gsmer
2010-08-31, 07:32
I seem to have a problem with "Win32.Agent.deot". I used Spybot to scan the problem and fix it, but it just keeps coming back. I also notice a click sound in the background around 4-6 PM every day (which is a clue that it's back).
I just don't know how to get rid of it forever. I have tried other programs, but Spybot Search & Destroy is the only one that finds it.
Win32.Agent.deot HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lac97inf is the location it shows from Spybot.
DDS LOG:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 21:18:54.09 on Mon 08/30/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1249 [GMT -7:00]
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Matt\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\o4812a8q.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-21 64288]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-27 176128]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-16 1153368]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-5-27 5586432]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-5-27 209920]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-6-23 21504]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]
RUnknown lac97inf;lac97inf; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355416]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2010-08-30 03:15:34 0 d-----w- c:\program files\Valve
2010-08-26 02:57:17 0 d-----w- c:\users\matt\appdata\roaming\Screaming Bee
2010-08-26 02:56:29 0 d-----w- c:\programdata\Screaming Bee
2010-08-26 02:56:29 0 d-----w- c:\program files\Screaming Bee
2010-08-23 05:16:20 218 ----a-w- c:\users\matt\.recently-used.xbel
2010-08-21 03:31:26 0 d-----w- c:\users\matt\appdata\roaming\Armagetron
2010-08-21 03:31:22 0 d-----w- c:\programdata\Armagetron
2010-08-21 03:31:22 0 d-----w- c:\program files\Armagetron Advanced
2010-08-18 03:48:16 0 d-----w- c:\program files\ASC Games
2010-08-15 10:30:42 1908 ----a-w- c:\windows\diagwrn.xml
2010-08-15 10:30:42 1908 ----a-w- c:\windows\diagerr.xml
2010-08-15 04:38:53 0 d-----w- c:\program files\Lavalys
2010-08-14 12:01:57 52736 ----a-w- c:\windows\ipuninst.exe
2010-08-14 11:58:32 0 d-----w- c:\program files\BlackIsle
2010-08-12 07:47:04 0 d-----w- c:\users\matt\appdata\roaming\uTorrent
2010-08-10 21:33:53 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-10 21:33:52 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-10 21:33:48 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-10 21:33:47 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-10 21:33:46 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-10 21:33:43 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-08 01:12:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 01:12:03 0 d-----w- c:\programdata\Malwarebytes
2010-08-08 01:12:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 01:12:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-07 06:28:34 0 d-----w- c:\program files\VideoLAN
2010-08-07 06:09:29 0 d-----w- C:\Fraps
2010-08-07 05:25:10 26 ----a-w- c:\windows\system32\unregister.bat
2010-08-07 05:25:10 245760 ----a-w- c:\windows\system32\MADFilter.ax
2010-08-07 05:25:10 23 ----a-w- c:\windows\system32\register.bat
2010-08-06 22:28:17 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-08-06 20:17:19 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-08-06 20:17:19 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2010-08-06 20:16:50 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2010-08-06 19:57:18 0 d-----w- c:\windows\system32\xlive
2010-08-04 19:17:17 0 d-----w- c:\program files\common files\PX Storage Engine
2010-08-04 19:12:55 0 d-----w- c:\programdata\DivX
2010-08-04 05:28:04 0 d-----w- c:\program files\Bethesda Softworks
==================== Find3M ====================
2010-08-31 01:16:53 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-08-29 12:47:00 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-29 12:47:00 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-08-29 12:47:00 143360 ----a-w- c:\windows\inf\infstor.dat
2010-08-15 16:59:01 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-07-23 05:31:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-07-23 05:30:44 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-07-23 05:02:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-07-23 04:57:43 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-07-17 12:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 08:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-09 19:04:40 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-06-26 06:05:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-23 07:57:04 174 --sha-w- c:\program files\desktop.ini
2010-06-23 07:37:33 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-06-23 07:37:24 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-06-22 05:57:32 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-21 13:37:03 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-20 10:01:42 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-06-20 06:34:51 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-06-18 17:31:29 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 06:42:10 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-06-18 06:42:10 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-06-18 04:34:46 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-06-18 04:34:45 272896 ----a-w- c:\windows\system32\polstore.dll
2010-06-18 04:25:22 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-06-18 04:25:22 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-06-18 04:25:22 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-06-18 04:25:22 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-06-18 04:25:22 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-06-18 04:25:22 17920 ----a-w- c:\windows\system32\netevent.dll
2010-06-18 04:25:22 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-06-18 04:25:22 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-06-18 04:25:22 10240 ----a-w- c:\windows\system32\finger.exe
2010-06-18 04:20:03 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-06-18 04:20:02 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-06-18 04:20:02 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-06-18 04:20:02 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-06-18 04:20:02 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-06-18 04:20:02 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-06-18 04:19:59 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-06-18 04:18:15 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-06-18 04:17:45 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-06-18 04:17:44 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-06-18 04:15:54 23552 ----a-w- c:\windows\system32\lpk.dll
2010-06-18 04:15:54 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-06-18 04:14:15 72704 ----a-w- c:\windows\system32\secur32.dll
2010-06-18 04:14:15 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-18 04:14:15 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-06-18 04:14:14 9728 ----a-w- c:\windows\system32\lsass.exe
2010-06-18 04:14:14 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-06-18 04:10:47 98816 ----a-w- c:\windows\system32\mfps.dll
2010-06-18 04:10:47 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-06-18 04:10:47 2868224 ----a-w- c:\windows\system32\mf.dll
2010-06-18 04:10:46 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-06-18 04:10:46 2048 ----a-w- c:\windows\system32\mferror.dll
2010-06-18 03:58:50 71680 ----a-w- c:\windows\system32\atl.dll
2010-06-18 03:49:38 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-06-18 03:48:02 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-06-18 03:48:02 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-06-18 03:48:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-06-18 03:29:55 623616 ----a-w- c:\windows\system32\localspl.dll
2010-06-18 03:11:56 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-06-18 03:05:42 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-06-18 02:55:14 37888 ----a-w- c:\windows\system32\printcom.dll
2010-06-18 02:51:10 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-06-18 02:49:46 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-06-18 02:48:15 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-06-18 02:48:15 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-06-18 02:48:15 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-06-18 02:48:15 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-06-18 02:48:15 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-06-18 02:48:14 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-06-18 02:48:14 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-06-18 02:48:14 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-06-18 02:48:14 471552 ----a-w- c:\windows\system32\secproc.dll
2010-06-18 02:01:58 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-06-18 02:01:35 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-06-18 02:00:54 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-06-18 02:00:10 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-06-18 02:00:09 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-06-18 01:57:06 243712 ----a-w- c:\windows\system32\rastls.dll
2010-06-18 01:56:44 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-06-18 01:54:59 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-06-18 01:54:59 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-06-18 01:54:59 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-06-18 01:54:59 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-06-18 01:54:59 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-06-18 01:54:59 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-06-18 01:54:58 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-06-18 01:54:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-06-18 01:54:57 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-06-18 01:54:57 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-06-18 01:54:00 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-06-18 01:53:28 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-06-18 01:53:27 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-06-18 01:53:25 7680 ----a-w- c:\windows\system32\spwmp.dll
2007-08-11 14:07:20 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 21:19:23.71 ===============
Thanks.
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-6-23 21504]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]
RUnknown lac97inf;lac97inf; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355416]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2010-08-30 03:15:34 0 d-----w- c:\program files\Valve
2010-08-26 02:57:17 0 d-----w- c:\users\matt\appdata\roaming\Screaming Bee
2010-08-26 02:56:29 0 d-----w- c:\programdata\Screaming Bee
2010-08-26 02:56:29 0 d-----w- c:\program files\Screaming Bee
2010-08-23 05:16:20 218 ----a-w- c:\users\matt\.recently-used.xbel
2010-08-21 03:31:26 0 d-----w- c:\users\matt\appdata\roaming\Armagetron
2010-08-21 03:31:22 0 d-----w- c:\programdata\Armagetron
2010-08-21 03:31:22 0 d-----w- c:\program files\Armagetron Advanced
2010-08-18 03:48:16 0 d-----w- c:\program files\ASC Games
2010-08-15 10:30:42 1908 ----a-w- c:\windows\diagwrn.xml
2010-08-15 10:30:42 1908 ----a-w- c:\windows\diagerr.xml
2010-08-15 04:38:53 0 d-----w- c:\program files\Lavalys
2010-08-14 12:01:57 52736 ----a-w- c:\windows\ipuninst.exe
2010-08-14 11:58:32 0 d-----w- c:\program files\BlackIsle
2010-08-12 07:47:04 0 d-----w- c:\users\matt\appdata\roaming\uTorrent
2010-08-10 21:33:53 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-10 21:33:52 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-10 21:33:48 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-10 21:33:47 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-10 21:33:46 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-10 21:33:43 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-08 01:12:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 01:12:03 0 d-----w- c:\programdata\Malwarebytes
2010-08-08 01:12:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 01:12:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-07 06:28:34 0 d-----w- c:\program files\VideoLAN
2010-08-07 06:09:29 0 d-----w- C:\Fraps
2010-08-07 05:25:10 26 ----a-w- c:\windows\system32\unregister.bat
2010-08-07 05:25:10 245760 ----a-w- c:\windows\system32\MADFilter.ax
2010-08-07 05:25:10 23 ----a-w- c:\windows\system32\register.bat
2010-08-06 22:28:17 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-08-06 20:17:19 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-08-06 20:17:19 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2010-08-06 20:16:50 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2010-08-06 19:57:18 0 d-----w- c:\windows\system32\xlive
2010-08-04 19:17:17 0 d-----w- c:\program files\common files\PX Storage Engine
2010-08-04 19:12:55 0 d-----w- c:\programdata\DivX
2010-08-04 05:28:04 0 d-----w- c:\program files\Bethesda Softworks
==================== Find3M ====================
2010-08-31 01:16:53 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-08-29 12:47:00 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-29 12:47:00 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-08-29 12:47:00 143360 ----a-w- c:\windows\inf\infstor.dat
2010-08-15 16:59:01 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-07-23 05:31:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-07-23 05:30:44 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-07-23 05:02:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-07-23 04:57:43 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-07-17 12:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 08:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-09 19:04:40 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-06-26 06:05:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-23 07:57:04 174 --sha-w- c:\program files\desktop.ini
2010-06-23 07:37:33 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-06-23 07:37:24 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-06-22 05:57:32 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-21 13:37:03 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-20 10:01:42 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-06-20 06:34:51 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-06-18 17:31:29 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 06:42:10 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-06-18 06:42:10 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-06-18 04:34:46 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-06-18 04:34:45 272896 ----a-w- c:\windows\system32\polstore.dll
2010-06-18 04:25:22 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-06-18 04:25:22 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-06-18 04:25:22 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-06-18 04:25:22 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-06-18 04:25:22 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-06-18 04:25:22 17920 ----a-w- c:\windows\system32\netevent.dll
2010-06-18 04:25:22 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-06-18 04:25:22 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-06-18 04:25:22 10240 ----a-w- c:\windows\system32\finger.exe
2010-06-18 04:20:03 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-06-18 04:20:02 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-06-18 04:20:02 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-06-18 04:20:02 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-06-18 04:20:02 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-06-18 04:20:02 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-06-18 04:19:59 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-06-18 04:18:15 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-06-18 04:17:45 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-06-18 04:17:44 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-06-18 04:15:54 23552 ----a-w- c:\windows\system32\lpk.dll
2010-06-18 04:15:54 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-06-18 04:14:15 72704 ----a-w- c:\windows\system32\secur32.dll
2010-06-18 04:14:15 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-18 04:14:15 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-06-18 04:14:14 9728 ----a-w- c:\windows\system32\lsass.exe
2010-06-18 04:14:14 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-06-18 04:10:47 98816 ----a-w- c:\windows\system32\mfps.dll
2010-06-18 04:10:47 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-06-18 04:10:47 2868224 ----a-w- c:\windows\system32\mf.dll
2010-06-18 04:10:46 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-06-18 04:10:46 2048 ----a-w- c:\windows\system32\mferror.dll
2010-06-18 03:58:50 71680 ----a-w- c:\windows\system32\atl.dll
2010-06-18 03:49:38 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-06-18 03:48:02 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-06-18 03:48:02 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-06-18 03:48:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-06-18 03:29:55 623616 ----a-w- c:\windows\system32\localspl.dll
2010-06-18 03:11:56 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-06-18 03:05:42 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-06-18 02:55:14 37888 ----a-w- c:\windows\system32\printcom.dll
2010-06-18 02:51:10 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-06-18 02:49:46 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-06-18 02:48:15 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-06-18 02:48:15 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-06-18 02:48:15 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-06-18 02:48:15 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-06-18 02:48:15 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-06-18 02:48:14 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-06-18 02:48:14 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-06-18 02:48:14 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-06-18 02:48:14 471552 ----a-w- c:\windows\system32\secproc.dll
2010-06-18 02:01:58 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-06-18 02:01:35 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-06-18 02:00:54 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-06-18 02:00:10 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-06-18 02:00:09 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-06-18 01:57:06 243712 ----a-w- c:\windows\system32\rastls.dll
2010-06-18 01:56:44 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-06-18 01:54:59 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-06-18 01:54:59 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-06-18 01:54:59 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-06-18 01:54:59 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-06-18 01:54:59 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-06-18 01:54:59 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-06-18 01:54:58 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-06-18 01:54:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-06-18 01:54:57 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-06-18 01:54:57 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-06-18 01:54:00 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-06-18 01:53:28 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-06-18 01:53:27 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-06-18 01:53:25 7680 ----a-w- c:\windows\system32\spwmp.dll
2007-08-11 14:07:20 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 21:19:23.71 ===============
Thanks.