TechSpot

Win32 heur, mqrrnsrp.exe, plus Windows keeps crashing

By iti0
Mar 19, 2011
  1. A few days ago AVG found win32 heur and claims to have cleaned it. However, the computer is running slow, Windows periodically crashes, and then has trouble loading when I start the computer. Just this morning AVG removed a process called mqrrnsrp.exe. Malwarebytes doesn't seem to find anything wrong :/

    Here are the logs.

    MBAM:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6102

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    3/18/2011 11:19:37 PM
    mbam-log-2011-03-18 (23-19-37).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 394883
    Time elapsed: 2 hour(s), 19 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER:
    GMER 1.0.15.15565 - http://www.gmer.net
    Rootkit scan 2011-03-19 13:34:14
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS541612J9SA00 rev.SBDOC7DP
    Running: mqrrnsrp.exe; Driver: C:\Users\User\AppData\Local\Temp\fwtyrpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA21DD780]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA21DD830]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA21DD8D0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA21DD970]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs cbfs3.sys
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----

    dds:

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by User at 19:51:46.19 on Fri 03/18/2011
    Internet Explorer: 8.0.6001.19019
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1039 [GMT -7:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
    C:\Toshiba\IVP\ISM\pinger.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Windows\System32\alg.exe
    C:\Program Files\Toshiba\Utilities\KeNotify.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\sdclt.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    C:\Windows\System32\mobsync.exe
    C:\Users\User\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.toshibadirect.com/dpdstart
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - c:\windows\system32\CbFsMntNtf3.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
    TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
    TB: {00000000-0000-0000-0000-000000000000} - No File
    uRun: [TOSCDSPD] TOSCDSPD.EXE
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
    mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Download Using &BitSpirit - c:\program files\bitspirit\bsurl.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: ÓñÈÌؾ«ÁéÏÂÔØ(&B)
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/70.22/uploader2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: c:\progra~1\google\google~1\GoogleDesktopNetwork3.dll
    SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
    STS: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - c:\windows\system32\CbFsMntNtf3.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\1wsigcw9.default\
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\users\user\appdata\roaming\move networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\users\user\appdata\roaming\move networks\plugins\npqmp071505000011.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\user\appdata\roaming\Move Networks
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2010-10-14 267208]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-31 21504]
    R2 JungleDiskService;JungleDiskService;c:\program files\jungle disk desktop\JungleDiskMonitor.exe [2010-9-24 7199232]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-9-24 206608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-25 38224]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-9-24 206608]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-03-18 22:39:49 100480 ----a-w- C:\fwtyrpoc.sys
    2011-03-16 03:07:44 652296 ----a-w- c:\progra~2\microsoft\ehome\packages\sportstemplate\sportstemplatecore\Microsoft.MediaCenter.Sports.UI.dll
    2011-03-16 03:07:25 749832 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
    2011-03-16 03:07:13 416128 ----a-w- c:\progra~2\microsoft\ehome\packages\nettv\browse\NetTVResources.dll
    2011-03-16 02:44:13 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{e7033c45-1c48-4b33-a9d2-c9b1932143ea}\mpengine.dll
    2011-03-16 02:30:16 -------- d-----w- c:\users\user\appdata\local\My Games
    2011-03-16 00:33:30 -------- d-----w- c:\program files\common files\Steam
    2011-03-16 00:26:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
    2011-03-16 00:26:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
    2011-03-16 00:26:37 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
    2011-03-16 00:26:35 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
    2011-03-16 00:26:27 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
    2011-03-16 00:26:17 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
    2011-03-16 00:26:14 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
    2011-03-16 00:26:07 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
    2011-03-16 00:26:00 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
    2011-03-16 00:26:00 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
    2011-03-16 00:24:57 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
    2011-03-16 00:24:57 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
    2011-03-16 00:24:54 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
    2011-03-16 00:24:52 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
    2011-03-16 00:24:50 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
    2011-03-16 00:24:50 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
    2011-03-16 00:24:47 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
    2011-03-09 19:22:56 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 19:22:55 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 19:22:55 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-09 19:22:55 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-09 19:22:29 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-09 19:22:28 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-02 16:56:47 -------- d-----r- c:\program files\Skype
    2011-02-24 17:29:37 -------- d-----w- c:\users\user\appdata\roaming\IObit
    2011-02-24 17:29:36 -------- d-----w- c:\program files\IObit
    2011-02-23 18:08:06 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-23 18:07:16 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-23 18:07:16 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-23 18:07:16 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-23 18:07:10 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
    2011-02-23 18:07:10 10240 ----a-w- c:\windows\system32\winrssrv.dll
    2011-02-23 18:07:06 81408 ----a-w- c:\windows\system32\wevtfwd.dll
    2011-02-23 18:07:06 79872 ----a-w- c:\windows\system32\wecutil.exe
    2011-02-23 18:07:06 56320 ----a-w- c:\windows\system32\wecapi.dll
    2011-02-23 18:07:06 54272 ----a-w- c:\windows\system32\WsmRes.dll
    2011-02-23 18:07:06 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
    2011-02-23 18:07:06 146944 ----a-w- c:\windows\system32\wecsvc.dll
    2011-02-23 18:06:58 201184 ----a-w- c:\windows\system32\winrm.vbs
    2011-02-23 18:06:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
    2011-02-23 18:06:55 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
    2011-02-23 18:06:55 241152 ----a-w- c:\windows\system32\winrscmd.dll
    2011-02-23 18:06:55 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
    2011-02-23 18:06:55 145408 ----a-w- c:\windows\system32\WsmAuto.dll
    2011-02-23 18:06:53 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
    .
    ==================== Find3M ====================
    .
    2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
    .
    ============= FINISH: 19:53:04.63 ===============

    dds attach:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/19/2007 6:08:54 AM
    System Uptime: 3/18/2011 7:23:00 PM (0 hours ago)
    .
    Motherboard: TOSHIBA | | ISRAA
    Processor: Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz | U2E1 | 1667/mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 110 GiB total, 16.142 GiB free.
    D: is FIXED (NTFS) - 112 GiB total, 30.163 GiB free.
    E: is CDROM (CDFS)
    F: is CDROM ()
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Trend Micro Passthru Ndis Miniport
    Device ID: ROOT\TM_PASSTHRUMP\0000
    Manufacturer: Trend Micro
    Name: Trend Micro Passthru Ndis Miniport
    PNP Device ID: ROOT\TM_PASSTHRUMP\0000
    Service: TMPassthruMP
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    "Sound Reconquista"
    3ivx MPEG-4 5.0.3 (remove only)
    ACDSee
    Ad-Aware Email Scanner for Outlook
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.2
    Adobe Shockwave Player
    Advanced SystemCare 3
    AVerMedia USB Hybrid Capture Device 1.3.0.67
    AVG 2011
    BitSpirit v3.3.2.100 Stable
    Bluetooth Stack for Windows by Toshiba
    Broken Crescent
    calibre
    Camera Assistant Software for Toshiba
    CD/DVD Drive Acoustic Silencer
    Championship Manager 2008
    Chivalry II - The Sicilian Vespers 3.0
    Chivalry II - The Sicilian Vespers 3.3
    Chivalry II - The Sicilian Vespers 3.3 (HotFix2)
    Compatibility Pack for the 2007 Office system
    Core FTP LE 2.1
    Das Heilige Römische Reich - Version 0.7
    Diablo II
    DLV Teutonic Knights 1.0
    DLV Teutonic Knights Upgrade 1.2
    DVD MovieFactory for TOSHIBA
    eFax Messenger
    Eusing Free Registry Cleaner
    Football Manager 2008
    Google Desktop
    Google Toolbar for Internet Explorer
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) PROSet/Wireless Software
    IsoBuster 2.3
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) SE Runtime Environment 6
    Jungle Disk Desktop
    Kingdom of the Scots 3
    Kingdom of the Scots 3 - Beta 3.2
    Kingdom of the Scots 3 Beta 3.1
    LimeWire 5.5.10
    Malwarebytes' Anti-Malware
    mCore
    Medieval II Total War
    Medieval II Total War : Kingdoms : Americas
    Medieval II Total War : Kingdoms : Britannia
    Medieval II Total War : Kingdoms : Crusades
    Medieval II Total War : Kingdoms : Teutonic
    Medieval Total War
    mHelp
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Works
    Microsoft XML Parser
    mMHouse
    Move Media Player
    Mozilla Firefox (3.6.13)
    mPfMgr
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    NVIDIA Drivers
    Octoshape add-in for Adobe Flash Player
    OGA Notifier 2.0.0048.0
    oggcodecs 0.71.0946
    Panzer General 2
    PowerISO
    QuickTime
    Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
    Realtek High Definition Audio Driver
    Reconquista
    Rome - Total War(TM)
    Rusichi TW 1.0
    Rusichi_TW_patch_1_1_Eng
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Sid Meier's Pirates!
    Skype™ 5.1
    Steam
    SupportSoft Assisted Service
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    Third Age - Total War 1.0 Part1
    Third Age - Total War 1.0 Part2
    Third Age - Total War 2.0 (Part1of2)
    Third Age - Total War 2.0 (Part2of2)
    Third Age - Total War Patch 1.1
    Third Age - Total War Patch 1.2
    Third Age - Total War Patch 1.3
    Third Age - Total War Patch 1.4
    TIPCI
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Flash Cards Support Utility
    TOSHIBA Game Console
    TOSHIBA Hardware Setup
    TOSHIBA Media Center Game Console
    TOSHIBA Music
    Toshiba Registration
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Modem
    TOSHIBA Software Upgrades
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Utility Common Driver
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows Media Encoder 9 Series
    WinRAR archiver
    Xvid 1.2.2 final uninstall
    .
    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Welcome aboard

    I strongly suspect your AVG findings are false positives.
    Unfortunately, this is the latest issue with AVG.
    For instance, mqrrnsrp.exe is nothing else but renamed GMER, as you can see here:

    I don't see anything malicious in your logs, but let's run a couple of checks...

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. iti0

    iti0 TS Rookie Topic Starter

    Wow, so uninstalling AVG was a major pain...

    Anyway, here is the combofix log:

    ComboFix 11-03-22.04 - User 03/22/2011 17:09:24.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1300 [GMT -7:00]
    Running from: c:\users\User\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
    c:\users\User\AppData\Roaming\ACD Systems\ACDSee\ImageDB.ddf
    .
    ----- BITS: Possible infected sites -----
    .
    hxxp://au.download.windowsupdate.com
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-23 00:26 . 2011-03-23 00:50 -------- d-----w- c:\users\User\AppData\Local\temp
    2011-03-23 00:26 . 2011-03-23 00:26 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-22 20:42 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-22 20:42 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-22 20:42 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-22 20:16 . 2011-02-23 17:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C6BEA7BF-0214-4908-9744-ADB0E4A9957E}\mpengine.dll
    2011-03-16 02:30 . 2011-03-16 02:30 -------- d-----w- c:\users\User\AppData\Local\My Games
    2011-03-16 00:33 . 2011-03-22 00:53 -------- d-----w- c:\program files\Common Files\Steam
    2011-03-16 00:26 . 2009-09-05 00:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
    2011-03-16 00:26 . 2009-09-05 00:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
    2011-03-16 00:26 . 2009-09-05 00:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
    2011-03-16 00:26 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
    2011-03-16 00:26 . 2009-09-05 00:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
    2011-03-16 00:26 . 2009-09-05 00:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
    2011-03-16 00:26 . 2009-09-05 00:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
    2011-03-16 00:26 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
    2011-03-16 00:26 . 2009-03-09 22:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
    2011-03-16 00:26 . 2009-03-09 22:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
    2011-03-16 00:24 . 2008-05-30 21:19 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
    2011-03-16 00:24 . 2008-05-30 21:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
    2011-03-16 00:24 . 2008-05-30 21:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
    2011-03-16 00:24 . 2008-05-30 21:17 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
    2011-03-16 00:24 . 2008-05-30 21:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
    2011-03-16 00:24 . 2008-05-30 21:11 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
    2011-03-16 00:24 . 2008-05-30 21:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
    2011-03-09 19:22 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 19:22 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 19:22 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-09 19:22 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-09 19:22 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-09 19:22 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-02 16:56 . 2011-03-02 16:56 -------- d-----w- c:\program files\Common Files\Skype
    2011-03-02 16:56 . 2011-03-02 16:56 -------- d-----r- c:\program files\Skype
    2011-02-24 17:29 . 2011-03-01 19:37 -------- d-----w- c:\users\User\AppData\Roaming\IObit
    2011-02-24 17:29 . 2011-02-24 17:29 -------- d-----w- c:\program files\IObit
    2011-02-23 18:08 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-23 18:07 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-23 18:07 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-23 18:07 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-23 18:07 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
    2011-02-23 18:07 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
    2011-02-23 18:07 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
    2011-02-23 18:07 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
    2011-02-23 18:07 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
    2011-02-23 18:07 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
    2011-02-23 18:07 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
    2011-02-23 18:07 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
    2011-02-23 18:06 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
    2011-02-23 18:06 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
    2011-02-23 18:06 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
    2011-02-23 18:06 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
    2011-02-23 18:06 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
    2011-02-23 18:06 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
    2011-02-23 18:06 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-03 01:11 . 2009-10-03 01:54 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:37 . 2011-02-10 17:05 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-10 17:05 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-10 17:05 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-10 17:05 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-10 17:05 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:08 . 2011-02-10 17:05 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:07 . 2011-02-10 17:05 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-10 17:05 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-10 17:05 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-10 17:05 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-10 17:05 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-10 17:05 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-10 17:05 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-10 17:05 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-10 17:05 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-10 17:05 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-10 17:05 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-10 17:05 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-10 17:05 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-10 17:05 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-10 17:05 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-10 17:05 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-10 17:05 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-10 17:05 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-10 17:05 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-08 08:47 . 2011-02-10 16:58 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28 . 2011-02-10 16:58 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57 . 2011-02-10 17:05 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55 . 2011-01-12 17:09 413696 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-27 01:38 . 2011-01-21 01:29 21896 ----a-w- c:\windows\system32\drivers\eufs.sys
    2010-12-27 01:38 . 2011-01-21 01:29 15240 ----a-w- c:\windows\system32\drivers\eudskacs.sys
    2010-12-27 01:38 . 2011-01-21 01:29 31112 ----a-w- c:\windows\system32\drivers\eubakup.sys
    2010-12-27 01:38 . 2011-01-21 01:29 188296 ----a-w- c:\windows\system32\drivers\EuDisk.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
    @="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
    [HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
    2010-06-10 06:16 155416 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk1_Complete]
    @="{78061A12-1E91-4446-8B65-8ED2FF328D4A}"
    [HKEY_CLASSES_ROOT\CLSID\{78061A12-1E91-4446-8B65-8ED2FF328D4A}]
    2010-09-24 19:07 819200 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk2_InProgress]
    @="{700AD13D-E86F-41C9-9A8F-39B4C438806F}"
    [HKEY_CLASSES_ROOT\CLSID\{700AD13D-E86F-41C9-9A8F-39B4C438806F}]
    2010-09-24 19:07 819200 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk3_Conflicted]
    @="{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}"
    [HKEY_CLASSES_ROOT\CLSID\{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}]
    2010-09-24 19:07 819200 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
    "SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
    "KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-31 1862144]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 4472832]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
    R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\BB95.tmp [x]
    R3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2010-06-10 267208]
    S2 JungleDiskService;JungleDiskService;c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2010-09-24 7199232]
    S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.toshibadirect.com/dpdstart
    IE: Download Using &BitSpirit - c:\program files\BitSpirit\bsurl.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: ÓñÈÌؾ«ÁéÏÂÔØ(&B)
    FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\1wsigcw9.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\User\AppData\Roaming\Move Networks
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
    WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
    HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-HSON - %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 17:49
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\BB95.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(824)
    c:\windows\system32\CbFsMntNtf3.dll
    c:\windows\system32\CbFsNetRdr3.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\toshiba\IVP\ISM\pinger.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\toshiba\IVP\swupdate\swupdtmr.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Toshiba\Power Saver\TPwrMain.exe
    c:\program files\Toshiba\SmoothView\SmoothView.exe
    c:\program files\Toshiba\FlashCards\TCrdMain.exe
    c:\windows\RtHDVCpl.exe
    c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    c:\windows\system32\sdclt.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-22 18:01:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-23 00:59
    .
    Pre-Run: 15,159,152,640 bytes free
    Post-Run: 15,177,830,400 bytes free
    .
    - - End Of File - - CA5BD5C9F65610142EAC0C7035783600
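Reading a ComboFix log like the one above by hand comes down to scanning a few sections for the same patterns: service or driver entries whose image is missing ([x]) or is a .tmp file, executables created under a temp directory, Run values that are bare file names resolved through PATH, and any AppInit_DLLs entry. This is an added Python example, not ComboFix's or the thread's own code; the sample lines are copied from the log above except the one marked constructed, and every hit is a lead for manual review rather than a verdict.

```python
"""Triage helper for ComboFix log lines (added example, not ComboFix's own code)."""
import re
from pathlib import PureWindowsPath

# "Files Created" entries: created . modified size attrs path ("--------" size = directory)
FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (-+|\d+) (\S+) (.+)$")
# Service/driver lines: "R3 Name;Display;path [date size]", or "[x]" when the file is missing
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: \[(.+)\])?$")
# Run values: "Name"="target" [date size]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[.+\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.+)$')
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".tmp"}
TEMP_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def in_temp(path):
    """True when the path sits in a user or system temp directory."""
    return any(h in path.lower() for h in TEMP_HINTS)

def triage(lines):
    """Return (reason, line) leads for review; not verdicts (leftover AV drivers also show as [x] or .tmp)."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            size, path = m.group(3), m.group(5)
            ext = PureWindowsPath(path).suffix.lower()
            if size.isdigit() and ext in EXEC_EXT and in_temp(path):
                findings.append(("executable created in a temp directory", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path, tag = m.group(4), m.group(5)
            if PureWindowsPath(path).suffix.lower() == ".tmp" or in_temp(path):
                findings.append(("service image is a .tmp or temp file", line))
            elif tag == "x":
                findings.append(("service image file is missing", line))
            continue
        m = RUN_RE.match(line)
        if m:
            target = m.group(2)
            if "\\" not in target:
                findings.append(("Run value is a bare file name (resolved via PATH)", line))
            elif in_temp(target):
                findings.append(("Run value starts a program from temp", line))
            continue
        if APPINIT_RE.match(line):
            findings.append(("AppInit_DLLs set: DLL loaded into every GUI process", line))
    return findings

# Sample: lines copied from the log above, plus one constructed temp .sys entry.
SAMPLE = [
    r"2011-03-23 00:26 . 2011-03-23 00:50 -------- d-----w- c:\users\User\AppData\Local\temp",
    r"2011-03-22 20:42 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll",
    r"2011-03-19 13:30 . 2011-03-19 13:30 24576 ----a-w- c:\users\User\AppData\Local\Temp\example_dropper.sys",
    r'"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]',
    r'"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 4472832]',
    r'"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll',
    r"R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]",
    r"R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\BB95.tmp [x]",
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE):
        print(f"{reason}: {line}")
```

On the sample, the two benign entries (DWrite.dll in system32, SynTPEnh with a full path) produce no hit, while the [x] driver, the .tmp service image, the bare-name Run value, the AppInit DLL and the constructed temp .sys are each listed for review.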
     
  4. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Looks clean.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  5. iti0

    iti0 TS Rookie Topic Starter

    Thanks.
    There is no log as Eset didn't find anything
     
  6. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    You're clean.
    There is nothing there.
     
Topic Status:
Not open for further replies.
