
Active Virus that wont let me update my anti virus and redirects internet

Discussion in 'Malware and Virus Removal Archive' started by rhysaus, 2009/02/15.

  1. 2009/02/15
    rhysaus (Thread Starter)

    Gday all,
    Think I have a virus on my computer that prevents me from updating my Trend Micro. It also redirects my browser from any page with anything to do with antivirus software.

    I read a post in which ianchesh seemed to have a similar problem, and noahdfear helped him out with that. I followed the same sort of steps and ran RootRepeal.

    Got these results:

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/02/15 21:38
    Program Version: Version 1.2.3.0
    Windows Version: Windows Vista SP1
    ==================================================

    Drivers
    -------------------
    Name: dump_iaStor.sys
    Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
    Address: 0x9011F000 Size: 843776 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\Windows\system32\drivers\rootrepeal.sys
    Address: 0x993F3000 Size: 45056 File Visible: No
    Status: -

    Name: sptd
    Image Path: \Driver\sptd
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: spxj.sys
    Image Path: C:\Windows\System32\Drivers\spxj.sys
    Address: 0x80697000 Size: 1048576 File Visible: No
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{961d1fd8-f2af-11dd-9b3e-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{961d1fe1-f2af-11dd-9b3e-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{b55642df-fa4f-11dd-8038-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{b55642eb-fa4f-11dd-8038-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{b6b88e3a-f8e2-11dd-8fbc-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{b7cae7bb-f9d6-11dd-9616-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{b7cae7c1-f9d6-11dd-9616-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{b7cae7ca-f9d6-11dd-9616-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{c1090bde-f338-11dd-86cb-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{c1090bf7-f338-11dd-86cb-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{c1090c11-f338-11dd-86cb-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{c1090c27-f338-11dd-86cb-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{e4ba359b-f9af-11dd-92ed-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{e4ba35a1-f9af-11dd-92ed-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{c1090c02-f338-11dd-86cb-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\System Volume Information\{3f5f8408-f1a0-11dd-9534-00a0d5ffffa0}{3808876b-c176-4e48-b7ae-04046e6cc752}
    Status: Locked to the Windows API!

    Path: C:\Windows\Media\WINDOW~1.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\Media\WINDOW~2.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\Media\WINDOW~4.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\System32\wfp\wfpdiag.etl
    Status: Allocation size mismatch (API: 65536, Raw: 0)

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.1.0.0_none_6c030d6fdc86522c.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_58b1a5ca663317c4.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_588445e3d272feb1.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_5c400d5e63e93b68.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_54c1279468b7b84b.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Manifests\6404bc9cb3e4e1c5b38e2b30c572adc4cfa78ac96aea8997b1e713f62b18ca50.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Manifests\3582cf91bea0e0e7b5f4b8a168a2e4bf248a01f764aa3c5d7c4f352ebc681e9d.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Manifests\f8209ee440679adcdab198fe5262dd5ff95c1d654f488816d0f33c8a45d5e8d8.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Manifests\5effcbd6bfe308cd94c31922a126a132ef26282a495f9fc0963000a8e158d866.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\Manifests\70f19edeeb8e3329aad18f744094ea0319d2ecc78dd6a12559a1e765c42418f7.cat
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16711_none_2d71f3a71cdf2247\WINDOW~1.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16711_none_2d71f3a71cdf2247\WINDOW~2.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16711_none_2d71f3a71cdf2247\WINDOW~4.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_2d4cb5b31cfa2a15\WINDOW~1.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_2d4cb5b31cfa2a15\WINDOW~2.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_2d4cb5b31cfa2a15\WINDOW~4.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16764_none_2d3ee4e91d04fa01\WINDOW~1.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16764_none_2d3ee4e91d04fa01\WINDOW~2.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16764_none_2d3ee4e91d04fa01\WINDOW~4.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20868_none_2dcc82dc361eff27\WINDOW~1.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20868_none_2dcc82dc361eff27\WINDOW~2.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20868_none_2dcc82dc361eff27\WINDOW~4.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_2df6c42835ff7333\WINDOW~1.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_2df6c42835ff7333\WINDOW~2.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_2df6c42835ff7333\WINDOW~4.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20937_none_2debf43c36078f24\WINDOW~1.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20937_none_2debf43c36078f24\WINDOW~2.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20937_none_2debf43c36078f24\WINDOW~4.WAV
    Status: Locked to the Windows API!

    Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
    Status: Locked to the Windows API!

    Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
    Status: Locked to the Windows API!

    Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
    Status: Locked to the Windows API!

    Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
    Status: Locked to the Windows API!

    Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
    Status: Locked to the Windows API!

    Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
    Status: Locked to the Windows API!

    Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
    Status: Locked to the Windows API!

    Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log
    Status: Allocation size mismatch (API: 131072, Raw: 0)

    Path: C:\Users\Clark\AppData\Local\Trend Micro\TrendSecure\Log\TS-COMSVR-20090214-000901-682.log
    Status: Size mismatch (API: 204240, Raw: 203964)

    Processes
    -------------------
    Path: System
    PID: 4 Status: Locked to the Windows API!

    Path: C:\Windows\System32\audiodg.exe
    PID: 1364 Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 064 Function Name: NtCreateKey
    Status: Hooked by "<unknown>" at address 0x9aa06fa0

    #: 072 Function Name: NtCreateProcess
    Status: Hooked by "<unknown>" at address 0x9aa061e0

    #: 073 Function Name: NtCreateProcessEx
    Status: Hooked by "<unknown>" at address 0x9aa064a0

    #: 075 Function Name: NtCreateSection
    Status: Hooked by "<unknown>" at address 0x9aa07c60

    #: 078 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0x9aa08140

    #: 123 Function Name: NtDeleteKey
    Status: Hooked by "<unknown>" at address 0x9aa07520

    #: 126 Function Name: NtDeleteValueKey
    Status: Hooked by "<unknown>" at address 0x9aa077e0

    #: 165 Function Name: NtLoadDriver
    Status: Hooked by "<unknown>" at address 0x9aa08480

    #: 194 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0x9aa06a20

    #: 197 Function Name: NtOpenSection
    Status: Hooked by "<unknown>" at address 0x9aa07e00

    #: 324 Function Name: NtSetValueKey
    Status: Hooked by "<unknown>" at address 0x9aa07260

    #: 334 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0x9aa06ce0

    #: 358 Function Name: NtWriteVirtualMemory
    Status: Hooked by "<unknown>" at address 0x9aa07fa0

    #: 382 Function Name: NtCreateThreadEx
    Status: Hooked by "<unknown>" at address 0x9aa082e0

    #: 383 Function Name: NtCreateUserProcess
    Status: Hooked by "<unknown>" at address 0x9aa06760

    Stealth Objects
    -------------------
    Object: Hidden Module [Name: WinMgmtR.dll]
    Process: svchost.exe (PID: 1184) Address: 0x00640000 Size: 8192

    Object: Hidden Module [Name: lpksetup.exe]
    Process: svchost.exe (PID: 1184) Address: 0x007c0000 Size: 200704

    Object: Hidden Module [Name: RacAgent.exe]
    Process: svchost.exe (PID: 1184) Address: 0x00790000 Size: 28672

    Object: Hidden Module [Name: winlogon.exe]
    Process: svchost.exe (PID: 1184) Address: 0x024d0000 Size: 323584

    Object: Hidden Module [Name: winlogon.exe]
    Process: svchost.exe (PID: 1184) Address: 0x02a10000 Size: 323584

    Object: Hidden Module [Name: tquery.dll]
    Process: svchost.exe (PID: 1184) Address: 0x71730000 Size: 1589248

    Object: Hidden Module [Name: WinMgmtR.dll]
    Process: svchost.exe (PID: 1184) Address: 0x70ed0000 Size: 8192

    Object: Hidden Module [Name: MpEvMsg.dll]
    Process: svchost.exe (PID: 1184) Address: 0x6cd50000 Size: 57344

    Object: Hidden Module [Name: profsvc.dll]
    Process: svchost.exe (PID: 1184) Address: 0x739d0000 Size: 163840

    Object: Hidden Module [Name: schedsvc.dll]
    Process: svchost.exe (PID: 1184) Address: 0x73af0000 Size: 606208

    Object: Hidden Module [Name: wevtapi.dll]
    Process: svchost.exe (PID: 1184) Address: 0x75240000 Size: 258048

    Object: Hidden Module [Name: VistaFX.dll]
    Process: BigPond_CM.exe (PID: 3364) Address: 0x02ba0000 Size: 114688

    Object: Hidden Module [Name: msvcm80.dll]
    Process: BigPond_CM.exe (PID: 3364) Address: 0x04fb0000 Size: 507904

    Object: Hidden Module [Name: UfSeAgnt.exe.mui]
    Process: UfSeAgnt.exe (PID: 1500) Address: 0x10000000 Size: 110592

    Object: Hidden Module [Name: MOM.Implementation.DLL]
    Process: MOM.exe (PID: 3220) Address: 0x00a10000 Size: 110592

    Object: Hidden Module [Name: LOG.Foundation.DLL]
    Process: MOM.exe (PID: 3220) Address: 0x00a80000 Size: 45056

    Object: Hidden Module [Name: LOG.Foundation.Private.DLL]
    Process: MOM.exe (PID: 3220) Address: 0x01b40000 Size: 45056

    Object: Hidden Module [Name: MOM.Foundation.DLL]
    Process: MOM.exe (PID: 3220) Address: 0x01b70000 Size: 28672

    Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]
    Process: MOM.exe (PID: 3220) Address: 0x01b50000 Size: 69632

    Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]
    Process: MOM.exe (PID: 3220) Address: 0x01ba0000 Size: 28672

    Object: Hidden Module [Name: AEM.Server.DLL]
    Process: MOM.exe (PID: 3220) Address: 0x03d40000 Size: 53248

    Object: Hidden Module [Name: NEWAEM.Foundation.DLL]
    Process: MOM.exe (PID: 3220) Address: 0x03d50000 Size: 36864

    Object: Hidden Module [Name: CCC.Implementation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x00a00000 Size: 45056

    Object: Hidden Module [Name: MOM.Foundation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x00dc0000 Size: 28672

    Object: Hidden Module [Name: LOG.Foundation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x00db0000 Size: 45056

    Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x00de0000 Size: 28672

    Object: Hidden Module [Name: CLI.Foundation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x00dd0000 Size: 61440

    Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x00df0000 Size: 69632

    Object: Hidden Module [Name: LOG.Foundation.Private.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x00f10000 Size: 45056

    Object: Hidden Module [Name: MOM.Implementation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x01070000 Size: 110592

    Object: Hidden Module [Name: CLI.Foundation.XManifest.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x01090000 Size: 36864

    Object: Hidden Module [Name: CLI.Component.Runtime.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x01d40000 Size: 28672

    Object: Hidden Module [Name: CLI.Component.Runtime.Shared.Private.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x01d20000 Size: 53248

    Object: Hidden Module [Name: CLI.Component.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x01d00000 Size: 86016

    Object: Hidden Module [Name: CLI.Foundation.Private.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x01d30000 Size: 53248

    Object: Hidden Module [Name: ATICCCom.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x01d50000 Size: 45056

    Object: Hidden Module [Name: AEM.Server.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03ee0000 Size: 53248

    Object: Hidden Module [Name: AEM.Server.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03f70000 Size: 28672

    Object: Hidden Module [Name: CLI.Component.Runtime.Extension.EEU.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03f50000 Size: 28672

    Object: Hidden Module [Name: NEWAEM.Foundation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03f40000 Size: 36864

    Object: Hidden Module [Name: AEM.Foundation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03f60000 Size: 36864

    Object: Hidden Module [Name: AEM.Plugin.Source.Kit.Server.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03f80000 Size: 53248

    Object: Hidden Module [Name: AEM.Plugin.Hotkeys.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03fc0000 Size: 28672

    Object: Hidden Module [Name: AEM.Plugin.DPPE.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03fb0000 Size: 28672

    Object: Hidden Module [Name: DEM.Graphics.I0601.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03fd0000 Size: 53248

    Object: Hidden Module [Name: DEM.Foundation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x03ff0000 Size: 28672

    Object: Hidden Module [Name: DEM.Graphics.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x04a00000 Size: 28672

    Object: Hidden Module [Name: AEM.Plugin.EEU.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x04b40000 Size: 28672

    Object: Hidden Module [Name: DEM.Graphics.I0709.dll]
    Process: CCC.exe (PID: 4892) Address: 0x04fc0000 Size: 28672

    Object: Hidden Module [Name: DEM.OS.I0602.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x04e30000 Size: 28672

    Object: Hidden Module [Name: ATIDEMGX.dll]
    Process: CCC.exe (PID: 4892) Address: 0x04c60000 Size: 380928

    Object: Hidden Module [Name: CLI.Caste.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x04d10000 Size: 61440

    Object: Hidden Module [Name: ACE.Graphics.DisplaysManager.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x04d20000 Size: 36864

    Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x04f50000 Size: 266240

    Object: Hidden Module [Name: DEM.OS.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x04fb0000 Size: 28672

    Object: Hidden Module [Name: AEM.Plugin.GD.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05100000 Size: 28672

    Object: Hidden Module [Name: ATIDEMOS.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x04fd0000 Size: 77824

    Object: Hidden Module [Name: AEM.Actions.CCAA.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05110000 Size: 28672

    Object: Hidden Module [Name: LOCALIZATION.Foundation.Private.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05130000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x056f0000 Size: 53248

    Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x055a0000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05590000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x055b0000 Size: 77824

    Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.Shared.Private.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x056d0000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05840000 Size: 86016

    Object: Hidden Module [Name: DEM.Graphics.I0706.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05720000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.CustomFormats.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05710000 Size: 36864

    Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05700000 Size: 45056

    Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05730000 Size: 45056

    Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05880000 Size: 77824

    Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05c00000 Size: 36864

    Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05ab0000 Size: 53248

    Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05ae0000 Size: 45056

    Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05ad0000 Size: 36864

    Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05c60000 Size: 36864

    Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05c20000 Size: 61440

    Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05c10000 Size: 53248

    Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05c50000 Size: 45056

    Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05c90000 Size: 53248

    Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x05c70000 Size: 69632

    Object: Hidden Module [Name: DEM.Graphics.I0712.dll]
    Process: CCC.exe (PID: 4892) Address: 0x05ca0000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x061c0000 Size: 61440

    Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x061e0000 Size: 69632

    Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06240000 Size: 61440

    Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06450000 Size: 86016

    Object: Hidden Module [Name: CLI.Aspect.PowerPlayDPPE.Graphics.Runtime.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06480000 Size: 53248

    Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Wizard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07050000 Size: 208896

    Object: Hidden Module [Name: CLI.Component.Wizard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06aa0000 Size: 503808

    Object: Hidden Module [Name: APM.Server.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x064b0000 Size: 61440

    Object: Hidden Module [Name: CLI.Aspect.PowerPlayDPPE.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x064a0000 Size: 36864

    Object: Hidden Module [Name: APM.Foundation.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x064c0000 Size: 28672

    Object: Hidden Module [Name: CLI.Component.Client.Shared.Private.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06500000 Size: 53248

    Object: Hidden Module [Name: CLI.Component.Wizard.Shared.Private.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06860000 Size: 36864

    Object: Hidden Module [Name: CLI.Component.Client.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06830000 Size: 28672

    Object: Hidden Module [Name: CLI.Component.Wizard.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06850000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x068a0000 Size: 487424

    Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06880000 Size: 53248

    Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06890000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06920000 Size: 413696

    Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06e00000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06b40000 Size: 53248

    Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Wizard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06b20000 Size: 102400

    Object: Hidden Module [Name: atixclib.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06b50000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Wizard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06c60000 Size: 495616

    Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.Private.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06f20000 Size: 28672

    Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.Shared.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x06f40000 Size: 28672

    Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Wizard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07560000 Size: 413696

    Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07180000 Size: 446464

    Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x070f0000 Size: 86016

    Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07140000 Size: 225280

    Object: Hidden Module [Name: CLI.Aspect.Welcome.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07110000 Size: 143360

    Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07200000 Size: 126976

    Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x073c0000 Size: 1691648

    Object: Hidden Module [Name: CLI.Aspect.PowerPlayDPPE.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07e80000 Size: 159744

    Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07b00000 Size: 913408

    Object: Hidden Module [Name: CLI.Component.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07800000 Size: 1519616

    Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Wizard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07620000 Size: 372736

    Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Wizard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x075d0000 Size: 315392

    Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07980000 Size: 454656

    Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07be0000 Size: 364544

    Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07c40000 Size: 593920

    Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Dashboard.DLL]
    Process: CCC.exe (PID: 4892) Address: 0x07db0000 Size: 815104

    Object: Hidden Module [Name: UfNavi.exe.mui]
    Process: UfNavi.exe (PID: 6052) Address: 0x10000000 Size: 602112

    Object: Hidden Code [ETHREAD: 0x8423e650]
    Process: System Address: 0x88c5ca68 Size: -

    Object: Hidden Code [ETHREAD: 0x84283020]
    Process: System Address: 0xa7e35180 Size: -

    Object:Hidden Services
    -------------------
    Service Name: gaopdxserv.sys
    Image Path: C:\Windows\system32\drivers\gaopdxqcisnwrx.sys
     
  2. 2009/02/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Welcome to WindowsBBS :)

    Did you not see the announcement in red, bolded letters at the head of the forum??

    *** READ THIS BEFORE POSTING IN THIS FORUM ***

    Please do so and post the logs requested.

    It is extremely dangerous and foolhardy to follow the cleanup steps used in another thread which are specific to that system and infection.
     

  4. 2009/02/15
    rhysaus

    rhysaus Inactive Thread Starter

    Joined:
    2009/02/15
    Messages:
    2
    Likes Received:
    0
    Oh, sorry about that, I did have a look at that link but was having trouble getting DDS.

    Here are the results of those scans.


    DDS (Ver_09-02-01.01) - NTFSx86
    Run by Clark at 22:45:01.74 on Sun 15/02/2009
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2045.920 [GMT 10:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\TAMSvr.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
    C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
    C:\Program Files\TrueSuite Access Manager\FpNotifier.exe
    C:\Program Files\TrueSuite Access Manager\usbnotify.exe
    C:\Program Files\TrueSuite Access Manager\PwdBank.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Program Files\TrueSuite Access Manager\CssSvr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
    C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Users\Clark\Desktop\RootRepeal.exe
    C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
    C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\Windows\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Clark\Desktop\rhys\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://bigpond.com/homepage/
    uSearch Bar = hxxp://www.google.com/ie
    BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
    BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: WinSafe Class: {b6b571fb-b71d-449c-ad70-82e966328795} - c:\windows\iehost.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
    uRun: [Sidebar]
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe "
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [cfFncEnabler.exe] cfFncEnabler.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe "
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    mRun: [FingerPrintNotifer] "c:\program files\truesuite access manager\FpNotifier.exe "
    mRun: [UsbMonitor] "c:\program files\truesuite access manager\usbnotify.exe "
    mRun: [PwdBank] "c:\program files\truesuite access manager\PwdBank.exe "
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
    mRun: [BigPondWirelessBroadbandCM] "c:\program files\telstra\bigpond wireless broadband 2.0\BigPond_CM.exe" -tsr
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe "
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: DisableCAD = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    TCP: NameServer = 85.255.112.39,85.255.112.40
    TCP: {1DC7A2B2-3935-4CD5-A788-F6C987C5F422} = 85.255.112.39,85.255.112.40
    TCP: {8399FE22-3F97-44AA-AA9C-8792FBB53C0B} = 85.255.112.39,85.255.112.40
    TCP: {D0D367DC-A7F3-4B15-821C-A9FC204BEB76} = 85.255.112.39,85.255.112.40
    Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

    ============= SERVICES / DRIVERS ===============

    R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\drivers\AlfaFF.sys [2008-8-25 42608]
    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-2-13 145424]
    R2 Authentec memory manager;Authentec memory manager service;c:\windows\system32\TAMSvr.exe [2008-8-25 49152]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
    R2 OpenLibSys;OpenLibSys;c:\program files\nxp\fm radio\OpenLibSys.sys [2008-8-25 14672]
    R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-2-14 181584]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-2-13 49680]
    R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-14 492888]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-14 677128]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-2-13 256528]
    R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-6 7168]
    R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
    R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
    R3 SWNC8U55;Sierra Wireless MUX NDIS Driver (UMTS55);c:\windows\system32\drivers\swnc8u55.sys [2007-11-19 164480]
    R3 SWUMX55;Sierra Wireless USB MUX Driver (UMTS55);c:\windows\system32\drivers\swumx55.sys [2007-11-19 140672]

    =============== Created Last 30 ================

    2009-02-15 22:26 <DIR> a-dshr-- C:\autorun.inf
    2009-02-14 22:15 268 a---h--- C:\sqmdata02.sqm
    2009-02-14 22:15 244 a---h--- C:\sqmnoopt02.sqm
    2009-02-14 21:43 268 a---h--- C:\sqmdata01.sqm
    2009-02-14 21:43 244 a---h--- C:\sqmnoopt01.sqm
    2009-02-14 21:38 268 a---h--- C:\sqmdata00.sqm
    2009-02-14 21:38 244 a---h--- C:\sqmnoopt00.sqm
    2009-02-14 20:45 <DIR> --d----- c:\windows\pss
    2009-02-13 23:52 256,528 a------- c:\windows\system32\drivers\tmwfp.sys
    2009-02-13 23:52 145,424 a------- c:\windows\system32\drivers\tmlwf.sys
    2009-02-13 23:52 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
    2009-02-13 23:52 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
    2009-02-13 23:52 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
    2009-02-13 23:52 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
    2009-02-13 19:17 19,968 a------- c:\windows\iehost.dll
    2009-02-04 23:56 75,776 a------- c:\windows\system32\drivers\gaopdxqcisnwrx.sys
    2009-02-04 23:56 4 a------- c:\windows\system32\gaopdxcounter
    2009-02-04 21:52 <DIR> --d----- c:\program files\PixiePack Codec Pack
    2009-02-04 21:39 <DIR> --d----- c:\program files\RapidSolution
    2009-02-04 21:22 <DIR> --d----- c:\programdata\RapidSolution
    2009-02-04 21:22 <DIR> --d----- c:\progra~2\RapidSolution
    2009-02-04 19:42 <DIR> --d----- c:\users\clark\appdata\roaming\ABIG
    2009-01-25 17:32 52,736 a------- c:\windows\ipuninst.exe
    2009-01-25 17:31 <DIR> --d----- c:\program files\BlackIsle
    2009-01-23 19:17 410,984 a------- c:\windows\system32\deploytk.dll
    2009-01-23 09:49 38,816 a------- c:\windows\system32\drivers\tbhsd.sys

    ==================== Find3M ====================

    2009-02-15 21:31 143,360 a------- c:\windows\inf\infstrng.dat
    2009-02-15 21:31 51,200 a------- c:\windows\inf\infpub.dat
    2009-02-14 00:06 86,016 a------- c:\windows\inf\infstor.dat
    2009-01-11 16:40 717,296 a------- c:\windows\system32\drivers\sptd.sys
    2008-11-29 16:02 50,017 a------- c:\windows\War3Unin.dat
    2008-11-29 16:02 139,264 a------- c:\windows\War3Unin.exe
    2008-11-29 16:02 2,829 a------- c:\windows\War3Unin.pif
    2008-10-15 03:11 665,600 a------- c:\windows\inf\drvindex.dat
    2008-01-21 12:43 174 a--sh--- c:\program files\desktop.ini
    2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 22:45:52.40 ===============
     
  5. 2009/02/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  6. 2009/02/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi rhysaus,

    Please visit the following webpage for instructions on downloading and running ComboFix.

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     
