Unwanted music and advertisements playing on laptop



bwaise
2010-10-17, 08:03
Hello there,

I have for the last few weeks had advertisements and music play on my computer randomly. The material is audio and plays without warning when I am using either Firefox or IE.
My laptop is running Windows XP SP3 and has Symantec AntiVirus ver. 10.1.4.400.
I have also tried Spybot, Malwarebytes, SUPERAntiSpyware, MS Windows Malicious Software Removal Tool, Norton Malware Removal Tool and none have been able to remove or stop the audio playing.
Can you please help?

DDS.TXT


DDS (Ver_10-10-10.03) - NTFSx86
Run by fred.sadiiki at 13:38:50.68 on Sun 17/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3582.1425 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe 4
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
svchost.exe 4
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Softrock\Autosync\Autosync.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DWRCS.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Softrock\Autosync\AutosyncController.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Mindjet\MindManager\MMReminderService.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\VULCAN~1\bin\exe\VWorkbench.exe
C:\PROGRA~1\VULCAN~1\bin\exe\envis_gui.exe
C:\PROGRA~1\VULCAN~1\bin\exe\authcache.exe
C:\PROGRA~1\VULCAN~1\bin\exe\authcache.exe
C:\PROGRA~1\VULCAN~1\bin\exe\authcache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\fred.sadiiki\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://rtio.riotinto.org
uDefault_Page_URL = hxxp://rtio.riotinto.org
mDefault_Page_URL = hxxp://rtio.riotinto.org
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: CmjBrowserHelperObject Object: {07a11d74-9d25-4fea-a833-8b0d76a5577a} - c:\program files\mindjet\mindmanager\Mm7InternetExplorer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [BGInfo] "c:\program files\sysinternals\bginfo\bginfo.exe" /ic:\data\sysinternals\rtwa.bgi /timer:0
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [COMMUNICATOR] "c:\program files\microsoft office communicator\Communicator.exe" /silentRetrials /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] C:\SUPERAntiSpyware.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [TaskExecute] "c:\program files\rio tinto\task executer\ExecuteWithDelay.vbs"
mRun: [PIinductionTraining] "\\corp.riotinto.org\netlogon\AU\IT Induction\InductionTraining.vbs"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [Screen Saver] "c:\program files\rio tinto\screen saver\ScreenSaver.vbs"
mRun: [Obligations Updater] "c:\program files\rio tinto\obligations updater\ObligationsUpdate.vbs"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Create_ISScript10.50_HKCU_Keys] c:\program files\installshield\isscript\10.50\HKCU_Keys.vbe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [lphcv6dj0ev2e] c:\windows\system32\lphcv6dj0ev2e.exe
mRun: [LogitechCommunicationsManager] "[#Communications_Helper.exe.22336CAD_2A70_41B5_B405_8C437783C62B]"
mRun: [UpdateDiscoverIni.exe] c:\program files\mapinfo\professional\discover\UpdateDiscoverIni.exe
mRun: [PackageRepair] "c:\windows\system32\wscript.exe" /nologo "c:\program files\rio tinto\package repair\PackageRepair.vbs"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
mRun: [MMReminderService] c:\program files\mindjet\mindmanager\MMReminderService.exe
mRun: [pdfSaver3]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [pdfSaver3] "c:\program files\mindjet\mindmanager\pdf-xchange\pdfsaver\pdfSaver3.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\fred~1.sad\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\fred~1.sad\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\checkm~1.lnk - c:\windows\installer\{93ba33fb-7dc1-413e-bce7-b884879ea19e}\IconB5501E45.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\checkr~1.lnk - c:\windows\installer\{8ff1cf19-8bcf-4424-8b73-7d77721c7dda}\IconTmpl.709A3834_52C3_49D1_9CDD_5640BAC4DA17.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 8\SnagIt32.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-system: HideLogonScripts = 0 (0x0)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - {07A11D74-9D25-4fea-A833-8B0D76A5577A} - c:\program files\mindjet\mindmanager\Mm7InternetExplorer.dll
Trusted Zone: 0.0.0.0
Trusted Zone: argylediamonds.com.au\www
Trusted Zone: bolero.net\es
Trusted Zone: boleroserve.net\boleroconnect
Trusted Zone: boleroserve.net\boleroconnect.test
Trusted Zone: boleroserve.net\cert-management
Trusted Zone: boleroserve.net\cert-management.test
Trusted Zone: kbr.com\au-documents
Trusted Zone: kbr.com\au-remote
Trusted Zone: msgfocus.com\*.riotinto
Trusted Zone: msgfocus.com\riotinto
Trusted Zone: online
Trusted Zone: procuri.com
Trusted Zone: riotinto.com
Trusted Zone: riotinto.org
Trusted Zone: riotinto.org\*.gsc
Trusted Zone: riotinto.org\hi
Trusted Zone: riotinto.org\sbsyaap01.corp
Trusted Zone: rtpportal.net
Trusted Zone: rtpportal.net\www
Trusted Zone: sbsyaap01
Trusted Zone: taleo.net
Trusted Zone: taleo.net\riotinto
Trusted Zone: riotinto.com\eroom
Trusted Zone: riotinto.org
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0a454840-7232-11d5-b63d-00c04faedb18}
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: !SASWinLogon - C:\SASWINLO.DLL
Notify: MarconiEvtRpt - c:\program files\marconi\lgnevnt\LgnEvnt.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - C:\SASSEH.DLL
mASetup: {03522506-11CE-42CF-86A1-1BE43F443E9A} 21/12/2007 8:36:57 - "c:\program files\enterprise vault\evclient\VaultFix.vbs"
mASetup: {25E022FB-9D6B-4B07-83F1-8D590A13556F} - "c:\program files\eroom\RemSC.exe"
mASetup: {364EC092-93CF-4DDC-9D7A-7278452028E0} - msiexec /fup {364EC092-93CF-4DDC-9D7A-7278452028E0} /qn
mASetup: {60BF256E-1A16-41EF-9FAD-E96570C357C1} - "c:\documents and settings\seavus\SeavusActiveSetUp.vbs"
mASetup: {62B74257-2E1B-48FB-843C-0FBA43FE1327} - msiexec /fu {62B74257-2E1B-48FB-843C-0FBA43FE1327} /qn
mASetup: {9BFCB02F-139C-4DC8-8B8D-7394ADEFC017} - msiexec /fup {9BFCB02F-139C-4DC8-8B8D-7394ADEFC017} /qn
mASetup: {B425CCBF-4129-44F7-BC53-BDB99644C239} - msiexec /fu {BE1AF71C-3EEB-413D-8B21-D7E3F30CFEC1} /qn
mASetup: {B98CDA49-37DB-4F0B-93A0-9B7C7FF6A032} - msiexec /fu {B98CDA49-37DB-4F0B-93A0-9B7C7FF6A032} /qn
mASetup: {BE1AF71C-3EEB-413D-8B21-D7E3F30CFEC1} - c:\program files\acquire\acQuireSync.vbe
mASetup: {C63E7C60-25EB-11D3-8EDA-00A0C911E8E5} - c:\program files\microsoft office\office11\addins\RemoveHKCUOutbakReg.vbs
mASetup: {CD95F661-A5C4-44F5-A6AA-ECDD91C240B5} 27/05/2008 10:02:40 - cscript "c:\program files\winzip\EditRegistry.vbe"
mASetup: {DA0BF7AB-88EB-4675-8FA1-531EAD938821} - msiexec /fu {DA0BF7AB-88EB-4675-8FA1-531EAD938821} /qn
mASetup: {DC4D2E87-7E9D-4CBD-A0E7-62CEECAAB291} - c:\program files\sap\frontend\sapgui\SNC_LIBHKCUUpdate.EXE
mASetup: MAPINFO-XCOPY - c:\documents and settings\all users\application data\mapinfo\mapinfo\pi\CopyFiles.vbe
mASetup: MAPINFO - msiexec /fup {6653F8EB-AE75-45F0-9DC1-456A3C745F57} /qn
mASetup: Remove acQuire Run key 18/04/2008 - c:\program files\acquire\acQuireSync_Silent.vbe
mASetup: Remove acQuire Run key 25/06/2008 - c:\program files\acquire\acQuireSync_Silent.vbe
mASetup: Remove acQuire Run key 3/05/2008 - c:\program files\acquire\acQuireSync_Silent.vbe
mASetup: RemoveDiscover - c:\documents and settings\all users\rio tinto\scripts\Delete_HKCU_Keys.vbe
uASetup: {F32E269F-3FDE-46D2-949D-2F86600DB992} - msiexec /fup {F32E269F-3FDE-46D2-949D-2F86600DB992} /qn

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fred~1.sad\applic~1\mozilla\firefox\profiles\mlkqdmwz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.vidohe.com/sites.php
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;C:\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;C:\SASKUTIL.SYS [2010-5-11 67656]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 Autosync;Softrock Autosync;c:\softrock\autosync\Autosync.exe [2009-12-23 28672]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-3-24 202400]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 Controller;Softrock Controller;c:\softrock\autosync\AutosyncController.exe [2009-12-23 28672]
R2 DWRCS;DameWare Mini Remote Control;c:\windows\system32\dwrcs.exe -service --> c:\windows\system32\DWRCS.exe -service [?]
R2 FAD;FAD;c:\program files\broadcom\bacs\FADXP32.sys [2007-1-14 16352]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101016.003\naveng.sys [2010-10-17 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101016.003\navex15.sys [2010-10-17 1371184]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-1-28 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-1-28 14336]
S3 RTBalloon;RTBalloon;c:\program files\rio tinto\balloon\Rio Tinto Balloon.exe [2010-8-19 21504]
S3 SWNC8U52;Sierra Wireless MUX NDIS Driver (UMTS52);c:\windows\system32\drivers\swnc8u52.sys [2007-9-21 164480]
S3 SWUMX52;Sierra Wireless USB MUX Driver (UMTS52);c:\windows\system32\drivers\swumx52.sys [2007-9-21 140672]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-11-27 14336]

=============== Created Last 30 ================

2010-10-17 05:38:49 98816 ----a-w- c:\temp\2b99.tmp\SED.DAT
2010-10-17 05:38:49 518144 ----a-w- c:\temp\2b99.tmp\SWREG.DAT
2010-10-17 05:38:49 256512 ----a-w- c:\temp\2b99.tmp\PEV.DAT
2010-10-17 02:40:45 164864 ----a-w- c:\temp\GLB1A2B.EXE
2010-10-16 13:16:37 355056 ----a-w- c:\temp\SSUPDATE.EXE
2010-10-16 11:45:24 -------- d-----w- c:\docume~1\fred~1.sad\applic~1\SUPERAntiSpyware.com
2010-10-16 11:45:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-16 11:45:09 -------- d-----w- C:\Language
2010-10-16 11:45:08 -------- d-----w- C:\Plugins
2010-10-16 10:55:18 -------- d-----w- c:\docume~1\fred~1.sad\applic~1\Malwarebytes
2010-10-16 10:54:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-16 10:54:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-16 10:54:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-16 10:54:17 -------- d-----w- C:\Malwarebytes' Anti-Malware
2010-10-13 14:24:05 -------- d-----w- C:\tmp
2010-10-13 14:12:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-13 14:10:00 -------- d-----w- c:\docume~1\fred~1.sad\locals~1\applic~1\Sunbelt Software
2010-10-13 13:54:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-10-13 13:54:38 -------- d-----w- c:\docume~1\fred~1.sad\locals~1\applic~1\NPE
2010-10-13 13:29:59 97280 ----a-w- c:\temp\mia10f5.tmp\data\microsoft visual c++ runtime 9.0 (includes atl and mfc) service pack 1\mfilebagide.dll\mFileBagEXE.dll
2010-10-13 11:56:13 -------- d-----w- c:\program files\Nymgo4.0
2010-10-13 11:54:44 -------- d-----w- c:\documents and settings\fred.sadiiki\Nymgo4.0
2010-10-13 11:53:31 -------- d-----w- C:\Nymgo4.0
2010-10-13 04:13:16 -------- d-----w- c:\windows\ms
2010-09-29 14:46:18 -------- d-----w- c:\docume~1\fred~1.sad\locals~1\applic~1\Mindjet
2010-09-29 01:21:58 -------- d-----w- c:\program files\Enterprise Vault
2010-09-28 14:04:57 2424560 ----a-w- C:\SUPERAntiSpyware.exe
2010-09-28 05:27:05 -------- d-----w- c:\program files\Blast Management International
2010-09-24 14:07:12 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2010-09-24 14:07:12 406016 -c----w- c:\windows\system32\dllcache\usp10.dll
2010-09-24 14:07:12 293376 -c----w- c:\windows\system32\dllcache\winsrv.dll
2010-09-20 22:02:41 -------- d-----w- c:\program files\MGS
2010-09-20 22:02:31 -------- d-----w- c:\program files\MPQ
2010-09-19 12:29:41 3750400 ----a-w- c:\windows\system32\hasplms.exe
2010-09-19 12:29:41 3750400 ----a-w- c:\windows\system32\aksllmtp.exe
2010-09-19 12:29:40 356864 ----a-w- c:\windows\system32\drivers\aksfridge.sys
2010-09-19 12:29:39 588800 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-09-19 12:27:55 9216 ----a-w- c:\windows\system32\akshsp51.dll
2010-09-19 12:27:55 46336 ----a-w- c:\windows\system32\drivers\akshhl.sys
2010-09-19 12:27:55 39936 ----a-w- c:\windows\system32\aksusb3.dll
2010-09-19 12:27:55 36864 ----a-w- c:\windows\system32\akshhl28.dll
2010-09-19 12:27:55 238208 ----a-w- c:\windows\system32\drivers\akshasp.sys
2010-09-17 13:16:09 -------- d-----w- c:\docume~1\fred~1.sad\applic~1\NVIDIA

==================== Find3M ====================

2010-09-16 05:43:50 73 ----a-w- c:\windows\system32\ssprs.dll
2010-09-16 05:43:50 205 ----a-w- c:\windows\system32\lsprst7.dll
2010-09-13 19:04:24 300544 ----a-w- C:\RUNSAS.EXE
2010-09-10 11:37:27 1409 ----a-w- c:\windows\QTFont.for
2010-08-23 07:13:48 29929472 ----a-w- C:\BLASTPlanSetup.msi
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2006-12-29 05:15:42 3100672 -c--a-w- c:\program files\common files\sapxlhelper.dll
2006-12-29 05:15:40 626688 -c--a-w- c:\program files\common files\sapconsaccess.dll
2006-12-29 05:15:40 40960 -c--a-w- c:\program files\common files\DigitalSignature.ocx
2006-12-29 05:15:40 192512 -c--a-w- c:\program files\common files\sapconsr3.dll

============= FINISH: 13:40:26.09 ===============

shelf life
2010-10-21, 00:00
hi bwaise,

Looks like a workplace computer, is that the case? You should inform whoever is responsible for the machines.

bwaise
2010-10-27, 13:01
Thanks for the reply, but the reason I am here is because the unwanted malware does not work when I am at work, hence the IT person is not inclined to help. The issue arises when I connect the computer back in my hotel room or any other network with probably a less robust firewall. That said, can you at least give me some idea on what I need to do to get rid of this annoying malware; honestly I can't use VoIP.

Cheers

shelf life
2010-10-27, 23:14
To help show all files, do this:

On the desktop double-click My Computer; at the top click on Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click Apply to All Folders, Apply, then OK.

Navigate to the system32 directory and see if you can locate this file:

c:\windows\system32\lphcv6dj0ev2e.exe

If you find it you can upload it to my channel, at the site browse for the file again and click the send file button to upload it.

Channel (http://www.bleepingcomputer.com/submit-malware.php?channel=67)

You can also look for it using msconfig.
Go to Start > Run and type in msconfig. The utility will open. Under the Startup tab look on the left hand side and see if you see lphcv6dj0ev2e.exe listed. If so, uncheck the box, click Apply and Close, and restart at the prompt.
You may not see it listed, and this is only a temporary solution which may or may not prevent the .exe from running at startup.
Since it's a workplace machine msconfig may also be disabled and you won't be able to open it up.
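As an added example (not part of shelf life's post or of DDS), the same check the Folder Options / msconfig walk-through does by hand, done read-only from PowerShell: enumerate the Run/RunOnce entries that DDS reports as uRun/mRun/dRun, pull the executable path out of each command line, and report whether that file exists, carries the hidden attribute and has a valid Authenticode signature. It assumes PowerShell 2.0 or later is installed on the XP machine; it changes nothing.

```powershell
# Added example (not from the thread): read-only check of the Run/RunOnce autorun
# entries that DDS lists as uRun/mRun/dRun, reporting what each one points to.
# Assumes PowerShell 2.0 or later is installed (an optional add-on on Windows XP).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a Run value, e.g.
#   "c:\program files\x\y.exe" /flag       ->  c:\program files\x\y.exe
#   c:\windows\system32\lphcv6dj0ev2e.exe  ->  unchanged
#   stsystra.exe                           ->  resolved through the search path
function Get-AutorunTarget([string]$command) {
    $cmd = $command.Trim()
    if ($cmd -eq '') { return $null }                 # empty value, e.g. [pdfSaver3] above
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -lt 1) { return $null }              # unterminated quote: nothing to check
        $path = $cmd.Substring(1, $end - 1)
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Split-Path $path -IsAbsolute)) {
        $hit = Get-Command $path -ErrorAction SilentlyContinue
        if ($hit) { $path = $hit.Definition }         # resolved full path (PS 2.0 property)
    }
    return $path
}

# Heuristic only: an unsigned executable sitting directly in the system directory
# (as lphcv6dj0ev2e.exe does in the DDS log above) deserves a closer look.
$sys32Pattern = '^' + [regex]::Escape([Environment]::SystemDirectory) + '\\[^\\]+$'

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    if ($values -eq $null) { continue }
    foreach ($v in $values.PSObject.Properties) {
        # Skip the provider bookkeeping properties Get-ItemProperty adds
        if ($v.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        $target = Get-AutorunTarget ([string]$v.Value)
        $exists = ($target -ne $null) -and (Test-Path -LiteralPath $target)
        $hidden = $false; $signed = 'n/a'
        if ($exists) {
            # -Force is required, otherwise hidden/system files are not returned
            $attr   = (Get-Item -LiteralPath $target -Force).Attributes
            $hidden = ([int]($attr -band [IO.FileAttributes]::Hidden)) -ne 0
            $signed = (Get-AuthenticodeSignature -FilePath $target).Status
        }
        New-Object PSObject -Property @{
            Key     = ($key -split ':')[0] + ' ' + (Split-Path $key -Leaf)
            Name    = $v.Name
            Target  = $target
            Exists  = $exists
            Hidden  = $hidden
            Signed  = $signed
            Suspect = $exists -and ($target -match $sys32Pattern) -and ($signed -ne 'Valid')
        }
    }
}

$report | Sort-Object Suspect -Descending |
    Format-Table Suspect, Key, Name, Exists, Hidden, Signed, Target -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and protected files are readable; the Suspect column is a prompt for inspection, not a verdict.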

bwaise
2010-10-29, 11:00
I appreciate all your help. I followed through with either option and found the file via the "msconfig" process, but couldn't see it in the folder after several restarts.
So given this was a virus (or so I was made to believe by some information off Google), I used regedit to find the file and made a backup of the file registry and deleted the file. Restarted the computer and for now I am yet to go back home to find out whether this worked or not. I will let you know by tomorrow.
Once again thanks for your help.

Peace