . 2009-07-21 10:00 -------- d-----w- c:\program files\SynchronEyes Teacher 7.0
2009-07-21 09:54 . 2009-07-21 09:49 -------- d-----w- c:\program files\Common Files\Macromedia
2009-07-21 09:53 . 2009-07-21 09:48 -------- d-----w- c:\program files\Macromedia
2009-07-21 09:53 . 2008-07-26 07:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-21 09:49 . 2009-07-21 09:49 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2009-07-21 09:32 . 2008-07-26 07:36 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-21 09:23 . 2009-07-21 09:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-21 09:20 . 2009-07-21 09:20 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-21 09:05 . 2009-07-21 09:05 101040 ----a-w- c:\users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-17 13:54 . 2009-08-18 19:22 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-18 19:22 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-18 19:22 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-18 19:22 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-18 19:22 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-07 13:33 . 2009-07-07 13:33 -------- d-----w- c:\program files\VideoLAN
2009-07-07 12:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-07 12:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-07 12:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-07 12:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-07 12:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-07 12:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-07 12:10 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-07 11:14 . 2009-07-07 11:13 -------- d-----w- c:\program files\Java
2009-07-07 11:13 . 2009-07-07 11:13 -------- d-----w- c:\program files\Common Files\Java
2009-07-07 11:09 . 2009-07-07 11:09 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-07 11:09 . 2009-07-07 11:08 -------- d-----w- c:\program files\Common Files\Real
2009-07-07 11:08 . 2009-07-07 11:08 -------- d-----w- c:\program files\Real
2009-07-07 10:26 . 2009-07-07 10:26 -------- d-----w- c:\program files\IT Vision
2009-07-07 10:23 . 2009-07-07 08:10 101040 ----a-w- c:\users\administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-07 10:09 . 2008-07-26 08:04 -------- d-----w- c:\program files\Microsoft Works
2009-07-07 09:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2009-07-07 09:53 . 2009-07-07 09:53 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-07-07 09:30 . 2009-07-07 09:30 -------- d-----w- c:\program files\Microsoft Office Communicator
2009-07-07 09:10 . 2009-07-07 09:10 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-07 08:38 . 2009-07-07 08:38 -------- d-----w- c:\program files\Greatbarr School
2009-07-07 08:15 . 2009-07-07 08:15 -------- d-----w- c:\program files\Common Files\Cisco Systems
2009-07-07 08:14 . 2009-07-07 08:15 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2009-07-07 08:14 . 2009-07-07 08:15 23552 ----a-w- c:\windows\system32\sophosboottasks.exe
2009-07-07 08:14 . 2009-07-07 08:14 20288 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2009-07-07 08:14 . 2009-07-07 08:14 93192 ----a-w- c:\windows\system32\drivers\savonaccess.sys
2009-07-07 08:14 . 2009-07-07 08:14 82432 ----a-w- c:\windows\system32\msxml4r.dll
2009-07-07 07:48 . 2008-07-26 08:09 -------- d-----w- c:\programdata\McAfee
2009-07-06 14:57 . 2009-07-06 14:57 101040 ----a-w- c:\users\owner\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-06 14:55 . 2008-07-26 07:35 -------- d-----w- c:\program files\Samsung
2009-07-01 15:28 . 2009-07-21 11:13 90112 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\instlmgr.dll
2009-07-01 15:28 . 2009-07-21 11:13 253952 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\sauconfigdll.dll
2009-07-01 15:28 . 2009-07-21 11:13 663552 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\alupdate.exe
2009-07-01 15:28 . 2009-07-21 11:13 69632 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\ispsheet.dll
2009-07-01 15:28 . 2009-07-21 11:13 245760 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\almon.exe
2009-07-01 15:28 . 2009-07-21 11:13 184320 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\eecustomactions.dll
2009-07-01 15:28 . 2009-07-21 11:13 172032 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\channelupdater.dll
2009-07-01 15:28 . 2009-07-21 11:13 172032 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\alsvc.exe
2009-07-01 15:28 . 2009-07-21 11:13 499712 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\auadapter.dll
2009-07-01 15:28 . 2009-07-21 11:13 208896 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\setup.dll
2009-06-15 23:15 . 2009-08-18 19:22 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-15 14:54 . 2009-08-18 19:22 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-06-15 14:53 . 2009-08-18 19:22 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:53 . 2009-08-18 19:22 72704 ----a-w- c:\windows\system32\secur32.dll
2009-06-15 14:53 . 2009-08-18 19:22 270848 ----a-w- c:\windows\system32\schannel.dll
2009-06-15 14:53 . 2009-08-18 19:22 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-15 14:52 . 2009-08-18 19:22 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-15 14:52 . 2009-08-18 19:22 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-08-18 19:22 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-06-15 14:52 . 2009-08-18 19:22 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-08-18 19:22 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:48 . 2009-08-18 19:22 9728 ----a-w- c:\windows\system32\lsass.exe
2009-06-15 12:42 . 2009-08-18 19:22 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-10 11:42 . 2009-08-18 19:22 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 11:38 . 2009-08-18 19:22 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-06-04 12:07 . 2009-08-18 19:22 2066432 ----a-w- c:\windows\system32\mstscax.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:56 1062144 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-17 6111232]

c:\users\d.aggarwal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-2-12 723496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2894738058-2075597108-2183462035-1650\Scripts\Logon\0\0]
"Script"=\\dc01\netlogon\Staff\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2894738058-2075597108-2183462035-5682\Scripts\Logon\0\0]
"Script"=\\dc01\netlogon\Staff\logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9b,4b,ae,c3,fc,fe,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [28/08/2009 03:06 12552]
R1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [28/08/2009 03:05 23832]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [28/08/2009 03:06 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [28/08/2009 03:06 108552]
R1 SAVOnAccess;SAVOnAccess;c:\windows\System32\drivers\savonaccess.sys [07/07/2009 09:14 93192]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\System32\drivers\KMDFMEMIO.sys [26/07/2008 08:41 13312]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [14/04/2006 02:07 28933976]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [07/07/2009 09:14 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [07/07/2009 09:14 98304]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 05:46 284016]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [21/01/2008 03:24 21504]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [20/05/2008 20:36 3663360]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [28/08/2009 03:05 297752]
S4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [28/08/2009 03:05 1370488]
S4 SophosBootDriver;SophosBootDriver;c:\windows\System32\drivers\SophosBootDriver.sys [07/07/2009 09:14 20288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\User_Feed_Synchronization-{35688AC2-8E9A-41CF-BA1E-D80C6637403C}.job
- c:\windows\system32\msfeedssync.exe [2009-08-18 20:13]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
Toolbar-Locked - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp:\\www.samsungcomputer.com
mStart Page = hxxp:\\www.samsungcomputer.com
uInternet Settings,ProxyServer = eduproxy.bgfl.org:80
uInternet Settings,ProxyOverride = learninggateway.greatbarr.bham.sch.uk;greatbarr.misportal.net;mysite.greatbarr.bham.sch.uk;*.gbit.local;exchange01.gbit.local;ocs01.gbit.local;ocs01;exchange01;<local>
Trusted Zone: bgfl.org\assyst
Trusted Zone: exchange01
Trusted Zone: gbit.local\exchange01
Trusted Zone: gbit.local\ocs01
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\users\d.aggarwal\AppData\Roaming\Mozilla\Firefox\Profiles\nq40gys2.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\users\d.aggarwal\AppData\Roaming\Mozilla\Firefox\Profiles\nq40gys2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 19:02
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\DFE64~1.AGG\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(640)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'Explorer.exe'(3680)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\ZoneLabs\vsmon.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
.
**************************************************************************
.
Completion time: 2009-08-30 19:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 18:06

Pre-Run: 125,483,229,184 bytes free
Post-Run: 125,353,168,896 bytes free

485 --- E O F --- 2009-08-24 20:10


Now that this has been completed I'm really stuck, as I don't know what to do next. I have read a lot and still I'm unsure. One thing is that my work laptop will not even connect to the Internet anymore, and I go back on Thursday and am really worried.

dibbles00
2009-08-30, 21:13
Is anyone actually on this planet? Doesn't seem that way :(

dibbles00
2009-08-31, 00:19
Well, I'm giving up for today. I hope that Shabba is on hand tomorrow, as I could really do with your assistance in helping to get rid of this VIRUS\BUG\TROJAN :spider:

Thanks,
Dee