Win32.TDSS.rtk

Bluesbeat · Jun 23, 2009

Spybot found a couple of files in my Windows|system32 folder that identified as Win32.TDSS.rtk
I have already run comboFix (before I realized I should have waited)
Is there anything in my HJT log below that I should fix? I currently have windows update turned off.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:37 PM, on 23/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\D-Link\AirPlus XtremeG DWL-G122\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG DWL-G122] C:\Program Files\D-Link\AirPlus XtremeG DWL-G122\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1226360786977
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sa.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = sa.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = sa.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sa.bigpond.net.au
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7402 bytes

ken545 · Jun 24, 2009

Hello Bluesbeat

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Your log looks fine but there could be more we cant see. Keep in mind that all infections and all systems are different, Combofix is not to be taken lightly, what if fixes on one system it could damage another, if you run it on your own, this forum, myself and sUbs will not be responsible for any damage you may cause.

C:\ComboFix.txt <-- go here and post the log please

Bluesbeat · Jun 25, 2009

Not sure if you wanted the log I did two days ago or the one I've just done, so I'll post both.
----------
ComboFix 09-06-22.04 - User 23/06/2009 13:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.236 [GMT 9.5:30]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1229272821-1202660629-1060284298-500
c:\recycler\S-1-5-21-1229272821-1202660629-1060284298-500\desktop.ini
c:\recycler\S-1-5-21-1229272821-1202660629-1060284298-500\INFO2

.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.

2009-06-22 23:44 . 2009-06-22 23:44 -------- d-----w- c:\windows\LastGood
2009-06-22 23:39 . 2009-06-22 23:39 -------- d-----w- c:\program files\Common Files\PCSuite
2009-06-22 23:37 . 2008-08-26 00:56 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-06-22 23:37 . 2009-06-22 23:37 -------- d-----w- c:\program files\PC Connectivity Solution
2009-06-22 23:36 . 2009-02-08 23:07 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-06-22 23:36 . 2009-02-08 23:07 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-06-22 23:36 . 2009-02-08 23:07 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-06-22 23:36 . 2009-02-08 23:07 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-06-22 23:36 . 2009-02-08 23:07 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-06-22 23:36 . 2009-02-08 23:02 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-06-22 23:35 . 2009-06-22 23:33 33775224 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Nokia_PC_Suite_7_1_30_8_eng.exe
2009-06-22 23:35 . 2009-06-22 23:35 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\pcswpcsi.exe
2009-06-22 23:35 . 2009-06-22 23:35 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstCCD.exe
2009-06-22 23:35 . 2009-06-22 23:35 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-06-22 23:35 . 2009-06-22 23:35 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCS.exe
2009-06-20 07:24 . 2009-06-17 00:14 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-17 00:14 . 2009-06-11 00:23 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-17 00:14 . 2009-06-11 00:23 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-17 00:14 . 2009-06-11 00:23 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-15 01:31 . 2009-06-15 01:31 -------- d-----w- c:\program files\SIW
2009-06-14 23:32 . 2009-06-14 23:32 -------- d-----w- c:\program files\Winamp
2009-06-14 11:58 . 2009-06-14 11:58 -------- d-----w- c:\documents and settings\User\Application Data\COWON
2009-06-14 11:52 . 2009-06-14 11:52 -------- d-----w- c:\program files\Common Files\COWON
2009-06-14 11:52 . 2009-06-14 11:52 -------- d-----w- c:\program files\JetAudio
2009-06-11 00:22 . 2009-06-11 00:22 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-10 00:28 . 2009-06-10 00:28 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 02:48 . 2009-03-11 06:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 02:38 . 2009-04-22 03:29 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-23 01:10 . 2007-10-07 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-22 23:50 . 2007-10-07 01:15 -------- d-----w- c:\documents and settings\User\Application Data\MailWasherPro
2009-06-22 23:45 . 2009-06-22 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-06-22 23:45 . 2009-06-22 23:45 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-06-22 23:44 . 2008-02-10 08:26 -------- d-----w- c:\documents and settings\User\Application Data\Nokia
2009-06-22 23:38 . 2008-08-22 00:29 -------- d-----w- c:\program files\Common Files\Nokia
2009-06-22 23:37 . 2008-02-10 08:26 -------- d-----w- c:\program files\DIFX
2009-06-22 23:36 . 2008-02-10 08:25 -------- d-----w- c:\program files\Nokia
2009-06-22 23:35 . 2008-02-10 08:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-06-17 01:57 . 2009-03-11 06:17 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 01:57 . 2009-03-11 06:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 00:14 . 2009-01-12 07:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-14 11:52 . 2003-05-21 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-11 00:23 . 2009-01-12 07:19 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-10 00:30 . 2007-10-07 03:15 -------- d-----w- c:\program files\Java
2009-05-21 02:03 . 2009-02-09 23:03 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-15 13:15 . 2009-05-15 13:15 -------- d-----w- c:\program files\ANI
2009-05-15 13:14 . 2009-05-15 13:14 -------- d-----w- c:\program files\D-Link
2009-05-15 13:11 . 2009-05-15 13:11 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield
2009-05-15 12:54 . 2009-05-15 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-05-12 23:34 . 2009-05-12 23:34 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-12 23:34 . 2009-05-12 23:34 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-05-12 23:34 . 2009-05-12 23:34 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-05-12 23:33 . 2009-05-12 23:34 34396584 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-05-11 03:17 . 2009-05-11 03:17 1302600 ----a-w- c:\windows\system32\WUDFUpdate_01007.dll
2009-04-27 00:16 . 2009-01-12 07:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-04-27 00:16 . 2009-01-12 07:19 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-04-27 00:15 . 2009-01-12 07:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-26 05:14 . 2009-04-26 05:14 -------- d-----w- c:\program files\CCleaner
2009-04-26 04:34 . 2009-04-26 04:34 -------- d-----w- c:\documents and settings\User\Application Data\TrojanHunter
2009-04-02 23:37 . 2009-04-02 23:37 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

------- Sigcheck -------

[7] 2004-08-03 15:26 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-13 20:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-13 20:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[7] 2008-04-13 20:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe

[7] 2004-08-03 15:26 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2008-04-13 20:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-13 20:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[7] 2004-08-03 15:26 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2008-04-13 20:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-13 20:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[7] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
[7] 2004-08-03 15:26 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2008-04-13 20:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\$NtUninstallKB956390$\wininet.dll
[7] 2008-04-13 20:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\system32\wininet.dll
[7] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\system32\dllcache\wininet.dll

[7] 2004-08-03 13:44 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 15:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-04-13 15:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\system32\drivers\tcpip.sys

[7] 2004-08-03 15:26 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-13 20:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-13 20:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[7] 2004-08-03 13:44 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 15:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 15:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[7] 2004-08-03 13:30 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-13 14:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 14:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[7] 2008-08-14 05:09 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2004-08-03 13:29 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2008-04-13 14:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 14:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2008-08-14 05:41 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2004-08-03 13:50 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2008-04-13 15:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 15:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\system32\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2008-04-13 20:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[7] 2004-08-03 15:26 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-13 20:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2004-08-03 15:26 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-13 20:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[7] 2008-04-13 20:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\system32\services.exe

[7] 2004-08-03 15:26 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-13 20:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-13 20:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[7] 2004-08-03 15:26 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-13 20:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-13 20:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[7] 2004-08-03 15:26 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-13 20:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-13 20:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[7] 2004-08-03 15:26 111104 4126D27CECE4471E00E425411F7306B5 c:\windows\$NtServicePackUninstall$\wuauclt.exe
[7] 2008-04-13 20:12 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2007-07-30 08:49 53080 F3E9065EB617A7E3A832A7976BFA021B c:\windows\system32\wuauclt.exe
[7] 2007-07-30 08:49 53080 F3E9065EB617A7E3A832A7976BFA021B c:\windows\system32\dllcache\wuauclt.exe

[7] 2004-08-03 15:26 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-13 20:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-13 20:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[7] 2004-08-03 15:26 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-13 20:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-13 20:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[7] 2004-08-03 15:26 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2008-04-13 20:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2008-04-13 20:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\kernel32.dll

[7] 2004-08-03 15:26 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-13 20:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-13 20:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[7] 2004-08-03 15:26 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-13 20:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-13 20:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[7] 2004-08-03 15:26 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-13 20:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-13 20:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

[7] 2004-08-03 15:26 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2008-04-13 20:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2008-04-13 20:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\appmgmts.dll

[7] 2004-08-03 13:28 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-13 14:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-13 14:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-06 114688]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 40960]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2005-04-12 368726]
"D-Link AirPlus XtremeG DWL-G122"="c:\program files\D-Link\AirPlus XtremeG DWL-G122\AirGCFG.exe" [2008-12-18 1556480]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-03 73728]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-5-22 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-27 00:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
2005-04-12 15:02 233558 ----a-w- c:\windows\system32\PRISMGNA.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedTouch 121g Wireless USB Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpeedTouch 121g Wireless USB Monitor.lnk
backup=c:\windows\pss\SpeedTouch 121g Wireless USB Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [12/01/2009 4:49 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/01/2009 4:49 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/01/2009 4:49 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/01/2009 4:48 PM 298776]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [13/04/2005 12:30 AM 61526]
S3 BT4501G;SpeedTouch 121g Wireless USB Adapter Driver;c:\windows\system32\drivers\BT4501G.sys [21/03/2009 12:06 PM 357568]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.SYS [24/11/2007 10:46 AM 17149]
S3 NETGEAR NETGEAR MA101 USB Adapter(A);NETGEAR NETGEAR MA101 USB Adapter(A) Service for NETGEAR MA101 USB Adapter;c:\windows\system32\DRIVERS\ma1012ka.sys --> c:\windows\system32\DRIVERS\ma1012ka.sys [?]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SERVICELAYER
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 04:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-23 13:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\PRISMGNA.DLL
.
Completion time: 2009-06-23 13:09
ComboFix-quarantined-files.txt 2009-06-23 03:39

Pre-Run: 66,062,737,408 bytes free
Post-Run: 66,165,772,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

268

Bluesbeat · Jun 25, 2009

today's
------------------
ComboFix 09-06-23.01 - User 25/06/2009 9:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.166 [GMT 9.5:30]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 04:25 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-06-23 04:25 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-06-23 04:25 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-06-23 04:25 . 2009-02-06 10:39 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-06-23 04:24 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-06-23 04:24 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-23 04:24 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-23 04:24 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-23 04:24 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-06-23 04:24 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-06-23 04:23 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-23 04:19 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-06-23 04:18 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-23 04:18 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-23 03:59 . 2009-06-23 03:59 -------- d-----w- c:\program files\Trend Micro
2009-06-23 03:38 . 2009-06-23 03:38 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-22 23:39 . 2009-06-22 23:39 -------- d-----w- c:\program files\Common Files\PCSuite
2009-06-22 23:37 . 2008-08-26 00:56 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-06-22 23:37 . 2009-06-22 23:37 -------- d-----w- c:\program files\PC Connectivity Solution
2009-06-22 23:36 . 2009-02-08 23:07 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-06-22 23:36 . 2009-02-08 23:07 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-06-22 23:36 . 2009-02-08 23:07 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-06-22 23:36 . 2009-02-08 23:07 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-06-22 23:36 . 2009-02-08 23:07 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-06-22 23:36 . 2009-02-08 23:02 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-06-22 23:35 . 2009-06-22 23:33 33775224 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Nokia_PC_Suite_7_1_30_8_eng.exe
2009-06-22 23:35 . 2009-06-22 23:35 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\pcswpcsi.exe
2009-06-22 23:35 . 2009-06-22 23:35 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstCCD.exe
2009-06-22 23:35 . 2009-06-22 23:35 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-06-22 23:35 . 2009-06-22 23:35 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCS.exe
2009-06-20 07:24 . 2009-06-17 00:14 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-17 00:14 . 2009-06-11 00:23 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-17 00:14 . 2009-06-11 00:23 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-17 00:14 . 2009-06-11 00:23 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-15 01:31 . 2009-06-15 01:31 -------- d-----w- c:\program files\SIW
2009-06-14 23:32 . 2009-06-14 23:32 -------- d-----w- c:\program files\Winamp
2009-06-14 11:58 . 2009-06-14 11:58 -------- d-----w- c:\documents and settings\User\Application Data\COWON
2009-06-14 11:52 . 2009-06-14 11:52 -------- d-----w- c:\program files\Common Files\COWON
2009-06-14 11:52 . 2009-06-14 11:52 -------- d-----w- c:\program files\JetAudio
2009-06-11 00:22 . 2009-06-11 00:22 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-10 00:28 . 2009-06-10 00:28 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 23:19 . 2007-10-07 01:15 -------- d-----w- c:\documents and settings\User\Application Data\MailWasherPro
2009-06-23 02:48 . 2009-03-11 06:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 02:38 . 2009-04-22 03:29 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-23 01:10 . 2007-10-07 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-22 23:45 . 2009-06-22 23:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-06-22 23:45 . 2009-06-22 23:45 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-06-22 23:44 . 2008-02-10 08:26 -------- d-----w- c:\documents and settings\User\Application Data\Nokia
2009-06-22 23:38 . 2008-08-22 00:29 -------- d-----w- c:\program files\Common Files\Nokia
2009-06-22 23:37 . 2008-02-10 08:26 -------- d-----w- c:\program files\DIFX
2009-06-22 23:36 . 2008-02-10 08:25 -------- d-----w- c:\program files\Nokia
2009-06-22 23:35 . 2008-02-10 08:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-06-17 01:57 . 2009-03-11 06:17 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 01:57 . 2009-03-11 06:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 00:14 . 2009-01-12 07:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-14 11:52 . 2003-05-21 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-11 00:23 . 2009-01-12 07:19 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-10 00:30 . 2007-10-07 03:15 -------- d-----w- c:\program files\Java
2009-05-21 02:03 . 2009-02-09 23:03 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-15 13:15 . 2009-05-15 13:15 -------- d-----w- c:\program files\ANI
2009-05-15 13:14 . 2009-05-15 13:14 -------- d-----w- c:\program files\D-Link
2009-05-15 13:11 . 2009-05-15 13:11 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield
2009-05-15 12:54 . 2009-05-15 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-05-12 23:34 . 2009-05-12 23:34 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-12 23:34 . 2009-05-12 23:34 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-05-12 23:34 . 2009-05-12 23:34 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-05-12 23:33 . 2009-05-12 23:34 34396584 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-05-11 03:17 . 2009-05-11 03:17 1302600 ----a-w- c:\windows\system32\WUDFUpdate_01007.dll
2009-05-07 15:32 . 2003-05-21 19:03 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2003-05-21 19:04 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2007-10-07 00:23 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-27 00:16 . 2009-01-12 07:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-04-27 00:16 . 2009-01-12 07:19 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-04-27 00:15 . 2009-01-12 07:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-26 05:14 . 2009-04-26 05:14 -------- d-----w- c:\program files\CCleaner
2009-04-26 04:34 . 2009-04-26 04:34 -------- d-----w- c:\documents and settings\User\Application Data\TrojanHunter
2009-04-17 12:26 . 2003-05-21 19:04 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-05-21 19:04 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-02 23:37 . 2009-04-02 23:37 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-23_03.37.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-30 07:15 . 2008-09-30 07:15 91656 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2009-06-24 23:09 . 2009-06-24 23:09 16384 c:\windows\Temp\Perflib_Perfdata_e0.dat
+ 2008-11-10 23:47 . 2008-10-16 04:39 43544 c:\windows\system32\wups2.dll
+ 2007-10-07 00:23 . 2008-10-16 04:38 34328 c:\windows\system32\wups.dll
+ 2003-05-21 19:16 . 2008-10-16 04:39 51224 c:\windows\system32\wuauclt.exe
+ 2008-04-24 01:28 . 2008-10-23 10:06 62976 c:\windows\system32\tzchange.exe
- 2008-04-24 01:28 . 2008-07-11 12:42 62976 c:\windows\system32\tzchange.exe
+ 2007-10-07 00:17 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2007-10-07 00:17 . 2007-08-10 11:16 26488 c:\windows\system32\spupdsvc.exe
+ 2009-04-08 02:19 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2009-06-23 04:16 . 2008-10-16 04:39 43544 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
+ 2009-06-23 04:16 . 2008-10-16 04:38 34328 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2003-05-21 19:04 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2003-05-21 19:04 . 2009-02-06 10:39 35328 c:\windows\system32\sc.exe
+ 2003-05-21 19:04 . 2009-06-24 00:20 59900 c:\windows\system32\perfc009.dat
- 2003-05-21 19:04 . 2009-05-21 11:51 59900 c:\windows\system32\perfc009.dat
- 2003-05-21 19:16 . 2008-04-13 20:12 91648 c:\windows\system32\mtxoci.dll
+ 2003-05-21 19:16 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
+ 2003-05-21 19:03 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
- 2003-05-21 19:03 . 2008-04-13 20:12 66560 c:\windows\system32\mtxclu.dll
+ 2003-05-21 19:16 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
- 2003-05-21 19:16 . 2008-04-13 20:12 58880 c:\windows\system32\msdtclog.dll
+ 2007-10-07 00:23 . 2008-10-16 04:38 34328 c:\windows\system32\dllcache\wups.dll
+ 2003-05-21 19:16 . 2008-10-16 04:39 51224 c:\windows\system32\dllcache\wuauclt.exe
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
+ 2009-04-29 04:46 . 2009-04-29 04:46 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2003-05-21 19:03 . 2008-10-16 04:39 92696 c:\windows\system32\dllcache\cdm.dll
+ 2003-05-21 19:03 . 2008-10-16 04:39 92696 c:\windows\system32\cdm.dll
+ 2004-07-14 13:03 . 2004-07-14 13:03 20480 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_PerfCounter.dll
+ 2004-07-14 12:20 . 2004-07-14 12:20 69632 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_mscorsn.dll
+ 2004-07-14 12:20 . 2004-07-14 12:20 69632 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_CORPerfMonExt.dll
+ 2007-01-15 06:41 . 2007-01-15 06:41 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\netfxupdate.exe
- 2004-07-14 12:20 . 2004-07-14 12:20 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
+ 2007-01-02 06:59 . 2007-01-02 06:59 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
+ 2007-01-02 06:59 . 2007-01-02 06:59 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
- 2004-07-14 12:20 . 2004-07-14 12:20 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
+ 2007-01-02 07:04 . 2007-01-02 07:04 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
- 2004-07-14 13:06 . 2004-07-14 13:06 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
+ 2009-06-24 00:02 . 2009-06-24 00:02 32768 c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2009-06-24 00:07 . 2009-06-24 00:07 90112 c:\windows\assembly\NativeImages1_v1.0.3705\System.Drawing.Design\1.0.3300.0__b03f5f7f11d50a3a_49d72b4b\System.Drawing.Design.dll
+ 2009-06-24 00:07 . 2009-06-24 00:07 61440 c:\windows\assembly\NativeImages1_v1.0.3705\CustomMarshalers\1.0.3300.0__b03f5f7f11d50a3a_98587074\CustomMarshalers.dll
+ 2007-01-02 06:59 . 2007-01-02 06:59 8192 c:\windows\Microsoft.NET\Framework\v1.0.3705\IEExec.exe
+ 2007-10-07 00:23 . 2008-10-16 04:43 202776 c:\windows\system32\wuweb.dll
+ 2007-10-07 00:23 . 2008-10-16 04:42 323608 c:\windows\system32\wucltui.dll
+ 2007-10-07 00:23 . 2008-10-16 04:42 561688 c:\windows\system32\wuapi.dll
+ 2006-10-18 12:17 . 2008-06-24 08:42 295936 c:\windows\system32\wmpeffects.dll
- 2006-10-18 12:17 . 2006-10-18 12:17 295936 c:\windows\system32\wmpeffects.dll
+ 2003-05-21 21:27 . 2008-06-17 19:33 938496 c:\windows\system32\WMNetmgr.dll
+ 2003-05-21 21:27 . 2007-10-27 08:10 222720 c:\windows\system32\wmasf.dll
- 2003-05-21 19:04 . 2008-04-13 20:12 354304 c:\windows\system32\winhttp.dll
+ 2003-05-21 19:04 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
+ 2008-09-05 12:59 . 2009-03-10 12:48 934792 c:\windows\system32\WgaTray.exe
+ 2008-09-05 13:00 . 2009-03-10 12:48 239496 c:\windows\system32\WgaLogon.dll
+ 2003-05-21 19:16 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2003-05-21 19:16 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2003-05-21 19:16 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
+ 2003-02-09 00:24 . 2009-04-29 04:46 620032 c:\windows\system32\urlmon.dll
+ 2003-05-21 19:04 . 2008-10-03 10:02 247326 c:\windows\system32\strmdll.dll
+ 2003-05-21 19:04 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2003-05-21 19:04 . 2008-12-05 06:54 144896 c:\windows\system32\schannel.dll
+ 2003-05-21 19:04 . 2009-02-09 12:10 401408 c:\windows\system32\rpcss.dll
+ 2003-05-21 19:04 . 2009-06-24 00:20 396208 c:\windows\system32\perfh009.dat
- 2003-05-21 19:04 . 2009-05-21 11:51 396208 c:\windows\system32\perfh009.dat
+ 2003-05-21 19:04 . 2009-03-06 14:22 284160 c:\windows\system32\pdh.dll
- 2003-05-21 19:04 . 2008-04-13 20:12 284160 c:\windows\system32\pdh.dll
+ 2003-05-21 19:03 . 2009-02-09 12:10 714752 c:\windows\system32\ntdll.dll
+ 2003-05-21 19:03 . 2008-06-20 17:46 245248 c:\windows\system32\mswsock.dll
- 2003-05-21 19:03 . 2008-04-13 20:12 245248 c:\windows\system32\mswsock.dll
+ 2003-05-21 21:22 . 2006-12-04 06:51 414720 c:\windows\system32\msscp.dll
- 2003-05-21 19:16 . 2008-04-13 20:12 161792 c:\windows\system32\msdtcuiu.dll
+ 2003-05-21 19:16 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
- 2003-05-21 19:16 . 2008-04-13 20:12 956928 c:\windows\system32\msdtctm.dll
+ 2003-05-21 19:16 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
+ 2003-05-21 19:16 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
+ 2003-05-21 19:03 . 2009-02-09 12:10 729088 c:\windows\system32\lsasrv.dll
- 2003-05-21 21:27 . 2006-10-18 10:33 100864 c:\windows\system32\logagent.exe
+ 2003-05-21 21:27 . 2008-06-17 15:39 100864 c:\windows\system32\logagent.exe
- 2003-05-21 19:03 . 2008-04-13 20:11 989696 c:\windows\system32\kernel32.dll
+ 2003-05-21 19:03 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
+ 2003-05-21 19:03 . 2008-10-23 12:36 286720 c:\windows\system32\gdi32.dll
- 2003-05-21 12:10 . 2008-11-11 00:12 241536 c:\windows\system32\FNTCACHE.DAT
+ 2003-05-21 12:10 . 2009-06-24 00:15 241536 c:\windows\system32\FNTCACHE.DAT
+ 2003-05-21 19:04 . 2008-06-20 11:08 225856 c:\windows\system32\drivers\tcpip6.sys
+ 2003-05-21 19:04 . 2008-06-20 11:51 361600 c:\windows\system32\drivers\tcpip.sys
+ 2003-05-21 19:04 . 2008-12-11 10:57 333952 c:\windows\system32\drivers\srv.sys
+ 2003-05-21 19:03 . 2008-10-24 11:21 455296 c:\windows\system32\drivers\mrxsmb.sys
+ 2003-05-21 19:03 . 2008-06-20 17:46 147968 c:\windows\system32\dnsapi.dll
- 2003-05-21 19:03 . 2008-04-13 20:11 147968 c:\windows\system32\dnsapi.dll
+ 2007-10-07 00:23 . 2008-10-16 04:43 202776 c:\windows\system32\dllcache\wuweb.dll
+ 2007-10-07 00:23 . 2008-10-16 04:42 323608 c:\windows\system32\dllcache\wucltui.dll
+ 2007-10-07 00:23 . 2008-10-16 04:42 561688 c:\windows\system32\dllcache\wuapi.dll
+ 2008-04-24 01:24 . 2008-06-17 19:33 938496 c:\windows\system32\dllcache\WMNetmgr.dll
+ 2008-04-24 01:24 . 2007-10-27 08:10 222720 c:\windows\system32\dllcache\wmasf.dll
+ 2008-08-20 05:30 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
+ 2008-09-05 12:59 . 2009-03-10 12:48 934792 c:\windows\system32\dllcache\WgaTray.exe
+ 2008-09-05 13:00 . 2009-03-10 12:48 239496 c:\windows\system32\dllcache\wgaLogon.dll
+ 2008-08-20 05:30 . 2009-04-29 04:46 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2008-04-24 01:24 . 2007-06-26 12:40 317440 c:\windows\system32\dllcache\unregmp2.exe
+ 2008-06-20 11:08 . 2008-06-20 11:08 225856 c:\windows\system32\dllcache\tcpip6.sys
+ 2008-06-20 11:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
+ 2008-04-24 01:24 . 2008-10-03 10:02 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2008-11-11 00:01 . 2008-12-11 10:57 333952 c:\windows\system32\dllcache\srv.sys
+ 2008-12-05 06:54 . 2008-12-05 06:54 144896 c:\windows\system32\dllcache\schannel.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
+ 2008-06-20 17:46 . 2008-06-20 17:46 245248 c:\windows\system32\dllcache\mswsock.dll
+ 2008-04-24 01:24 . 2006-12-04 06:51 414720 c:\windows\system32\dllcache\msscp.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
- 2008-04-24 01:24 . 2006-10-18 10:33 100864 c:\windows\system32\dllcache\logagent.exe
+ 2008-04-24 01:24 . 2008-06-17 15:39 100864 c:\windows\system32\dllcache\logagent.exe
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2009-03-21 14:06 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2008-10-23 12:36 . 2008-10-23 12:36 286720 c:\windows\system32\dllcache\gdi32.dll
+ 2008-06-20 17:46 . 2008-06-20 17:46 147968 c:\windows\system32\dllcache\dnsapi.dll
- 2003-05-21 19:03 . 2008-04-13 20:11 617472 c:\windows\system32\advapi32.dll
+ 2003-05-21 19:03 . 2009-02-09 12:10 617472 c:\windows\system32\advapi32.dll
+ 2002-01-05 10:37 . 2002-01-05 10:37 344064 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_msvcr70.dll
+ 2004-07-14 12:18 . 2004-07-14 12:18 303104 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_mscorjit.dll
+ 2004-07-14 12:18 . 2004-07-14 12:18 233472 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_fusion.dll
+ 2004-07-14 13:06 . 2004-07-14 13:06 200704 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_aspnet_isapi.dll
- 2004-07-14 13:06 . 2004-07-14 13:06 200704 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll
+ 2007-01-02 07:04 . 2007-01-02 07:04 200704 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll
+ 2003-05-21 21:22 . 2007-06-26 12:40 317440 c:\windows\inf\unregmp2.exe
+ 2009-06-23 04:23 . 2008-10-24 11:21 455296 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-06-24 00:07 . 2009-06-24 00:07 847872 c:\windows\assembly\NativeImages1_v1.0.3705\System.Drawing\1.0.3300.0__b03f5f7f11d50a3a_009bd04c\System.Drawing.dll
+ 2008-09-30 07:12 . 2008-09-30 07:12 1286152 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2003-05-21 19:16 . 2008-10-16 04:43 1809944 c:\windows\system32\wuaueng.dll
+ 2003-05-21 21:27 . 2008-06-17 19:33 2458112 c:\windows\system32\WMVCore.dll
- 2002-11-27 18:50 . 2008-04-13 20:12 8461312 c:\windows\system32\shell32.dll
+ 2002-11-27 18:50 . 2008-06-17 19:02 8461312 c:\windows\system32\shell32.dll
- 2003-01-07 23:37 . 2008-08-20 05:30 1499136 c:\windows\system32\shdocvw.dll
+ 2003-01-07 23:37 . 2009-04-29 04:46 1499136 c:\windows\system32\shdocvw.dll
+ 2002-12-12 07:14 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
- 2002-12-12 07:14 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2003-05-21 19:03 . 2009-02-06 11:08 2189056 c:\windows\system32\ntoskrnl.exe
- 2002-08-29 01:04 . 2008-08-14 09:33 2066048 c:\windows\system32\ntkrnlpa.exe
+ 2002-08-29 01:04 . 2009-02-07 09:32 2066048 c:\windows\system32\ntkrnlpa.exe
+ 2008-04-24 01:29 . 2008-09-10 01:14 1307648 c:\windows\system32\msxml6.dll
+ 2008-09-30 07:13 . 2008-09-30 07:13 1286152 c:\windows\system32\msxml4.dll
+ 2003-05-21 19:03 . 2008-09-04 17:15 1106944 c:\windows\system32\msxml3.dll
+ 2002-12-02 17:06 . 2009-04-29 04:46 3068928 c:\windows\system32\mshtml.dll
+ 2008-03-20 07:36 . 2009-03-10 12:48 1482112 c:\windows\system32\LegitCheckControl.dll
+ 2003-05-21 19:16 . 2008-10-16 04:43 1809944 c:\windows\system32\dllcache\wuaueng.dll
+ 2008-04-24 01:24 . 2008-06-17 19:33 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2008-11-11 00:00 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2008-06-17 19:02 . 2008-06-17 19:02 8461312 c:\windows\system32\dllcache\shell32.dll
- 2008-08-20 05:30 . 2008-08-20 05:30 1499136 c:\windows\system32\dllcache\shdocvw.dll
+ 2008-08-20 05:30 . 2009-04-29 04:46 1499136 c:\windows\system32\dllcache\shdocvw.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-11-11 00:01 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-11-11 00:01 . 2008-08-14 09:33 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-11-11 00:01 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-11-11 00:01 . 2009-02-07 09:32 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-11-11 00:01 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-11-11 00:01 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-11-11 00:01 . 2008-08-14 10:09 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-04-24 01:29 . 2008-09-10 01:14 1307648 c:\windows\system32\dllcache\msxml6.dll
+ 2008-08-20 05:30 . 2009-04-29 04:46 3068928 c:\windows\system32\dllcache\mshtml.dll
- 2004-07-15 00:35 . 2004-07-15 00:35 1200128 c:\windows\Microsoft.NET\Framework\v1.0.3705\System.Web.dll
+ 2007-01-02 07:10 . 2007-01-02 07:10 1200128 c:\windows\Microsoft.NET\Framework\v1.0.3705\System.Web.dll
+ 2004-07-14 12:19 . 2004-07-14 12:19 2269184 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_mscorwks.dll
+ 2004-07-14 12:19 . 2004-07-14 12:19 2265088 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_mscorsvr.dll
+ 2004-07-15 00:35 . 2004-07-15 00:35 1998848 c:\windows\Microsoft.NET\Framework\v1.0.3705\SHADOW2772\_mscorlib.dll
+ 2007-01-02 06:58 . 2007-01-02 06:58 2281472 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
+ 2007-01-02 06:58 . 2007-01-02 06:58 2273280 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll
+ 2007-01-02 06:51 . 2007-01-02 06:51 1998848 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorlib.dll
- 2004-07-15 00:35 . 2004-07-15 00:35 1998848 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorlib.dll
+ 2003-05-21 21:17 . 2006-08-21 06:27 1077321 c:\windows\Help\SBSI\Training\orun32.exe
+ 2008-11-11 00:01 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-11-11 00:01 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-11-11 00:01 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-11-11 00:01 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-11-11 00:01 . 2009-02-07 09:32 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-11-11 00:01 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-11-11 00:01 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-06-24 00:07 . 2009-06-24 00:07 1855488 c:\windows\assembly\NativeImages1_v1.0.3705\System\1.0.3300.0__b77a5c561934e089_3de4633b\System.dll
+ 2009-06-24 00:07 . 2009-06-24 00:07 2027520 c:\windows\assembly\NativeImages1_v1.0.3705\System.Xml\1.0.3300.0__b77a5c561934e089_0ee7e37c\System.Xml.dll
+ 2009-06-24 00:07 . 2009-06-24 00:07 2953216 c:\windows\assembly\NativeImages1_v1.0.3705\System.Windows.Forms\1.0.3300.0__b77a5c561934e089_6e9d5b16\System.Windows.Forms.dll
+ 2009-06-24 00:07 . 2009-06-24 00:07 1454080 c:\windows\assembly\NativeImages1_v1.0.3705\System.Design\1.0.3300.0__b03f5f7f11d50a3a_3f1b915f\System.Design.dll
+ 2009-06-24 00:07 . 2009-06-24 00:07 3301376 c:\windows\assembly\NativeImages1_v1.0.3705\mscorlib\1.0.3300.0__b77a5c561934e089_d530e96e\mscorlib.dll
+ 2009-06-24 00:07 . 2009-06-24 00:07 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-11-11 00:03 . 2008-11-11 00:03 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
+ 2003-05-21 21:22 . 2008-11-11 09:04 10838016 c:\windows\system32\wmp.dll
+ 2008-11-11 00:07 . 2009-06-01 00:21 23635392 c:\windows\system32\MRT.exe
+ 2008-04-24 01:29 . 2008-11-11 09:04 10838016 c:\windows\system32\dllcache\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-06 114688]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 40960]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2003-04-16 258048]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2005-04-12 368726]
"D-Link AirPlus XtremeG DWL-G122"="c:\program files\D-Link\AirPlus XtremeG DWL-G122\AirGCFG.exe" [2008-12-18 1556480]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-03 73728]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-5-22 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-27 00:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
2005-04-12 15:02 233558 ----a-w- c:\windows\system32\PRISMGNA.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedTouch 121g Wireless USB Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpeedTouch 121g Wireless USB Monitor.lnk
backup=c:\windows\pss\SpeedTouch 121g Wireless USB Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [12/01/2009 4:49 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/01/2009 4:49 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/01/2009 4:49 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/01/2009 4:48 PM 298776]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [13/04/2005 12:30 AM 61526]
S3 BT4501G;SpeedTouch 121g Wireless USB Adapter Driver;c:\windows\system32\drivers\BT4501G.sys [21/03/2009 12:06 PM 357568]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.SYS [24/11/2007 10:46 AM 17149]
S3 NETGEAR NETGEAR MA101 USB Adapter(A);NETGEAR NETGEAR MA101 USB Adapter(A) Service for NETGEAR MA101 USB Adapter;c:\windows\system32\DRIVERS\ma1012ka.sys --> c:\windows\system32\DRIVERS\ma1012ka.sys [?]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 04:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 09:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\PRISMGNA.DLL

- - - - - - - > 'explorer.exe'(3456)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-24 9:10
ComboFix-quarantined-files.txt 2009-06-24 23:40

Pre-Run: 65,848,713,216 bytes free
Post-Run: 65,830,793,216 bytes free

385 --- E O F --- 2009-06-24 00:14

ken545 · Jun 25, 2009

Lets run these scans

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

Download Dr.Web CureIt to the desktop:

Doubleclick the drweb-cureit icon to start the program.
press start
Allow the program to run the initial express scan
This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
- Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
Once the scan is complete, on the menu bar, click file and choose report list.
Save the report to your desktop. The report will be called DrWeb.csv
Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
Close Dr.Web Cureit.
Please post the Dr.Web.txt report in your next reply

Post the logs please

Bluesbeat · Jun 25, 2009

It found nothing so there was nothing to remove
------------------------
Malwarebytes' Anti-Malware 1.38
Database version: 2332
Windows 5.1.2600 Service Pack 3

25/06/2009 11:24:30 AM
mbam-log-2009-06-25 (11-24-30).txt

Scan type: Quick Scan
Objects scanned: 93327
Time elapsed: 5 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Bluesbeat · Jun 25, 2009

Sorry, got interrupted, will post the rest shortly

Bluesbeat · Jun 25, 2009

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:30 PM, on 25/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\D-Link\AirPlus XtremeG DWL-G122\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Desktop\c3g2vcuy.exe
C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\sfbxp9.exe
C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\n5297.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG DWL-G122] C:\Program Files\D-Link\AirPlus XtremeG DWL-G122\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1226360786977
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sa.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = sa.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = sa.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sa.bigpond.net.au
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7685 bytes

Bluesbeat · Jun 25, 2009

Dr Web CureIt file

ken545 · Jun 25, 2009

Hello,

Please do not attach any reports, its easier for me to research them when there copied and pasted into the forum.

It looks like Dr Web removed an entry for TDSS.

C:\Documents and Settings\User\Desktop\c3g2vcuy.exe<--This just showed up, is this something you downloaded??

How are things running now??

Bluesbeat · Jun 25, 2009

ken545 said:
Hello,
C:\Documents and Settings\User\Desktop\c3g2vcuy.exe<--This just showed up, is this something you downloaded??

How are things running now??

That was the file I got when I originally downloaded Dr Web Cureit installation file from here http://www.freedrweb.com/download+cureit/

Appears to be going ok, it's just that every few weeks AVG seems to detect a Trojan. Should I be turning system restore on/off to reset?
thanks.

ken545 · Jun 25, 2009

You should flush out all the old restore points as they most likely contain what we just removed, then create a new restore point and leave it enabled. There is not reason to ever disable it.

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Reboot your computer

Turn ON System Restore.

Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

Go to Start> All Programs> Assesories> System Tools> System Restore and create a New Restore Point

System Restore Tutorial <-- If you need it

Please download ATF Cleaner by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

Run AVG and let it remove what it finds, reboot and run it again until its clean.

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken

Bluesbeat · Jun 26, 2009

Everything appears to be going ok now. A few times in the last few days IE has taken over as default browser from Firefox, maybe this was a result of the tools we used for the cleanup?
Anyway, thank you Ken for the great help and advice.
regards,
Geoff

ken545 · Jun 26, 2009

Geoff ,

Glad things are better :bigthumb:

Open up Firefox and click Tools>Options>Advanced Tab> General and make sure you check "Always Check to see if Firefox is the default browser on Startup"

Take care,
Ken

ken545 · Jun 29, 2009

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Win32.TDSS.rtk

Bluesbeat

New member

ken545

Emeritus-Security Expert

Bluesbeat

New member

Bluesbeat

New member

ken545

Emeritus-Security Expert

Bluesbeat

New member

Bluesbeat

New member

Bluesbeat

New member

Bluesbeat

New member

ken545

Emeritus-Security Expert

Bluesbeat

New member

ken545

Emeritus-Security Expert

Bluesbeat

New member

ken545

Emeritus-Security Expert

ken545

Emeritus-Security Expert