
Virtumonde, Bulletproof!


23 replies to this topic

#1 Madsparrow (Members, 13 posts)

Posted 11 January 2010 - 05:36 PM

Hi All
I have spent the weekend trying to remove Virtumonde from my Acer PC but to no avail. Tried Spybot, VundoFix, Malware blaster, Safe Mode too - nowt. This thing is like the star of the 1978 film 'Alien'!

Thanks in anticipation


DDS (Ver_09-12-01.01) - NTFSx86
Run by MaRk at 22:02:48.37 on 11/01/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.340 [GMT 0:00]

FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\MicroNEXT\MN-WD542T Wireless Utility\ZDWlan.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\O2\agent\bin\bcont.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MaRk\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AGSearchHook Class: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - c:\program files\agi\common\agcutils.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: : {0bc2ab55-12fe-4336-8088-2fce83068c2d} - c:\windows\system32\atraces.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2663BCFC-7A27-4F15-A611-659CC95BEB4C} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5177364F-F2D3-499E-9F91-DE4C15381283} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6FFFDA11-559E-4533-B0A0-80886C8B1D4F} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: {c839f003-ec27-4ca5-ae03-48b5a4fb2484} - c:\windows\system32\authzq.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CES_V4]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mn-wd5~1.lnk - c:\program files\micronext\mn-wd542t wireless utility\ZDWlan.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4}
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16}
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC}
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file://c:\program files\autocad lt 2000i\AcDcToday.ocx
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-9191e7016e841229.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE}
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://c:\program files\autocad lt 2000i\InstFred.ocx
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://cid-4c76422c0422c8fd.skydrive.live.com/Microsoft.Live.Folders.RichUpload.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://c:\program files\autocad lt 2000i\AcPreview.ocx
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: khfecdc - khfecdc.dll
Notify: xsxpopfn - atraces.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\njzchey5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.metcheck.com/V40/UK/FREE/7days.asp?zipcode=L23|https://www.zurichcorporatepensions.co.uk/asp/zwlogin.asp|http://uk.finance.yahoo.com/q/bc?s=%5EFTSE&t=1d&l=on&z=m&q=l&c=|http://webfund6.financialexpress.net/clients/royallondon/perfChart.aspx?UnitCode=AQM&FundType=LF|http://www.timesonline.co.uk/tol/news/|http://stores.shop.ebay.co.uk/cybox-exhausts_Alfa-Romeo--Exhausts_W0QQLHQ5fSellerWithStoreZ1QQLHQ5fTitleDescZ1QQ_fsubZ2QQ_sasiZ1QQ_sidZ163064708QQ_trksidZp4634Q2ec0Q2em322
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&sc=2&f=web&vernum=1.0&uid=&did=f8d4a70c-98e2-4081-901d-01bf93043ede&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 cqegybhz;cqegybhz;c:\windows\system32\drivers\cqegybhz.sys [2004-8-10 23424]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-11-19 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-11-19 334568]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-7 54752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-11-19 967912]
R3 ZD1211BU(MicroNEXT);MN-WD542T Wireless USB Adapter Driver(MicroNEXT);c:\windows\system32\drivers\ZD1211BU.sys [2005-10-28 500736]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2005-6-9 20608]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [2005-2-24 162176]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\capt930b.sys --> c:\windows\system32\drivers\Capt930b.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-7-5 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-7-5 85696]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2005-10-28 500736]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]

=============== Created Last 30 ================

2010-01-10 23:56:29 0 d-----w- c:\program files\CES V4 Chameleon
2010-01-10 23:26:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-10 23:26:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-10 21:56:55 24576 ----a-w- c:\windows\system32\VundoFixSVC.exe
2010-01-10 21:31:45 0 d-----w- C:\VundoFix Backups
2010-01-10 17:35:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 00:17:46 0 d-----w- c:\program files\BlueSquare Poker
2010-01-03 21:31:08 0 d-----w- c:\program files\HP
2009-12-27 17:17:53 5869568 ----a-r- C:\EBUB5.DLL
2009-12-27 17:17:27 778240 ------w- C:\EBUB3.EXE
2009-12-21 00:04:19 3255 ----a-w- c:\windows\system32\wbem\Outlook_01ca81d12457fe98.mof
2009-12-19 16:43:25 29869659 ----a-w- c:\documents and settings\mark\191209-3.doc
2009-12-19 12:34:09 0 d-----w- c:\program files\MSECache

==================== Find3M ====================

2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2008-05-28 19:51:21 2671704 ----a-w- c:\program files\RegSupremePro_setup.exe
2007-02-27 23:02:53 316642 ----a-w- c:\program files\TRIPEAKS.zip
2007-02-17 16:47:10 251656 ----a-w- c:\program files\jre-1_5_0_11-windows-i586-p-iftw.exe
2007-01-06 23:28:20 4033792 ----a-w- c:\program files\channel4_on_demand.exe
2006-12-28 23:54:04 15001752 ----a-w- c:\program files\GoogleEarthWin.exe
1999-08-13 06:00:00 4820 ----a-w- c:\program files\CAMUNWISE.INI
2007-11-05 16:10:04 88 --sha-w- c:\windows\system32\005227F68E.sys
2007-11-05 16:10:58 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 22:03:33.27 ===============
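The log above is what a helper reads by hand: which BHO, Winlogon Notify and driver lines deserve attention before anything is touched. As an added illustration (not DDS, not a BleepingComputer tool, and not anything posted in this thread), here is a small Python triage script that applies the same first-pass rules to those lines. The regexes, the "random-looking name" heuristic, the severity levels and the wording of each finding are my own assumptions; the sample input is a subset of lines copied from the DDS log above, with the keyword.URL value shortened.

```python
"""Triage of a DDS 'Pseudo HJT Report' plus its SERVICES/DRIVERS lines.

Added illustration only: not DDS, not a BleepingComputer tool, not code from
this thread. The name heuristic and severity levels are assumptions of mine;
the output is a list of leads for a human to confirm, not a verdict."""
import re

# Constructed sample: lines copied from the DDS log posted above
# (the keyword.URL value is shortened).
SAMPLE_LOG = r"""
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: : {0bc2ab55-12fe-4336-8088-2fce83068c2d} - c:\windows\system32\atraces.dll
BHO: {2663BCFC-7A27-4F15-A611-659CC95BEB4C} - No File
BHO: {c839f003-ec27-4ca5-ae03-48b5a4fb2484} - c:\windows\system32\authzq.dll
TB: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
Notify: khfecdc - khfecdc.dll
Notify: xsxpopfn - atraces.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&q=
FF - prefs.js: network.proxy.type - 4
R0 cqegybhz;cqegybhz;c:\windows\system32\drivers\cqegybhz.sys [2004-8-10 23424]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-11-19 58984]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-7 54752]
R3 ZD1211BU(MicroNEXT);MN-WD542T Wireless USB Adapter Driver(MicroNEXT);c:\windows\system32\drivers\ZD1211BU.sys [2005-10-28 500736]
"""

# Line shapes as DDS prints them (assumed from the log above).
BHO_RE = re.compile(r"^(?P<kind>BHO|TB):\s*(?P<name>[^{:]*?)\s*:?\s*(?P<guid>\{[^}]+\})\s*-\s*(?P<path>.+?)\s*$")
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<name>\S+)\s*-\s*(?P<dll>\S+)\s*$")
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+?)(?:\s+\[[^\]]*\])?\s*$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<pref>\S+)\s*-\s*(?P<value>.+?)\s*$")
SYSTEM32 = "c:\\windows\\system32\\"
RANK = {"high": 0, "medium": 1, "low": 2}


def looks_random(name):
    """Heuristic for generated names such as 'cqegybhz': 6-9 lowercase letters
    with a vowel share under 30% or a run of four non-vowels. A lead, not proof:
    legitimate short names (e.g. the filter driver 'fssfltr') also trip it."""
    if not (6 <= len(name) <= 9 and name.isalpha() and name.islower()):
        return False
    vowel_share = sum(c in "aeiou" for c in name) / len(name)
    return vowel_share < 0.3 or re.search(r"[^aeiou]{4}", name) is not None


def triage(log_text):
    """Return findings [{'severity', 'item', 'reason'}], highest severity first."""
    out = []

    def add(sev, line, why):
        out.append({"severity": sev, "item": line, "reason": why})

    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            path = m.group("path").lower()
            module = path.rsplit("\\", 1)[-1]
            if path == "no file":
                add("low", line, "orphaned %s CLSID: DLL no longer on disk, safe to remove" % m.group("kind"))
            elif path.startswith(SYSTEM32) and (not m.group("name") or looks_random(module.split(".")[0])):
                add("high", line, "unnamed/random-named %s loading %s from system32" % (m.group("kind"), module))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            sev = "high" if looks_random(m.group("name")) else "medium"
            add(sev, line, "Winlogon Notify package loads %s into winlogon.exe at logon (loads in Safe Mode too)" % m.group("dll"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            svc = m.group("svc")
            if looks_random(svc):
                sev = "high" if m.group("start") == "R0" else "medium"
                add(sev, line, "%s-start driver with random-looking service name %r (rootkit pattern)" % (m.group("start"), svc))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            pref, value = m.group("pref"), m.group("value")
            if pref == "keyword.URL":
                add("medium", line, "Firefox address-bar searches redirected to " + value.split("/?")[0])
            elif pref == "network.proxy.type" and value == "4":
                add("low", line, "Firefox proxy auto-detect (WPAD) enabled: confirm no rogue proxy is served")
    out.sort(key=lambda f: RANK[f["severity"]])  # stable sort: log order kept within a level
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (f["severity"], f["reason"], f["item"]))
```

On the sample it ranks the nameless BHOs in system32 (atraces.dll, authzq.dll), both Winlogon Notify packages and the R0 driver cqegybhz as high, and Avira's report later in the thread does flag exactly those files plus a hidden registry key for the cqegybhz service. It also puts the fssfltr driver (Windows Live Family Safety's own filter, listed in the same log) in the medium bucket, which is why the output is a to-check list for the helper and never an automatic delete list.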

#2 SifuMike (malware expert; Members, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 16 January 2010 - 09:38 PM

Hi Madsparrow,

I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first.

I notice that you never scanned with an antivirus before starting this thread - because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one!

Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus!

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because otherwise it makes no sense for us to clean this up manually when no antivirus is present; one should be able to deal with most of it and prevent further reinfection.

Edited by SifuMike, 16 January 2010 - 09:39 PM.


#3 Madsparrow (Topic Starter; Members, 13 posts)

Posted 17 January 2010 - 06:50 PM

Hi Mike
I've gone down the Avira route and enclose the Avira report file.
I also created a new HijackThis request at
http://www.bleepingcomputer.com/forums/top...ml#entry1586881
Cheers
Mark






Avira AntiVir Personal
Report file date: 17 January 2010 15:04

Scanning for 1265407 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ACER-511EBA12DF

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 11:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:35:52
VBASE001.VDF : 7.10.0.1 2048 Bytes 11/6/2009 07:35:56
VBASE002.VDF : 7.10.0.2 2048 Bytes 11/6/2009 07:35:58
VBASE003.VDF : 7.10.0.3 2048 Bytes 11/6/2009 07:36:02
VBASE004.VDF : 7.10.0.4 2048 Bytes 11/6/2009 07:36:04
VBASE005.VDF : 7.10.0.5 2048 Bytes 11/6/2009 07:36:08
VBASE006.VDF : 7.10.0.6 2048 Bytes 11/6/2009 07:36:12
VBASE007.VDF : 7.10.0.7 2048 Bytes 11/6/2009 07:36:16
VBASE008.VDF : 7.10.0.8 2048 Bytes 11/6/2009 07:36:18
VBASE009.VDF : 7.10.0.9 2048 Bytes 11/6/2009 07:36:22
VBASE010.VDF : 7.10.0.10 2048 Bytes 11/6/2009 07:36:30
VBASE011.VDF : 7.10.0.11 2048 Bytes 11/6/2009 07:36:34
VBASE012.VDF : 7.10.0.12 2048 Bytes 11/6/2009 07:36:38
VBASE013.VDF : 7.10.0.13 2048 Bytes 11/6/2009 07:36:40
VBASE014.VDF : 7.10.0.14 2048 Bytes 11/6/2009 07:36:44
VBASE015.VDF : 7.10.0.15 2048 Bytes 11/6/2009 07:36:46
VBASE016.VDF : 7.10.0.16 2048 Bytes 11/6/2009 07:36:48
VBASE017.VDF : 7.10.0.17 2048 Bytes 11/6/2009 07:36:50
VBASE018.VDF : 7.10.0.18 2048 Bytes 11/6/2009 07:36:54
VBASE019.VDF : 7.10.0.19 2048 Bytes 11/6/2009 07:36:56
VBASE020.VDF : 7.10.0.20 2048 Bytes 11/6/2009 07:36:58
VBASE021.VDF : 7.10.0.21 2048 Bytes 11/6/2009 07:37:00
VBASE022.VDF : 7.10.0.22 2048 Bytes 11/6/2009 07:37:04
VBASE023.VDF : 7.10.0.23 2048 Bytes 11/6/2009 07:37:06
VBASE024.VDF : 7.10.0.24 2048 Bytes 11/6/2009 07:37:10
VBASE025.VDF : 7.10.0.25 2048 Bytes 11/6/2009 07:37:12
VBASE026.VDF : 7.10.0.26 2048 Bytes 11/6/2009 07:37:14
VBASE027.VDF : 7.10.0.27 2048 Bytes 11/6/2009 07:37:16
VBASE028.VDF : 7.10.0.28 2048 Bytes 11/6/2009 07:37:18
VBASE029.VDF : 7.10.0.29 2048 Bytes 11/6/2009 07:37:20
VBASE030.VDF : 7.10.0.30 2048 Bytes 11/6/2009 07:37:22
VBASE031.VDF : 7.10.0.33 2048 Bytes 11/6/2009 07:37:24
Engineversion : 8.2.1.59
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 07:38:52
AESCRIPT.DLL : 8.1.2.43 528764 Bytes 11/8/2009 07:38:48
AESCN.DLL : 8.1.2.5 127346 Bytes 11/8/2009 07:38:46
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 07:38:44
AERDL.DLL : 8.1.3.2 479604 Bytes 11/8/2009 07:38:42
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 07:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 07:38:38
AEHEUR.DLL : 8.1.0.178 2093431 Bytes 11/8/2009 07:38:34
AEHELP.DLL : 8.1.7.0 237940 Bytes 11/8/2009 07:38:30
AEGEN.DLL : 8.1.1.71 364916 Bytes 11/8/2009 07:38:28
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 07:38:26
AECORE.DLL : 8.1.8.2 184694 Bytes 11/8/2009 07:38:24
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 07:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 15:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 12:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 17 January 2010 15:04

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cqegybhz\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123
[INFO] The registry entry is invisible.
'80610' objects were checked, '1' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'cidaemon.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'ZDWlan.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'RapportService.exe' - '0' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RapportMgmtService.exe' - '0' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'cisvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
35 processes with 35 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
C:\WINDOWS\system32\atraces.dll
[DETECTION] Is the TR/Trash.Gen Trojan

The registry was scanned ( '69' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27535874.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27535874.exe
[DETECTION] Is the TR/StartPage.WD.1 Trojan
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\Preview-T-2550591-connis francis - best track ever.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\Preview-T-3877632-alexandra burke - hallelujah.mp3
[DETECTION] Is the TR/Dldr.WMA.Wimad.N Trojan
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\Preview-T-4223976-halleluja lennord cohen CD quality.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\T-1010769-gabrielle clime.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\T-3877632-alexandra burke - hallelujah.mp3
[DETECTION] Is the TR/Dldr.WMA.Wimad.N Trojan
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\T-4223976-halleluja lennord cohen CD quality.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\T-5223633-rosemary clooney [new single].au
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\My Music\connis francis - best track ever.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\My Music\halleluja lennord cohen.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\My Music\welcome to my world (256k 44800).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\FIXER\Local Settings\Temp\mmriaaym.dat
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Documents and Settings\MaRk\Desktop\FROM LAPTOP\EVON610C\My Own Docs\Software\crack\regmech.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\VundoFix Backups\smqaujtf.dll.bad
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\atraces.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\atraces.dll.bak
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\WINDOWS\system32\authzq.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\lrvbrgv.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\smqaujtf.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\drivers\bywafhpq.dat
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\WINDOWS\system32\drivers\cqegybhz.dat
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\WINDOWS\system32\drivers\yfyxvpim.dat
[DETECTION] Is the TR/Rootkit.Gen Trojan
Begin scan in 'D:\'
D:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.

Beginning disinfection:
C:\WINDOWS\system32\atraces.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4bc53757.qua'!
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27535874.exe
[NOTE] The file was moved to '4b88371b.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\Preview-T-2550591-connis francis - best track ever.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
[NOTE] The file was moved to '4bb83756.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\Preview-T-3877632-alexandra burke - hallelujah.mp3
[DETECTION] Is the TR/Dldr.WMA.Wimad.N Trojan
[NOTE] The file was moved to '4a3c001f.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\Preview-T-4223976-halleluja lennord cohen CD quality.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '49754917.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\T-1010769-gabrielle clime.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4b843711.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\T-3877632-alexandra burke - hallelujah.mp3
[DETECTION] Is the TR/Dldr.WMA.Wimad.N Trojan
[NOTE] The file was moved to '4b863711.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\T-4223976-halleluja lennord cohen CD quality.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4b873712.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\Incomplete\T-5223633-rosemary clooney [new single].au
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4b883712.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\My Music\connis francis - best track ever.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan
[NOTE] The file was moved to '4bc13754.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\My Music\halleluja lennord cohen.mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4bbf3747.qua'!
C:\Documents and Settings\Carol.ACER-511EBA12DF\My Documents\My Music\welcome to my world (256k 44800).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was moved to '4bbf374b.qua'!
C:\Documents and Settings\FIXER\Local Settings\Temp\mmriaaym.dat
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4bc53754.qua'!
C:\Documents and Settings\MaRk\Desktop\FROM LAPTOP\EVON610C\My Own Docs\Software\crack\regmech.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4bba3759.qua'!
C:\VundoFix Backups\smqaujtf.dll.bad
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4bc43761.qua'!
C:\WINDOWS\system32\atraces.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4bc53769.qua'!
C:\WINDOWS\system32\atraces.dll.bak
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4bc5376f.qua'!
C:\WINDOWS\system32\authzq.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '49250a32.qua'!
C:\WINDOWS\system32\lrvbrgv.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[WARNING] The file could not be marked for deleting after reboot. Error description: Access is denied.

C:\WINDOWS\system32\smqaujtf.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '486cb7cf.qua'!
C:\WINDOWS\system32\drivers\bywafhpq.dat
[DETECTION] Is the TR/Rootkit.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4bca3794.qua'!
C:\WINDOWS\system32\drivers\cqegybhz.dat
[DETECTION] Is the TR/Rootkit.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4bb8378c.qua'!
C:\WINDOWS\system32\drivers\yfyxvpim.dat
[DETECTION] Is the TR/Rootkit.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4bcc3781.qua'!


End of the scan: 17 January 2010 16:13
Used time: 59:31 Minute(s)

The scan has been done completely.

13466 Scanned directories
496769 Files were scanned
23 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
22 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
496743 Files not concerned
12004 Archives were scanned
13 Warnings
26 Notes
80610 Objects were scanned with rootkit scan
1 Hidden objects were found

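The Avira report above ends with "23 Viruses and/or unwanted programs were found" but only "22 Files were moved to quarantine", and the entry that accounts for the gap (lrvbrgv.dll, where even the ARK library got "Access is denied") is easy to miss in a long log. The following parser is an added example, not code from the thread or from Avira: it groups the [DETECTION]/[WARNING]/[NOTE] lines under each file path and reports which detections reached quarantine, which were invisible to the ordinary file API (ErrorID 26004, "The source file could not be found") and only reachable through Avira's anti-rootkit (ARK) path, and which failed outright. The sample excerpt is three entries copied from the report in the thread; the function and property names are this example's own.

```python
"""Triage an Avira AntiVir scan report (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # a finding starts with a drive path
QUARANTINE_RE = re.compile(r"was moved to '([^']+\.qua)'")


@dataclass
class Finding:
    path: str
    detection: str = ""
    warnings: list = field(default_factory=list)
    notes: list = field(default_factory=list)

    @property
    def quarantine_file(self):
        """Name of the .qua file the scanner moved this finding to, if any."""
        for note in self.notes:
            m = QUARANTINE_RE.search(note)
            if m:
                return m.group(1)
        return None

    @property
    def quarantined(self) -> bool:
        return self.quarantine_file is not None

    @property
    def hidden_from_file_api(self) -> bool:
        # ErrorID 26004: the normal delete failed because the file could not be
        # found by the file API; only the ARK (anti-rootkit) path could act on it.
        return any("26004" in w for w in self.warnings)

    @property
    def used_ark(self) -> bool:
        return any("ARK library" in n for n in self.notes)


def parse_avira_report(text: str) -> list:
    """Group the report's tag lines under the file path that precedes them."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = Finding(path=line)
            findings.append(current)
        elif current is None:
            continue                                   # header lines before the first path
        elif line.startswith("[DETECTION]"):
            current.detection = line[len("[DETECTION]"):].strip()
        elif line.startswith("[WARNING]"):
            current.warnings.append(line[len("[WARNING]"):].strip())
        elif line.startswith("[NOTE]"):
            current.notes.append(line[len("[NOTE]"):].strip())
    return findings


def unresolved(findings) -> list:
    """Paths the scanner detected but could not move to quarantine."""
    return [f.path for f in findings if not f.quarantined]


def hidden(findings) -> list:
    """Paths that the ordinary file API could not see (rootkit-style hiding)."""
    return [f.path for f in findings if f.hidden_from_file_api]


# Excerpt copied from the report posted in the thread (three entries).
SAMPLE = r"""
C:\WINDOWS\system32\authzq.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '49250a32.qua'!
C:\WINDOWS\system32\lrvbrgv.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[WARNING] The file could not be marked for deleting after reboot. Error description: Access is denied.

C:\WINDOWS\system32\drivers\bywafhpq.dat
[DETECTION] Is the TR/Rootkit.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4bca3794.qua'!
"""

if __name__ == "__main__":
    fs = parse_avira_report(SAMPLE)
    for f in fs:
        state = f"quarantined as {f.quarantine_file}" if f.quarantined else "NOT quarantined"
        flag = " (hidden from file API, needed ARK)" if f.hidden_from_file_api else ""
        print(f"{f.path}: {f.detection} -> {state}{flag}")
    print("still on disk:", unresolved(fs))
```

Run against the full report, `unresolved()` is the list a helper would chase next: a detected file that neither the file API nor the anti-rootkit path could remove is still on the machine, and the 26004 entries that did get quarantined show the scanner was dealing with hidden files, which is why the next step in the thread is a dedicated rootkit scan.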
#4 SifuMike

SifuMike
    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 January 2010 - 07:13 PM

Hi Madsparrow,

QUOTE
I also created a new Hijack This request at
http://www.bleepingcomputer.com/forums/top...ml#entry1586881


DO NOT open multiple posts!
I closed the above post.
Post only to this thread.

**********************


Please do the following.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and paste the content of the following codebox into the main textfield under "File":
    CODE
    :dir
    %programfiles% /n*crack*
    %userprofile%\My Documents /s /n*crack*
    :filefind
    *keygen*
    *crack*
  • Please confirm everything is copied and pasted exactly as provided above.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


**********************


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************


We need to scan for Rootkits with GMER
  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Close any and all open programs, as this process may crash your computer.
  3. Double click the downloaded file on your desktop.
  4. Allow the gmer.sys driver to load if asked.
  5. You may see a window asking whether you want to fully scan your system. If you do, click No.
  6. Click Scan and wait for the scan to finish.
  7. If you see a rootkit warning window, click OK.
  8. Push Save and save the logfile to your desktop.
  9. Copy and Paste the contents of that file in your next post.


**********************

Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan" and post the log.

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 17 January 2010 - 09:41 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Madsparrow

Madsparrow
  • Topic Starter
  • Members
  • 13 posts

Posted 18 January 2010 - 03:51 AM

OK Thanks Mike, I misunderstood the posting protocol.
Here's the SystemLook text:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:25 on 18/01/2010 by MaRk (Administrator - Elevation successful)

========== dir ==========

C:\Program Files - Parameters: "/n*crack* "

---Files---
None found.

---Folders---
ABBYY FineReader 8.0 Professional Edition d----- [14:11 28/09/2008]
Acer WLAN 11g USB Dongle d----- [21:05 11/08/2006]
Adobe d----- [21:03 11/08/2006]
AutoCAD LT 2000i d----- [11:12 15/02/2007]
AVG d----- [10:12 13/04/2007]
AVIRA d----- [14:40 17/01/2010]
Axis Communications d----- [21:23 22/04/2007]
Balwarebytes' Anti-Malware d----- [23:18 27/11/2009]
BearShare Applications d----- [22:57 17/02/2007]
Belarc d----- [08:10 26/12/2006]
BlueSquare Poker d----- [00:17 10/01/2010]
blueyonder d----- [07:57 26/12/2006]
Bonjour d----- [14:16 30/04/2008]
Broderbund d----- [20:13 25/09/2007]
CCLEANER d----- [21:34 01/07/2007]
CES V4 Chameleon d----- [23:56 10/01/2010]
Channel4 d----- [18:12 28/10/2007]
Common Files d----- [21:04 11/08/2006]
ComPlus Applications d----- [20:38 11/08/2006]
CS Project Pro v34 d----- [22:14 07/02/2009]
CyberLink d----- [21:05 11/08/2006]
DestinatorApps d----- [22:40 23/07/2007]
DIFX d----- [21:05 11/08/2006]
directx d----- [19:04 14/06/2007]
DivX d----- [19:57 09/02/2009]
Electronic Arts d----- [16:42 29/09/2007]
Empire Interactive d----- [15:22 07/08/2008]
EyetoyOnComputer Project d----- [21:37 02/11/2007]
Fiat d----- [11:30 27/10/2007]
GemMaster d----- [20:56 11/08/2006]
GIMP d----- [15:06 23/06/2007]
GIMP-2.0 d----- [15:21 23/06/2007]
Google d----- [23:54 28/12/2006]
Grisoft d----- [22:25 02/07/2008]
HP d----- [21:31 03/01/2010]
InstallShield Installation Information d--h-- [21:04 11/08/2006]
InterActual d----- [21:04 05/02/2007]
Internet Explorer d----- [20:54 11/08/2006]
iPod d----- [20:17 02/03/2007]
iTunes d----- [14:16 30/04/2008]
Jasc Image Robot d----- [20:03 09/11/2007]
Java d----- [21:06 25/12/2006]
Jawbreaker d----- [08:48 04/08/2007]
Kontiki d----- [15:18 30/07/2008]
LEGO Company d----- [10:03 29/09/2007]
Lexmark X1100 Series d----- [23:35 28/12/2006]
LG Electronics d----- [20:12 28/12/2007]
LGGSM d----- [20:11 28/12/2007]
LimeWire d----- [19:38 13/07/2008]
Malwarebytes' Anti-Malware d----- [17:35 10/01/2010]
Maxis d----- [16:24 29/05/2008]
Messenger d----- [20:43 11/08/2006]
Messenger Plus! Live d----- [21:46 13/09/2007]
MessengerPlus! 3 d----- [23:24 06/01/2007]
MicroNEXT d----- [16:14 23/01/2009]
Microsoft d----- [16:15 06/05/2007]
Microsoft ActiveSync d----- [22:29 28/12/2006]
microsoft frontpage d----- [20:40 11/08/2006]
Microsoft Games d----- [17:04 27/12/2006]
Microsoft Office d----- [22:28 28/12/2006]
Microsoft Office Outlook Connector d----- [14:41 07/11/2009]
Microsoft Silverlight d----- [21:15 08/05/2008]
Microsoft SQL Server Compact Edition d----- [14:40 07/11/2009]
Microsoft Works d----- [15:30 08/10/2007]
Microsoft.NET d----- [22:28 28/12/2006]
Motive d----- [07:55 26/12/2006]
Motorola d----- [22:07 17/03/2007]
Movie Maker d----- [20:39 11/08/2006]
Mozilla Firefox d----- [22:53 12/12/2007]
MSBuild d----- [00:27 08/12/2009]
MSECache d----- [12:34 19/12/2009]
MSN d----- [20:37 11/08/2006]
MSN Gaming Zone d----- [20:38 11/08/2006]
MSN Messenger d----- [19:22 07/05/2007]
MSXML 4.0 d----- [23:36 18/03/2007]
MSXML 6.0 d----- [17:16 12/06/2008]
NCH Swift Sound d----- [07:52 03/09/2007]
NetMeeting d----- [20:39 11/08/2006]
NewTech Infosystems d----- [21:04 11/08/2006]
Nokia d----- [17:06 12/06/2008]
O2 d----- [18:29 17/07/2009]
OBD-DIAG d----- [21:27 11/12/2009]
Oca History Tool d----- [20:48 11/08/2006]
Online Services d----- [20:39 11/08/2006]
Outlook Express d----- [20:49 11/08/2006]
Paint Shop Pro 6 d----- [16:59 03/12/2007]
PC Connectivity Solution d----- [17:07 12/06/2008]
Philips d----- [20:22 28/12/2007]
PhoTags Express d----- [10:36 12/07/2009]
Photoshop 6.0 Tryout d----- [21:53 20/06/2007]
ProcessExplorer d----- [09:58 13/07/2008]
Program Files d----- [12:04 30/06/2007]
QuickTime d----- [14:14 30/04/2008]
QuoteTracker d----- [21:56 17/03/2009]
Real d----- [22:24 23/06/2007]
Realtek d----- [20:52 11/08/2006]
Reference Assemblies d----- [00:27 08/12/2009]
Registry Mechanic d----- [19:17 04/07/2007]
RegSupreme d----- [22:01 29/06/2008]
Samsung d----- [20:02 12/02/2008]
Sony d----- [11:50 21/01/2007]
Sony Corporation d----- [11:54 21/01/2007]
Spybot - Search & Destroy d----- [21:55 03/07/2008]
Startup Inspector for Windows d----- [22:06 02/07/2008]
Sun d----- [22:17 09/12/2007]
Trend Micro d----- [13:19 13/12/2008]
TRIPEAKS d----- [23:03 27/02/2007]
Trust d----- [20:00 01/11/2007]
Trusteer d----- [11:05 18/04/2009]
TypingMaster dr---- [18:39 02/10/2007]
Ubi Soft d----- [19:02 14/06/2007]
Uninstall Information d--h-- [20:51 11/08/2006]
Virtual Earth 3D d----- [17:44 23/11/2007]
Vodafone PC Assistant d----- [18:55 20/05/2009]
Windows Live d----- [22:36 07/11/2008]
Windows Live SkyDrive d----- [14:36 07/11/2009]
Windows Live Toolbar d----- [17:07 23/02/2007]
Windows Media Connect 2 d----- [21:19 14/03/2007]
Windows Media Player d----- [20:59 11/08/2006]
Windows NT d----- [20:38 11/08/2006]
Windows Plus d----- [20:38 11/08/2006]
WindowsUpdate d--h-- [20:39 11/08/2006]
xerox d----- [20:40 11/08/2006]
Yahoo! d----- [14:39 28/02/2007]

C:\Documents and Settings\MaRk\My Documents - Parameters: "/s /n*crack*"

---Files---
None found.

C:\Documents and Settings\MaRk\My Documents\ALFA 156 d----- [17:45 02/09/2007]

C:\Documents and Settings\MaRk\My Documents\CAD d----- [17:44 02/09/2007]

C:\Documents and Settings\MaRk\My Documents\Computer Electronics d----- [22:04 02/07/2008]

C:\Documents and Settings\MaRk\My Documents\CyberLink d----- [14:04 28/12/2006]

C:\Documents and Settings\MaRk\My Documents\CyberLink\PowerDVD d----- [14:04 28/12/2006]

C:\Documents and Settings\MaRk\My Documents\Ext Data d----- [18:51 13/05/2009]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks d----- [07:25 29/07/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\040907 d----- [17:17 04/09/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\Cam52to55 d----- [21:08 20/08/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\Downloaded Cameras d----- [08:05 15/08/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\Downloaded CamerasALL d----- [09:05 15/08/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\New Folder d----- [17:32 20/12/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\OrmsForm_files d----- [18:27 05/08/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\SOUNDS d----- [12:41 02/09/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\SOUNDS\Originals d----- [19:23 01/10/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\SOUNDS\WAVEPAD d----- [06:51 03/09/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\SOUNDS\WAVEPAD\NCH Swift Sound d----- [07:00 03/09/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\SOUNDS\WAVEPAD\NCH Swift Sound\Components d----- [07:16 03/09/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\SOUNDS\WAVEPAD\NCH Swift Sound\Components\mp3el d----- [07:16 03/09/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\SOUNDS\WAVEPAD\NCH Swift Sound\Switch d----- [07:16 03/09/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\SOUNDS\WAVEPAD\NCH Swift Sound\Switch\Help d----- [07:16 03/09/2007]

C:\Documents and Settings\MaRk\My Documents\GPS Tracks\SOUNDS\WAVEPAD\NCH Swift Sound\WavePad d----- [07:00 03/09/2007]

C:\Documents and Settings\MaRk\My Documents\Limewire d----- [06:02 05/10/2007]

C:\Documents and Settings\MaRk\My Documents\Limewire\Incomplete d----- [21:36 16/08/2009]

C:\Documents and Settings\MaRk\My Documents\Limewire\Saved d----- [21:36 16/08/2009]

C:\Documents and Settings\MaRk\My Documents\Limewire\Shared d----- [19:21 13/07/2008]

C:\Documents and Settings\MaRk\My Documents\Limewire\Store Purchased d----- [19:21 13/07/2008]

C:\Documents and Settings\MaRk\My Documents\More Pictures d----- [21:09 03/07/2008]

C:\Documents and Settings\MaRk\My Documents\Morpheus Playlists d----- [20:56 04/10/2007]

C:\Documents and Settings\MaRk\My Documents\Morpheus Shared d----- [20:56 04/10/2007]

C:\Documents and Settings\MaRk\My Documents\Morpheus Shared\Downloads d----- [20:56 04/10/2007]

C:\Documents and Settings\MaRk\My Documents\Morpheus Shared\Downloads\.btdownloads d----- [09:39 03/11/2007]

C:\Documents and Settings\MaRk\My Documents\Morpheus Shared\Downloads\Partials d----- [20:56 04/10/2007]

C:\Documents and Settings\MaRk\My Documents\Morpheus Shared\Downloads\Torrents d----- [20:56 04/10/2007]

C:\Documents and Settings\MaRk\My Documents\Morpheus Shared\Podcasts d----- [20:56 04/10/2007]

C:\Documents and Settings\MaRk\My Documents\Morpheus Shared\Shared d--hs- [05:58 05/10/2007]

C:\Documents and Settings\MaRk\My Documents\My Albums d----- [20:22 26/06/2007]

C:\Documents and Settings\MaRk\My Documents\My Chat Logs d----- [16:33 17/02/2007]

C:\Documents and Settings\MaRk\My Documents\My Chat Logs\August 2007 d----- [20:44 01/09/2007]

C:\Documents and Settings\MaRk\My Documents\My Chat Logs\July 2007 d----- [18:28 05/08/2007]

C:\Documents and Settings\MaRk\My Documents\My Chat Logs\March 2007 d----- [20:26 04/04/2007]

C:\Documents and Settings\MaRk\My Documents\My Data Sources d---s- [18:52 13/05/2009]

C:\Documents and Settings\MaRk\My Documents\My Music dr---- [08:20 26/12/2006]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes d----- [23:23 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\Album Artwork d----- [23:23 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\Album Artwork\Local d----- [23:23 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\Album Artwork\Local\6A268BAD44A03785 d----- [23:24 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\Album Artwork\Local\6A268BAD44A03785\11 d----- [23:24 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\Album Artwork\Local\6A268BAD44A03785\11\11 d----- [23:24 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\Album Artwork\Local\6A268BAD44A03785\11\11\07 d----- [23:24 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\iTunes Music d----- [23:23 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\iTunes Music\Ludwig van Beethoven, composer. Seattle d----- [23:24 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\iTunes Music\Ludwig van Beethoven, composer. Seattle\Beethoven's Symphony No. 9 (Scherzo) d----- [23:24 23/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Music\iTunes\Previous iTunes Libraries d----- [21:48 16/08/2009]

C:\Documents and Settings\MaRk\My Documents\My Pictures dr---- [08:20 26/12/2006]

C:\Documents and Settings\MaRk\My Documents\My Pictures\103NIKON d----- [19:27 08/07/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\10ManorRoad d----- [09:18 13/05/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\130507 d----- [08:03 13/05/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\2007 d----- [19:24 08/06/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Adobe d----- [21:25 05/07/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Adobe\Digital Camera Photos d----- [21:25 05/07/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Adobe\Digital Camera Photos\2008-03-03-2242-47 d----- [22:43 03/03/2008]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Adobe\Outgoing E-mail Attachments d----- [21:25 05/07/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Adobe\Scanned Photos d----- [21:25 05/07/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Alfa d----- [20:09 05/11/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Alfa\156 Console d----- [20:54 03/08/2008]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Alfa\PHOTOSHOP d----- [00:05 10/12/2007]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Gails d----- [19:31 07/10/2008]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Italy d----- [22:52 27/04/2009]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Neil d----- [23:03 31/01/2008]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Nerja d----- [14:27 02/08/2008]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Picture d----- [21:05 07/03/2008]

C:\Documents and Settings\MaRk\My Documents\My Pictures\Slides d----- [16:41 27/12/2009]

C:\Documents and Settings\MaRk\My Documents\My Pictures\WATCH d----- [22:51 12/01/2008]

C:\Documents and Settings\MaRk\My Documents\My Pictures\WATCH\TEMPFORZIPPING01 d----- [22:52 12/01/2008]

C:\Documents and Settings\MaRk\My Documents\My Pictures\WATCH\TEMPFORZIPPING03 d----- [22:52 12/01/2008]

C:\Documents and Settings\MaRk\My Documents\My Pictures\WATCH\Watch d----- [22:52 12/01/2008]

C:\Documents and Settings\MaRk\My Documents\My PSP Files d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Brushes d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Bump Maps d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\CMYK Profiles d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Deformation Maps d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Displacement Maps d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Environment Maps d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Gradients d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Masks d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Mixer Pages d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Monitor Profiles d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Palettes d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Patterns d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Picture Frames d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Picture Tubes d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Preset Shapes d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Presets d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Print Templates d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Scripts-Restricted d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Scripts-Trusted d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Selections d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Styled Lines d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Swatches d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Textures d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My PSP Files\Workspaces d----- [17:54 28/09/2007]

C:\Documents and Settings\MaRk\My Documents\My Received Files d----- [19:21 06/10/2007]

C:\Documents and Settings\MaRk\My Documents\My Stationery dr--s- [22:10 30/11/2009]

C:\Documents and Settings\MaRk\My Documents\My Videos dr---- [17:34 26/12/2006]

C:\Documents and Settings\MaRk\My Documents\Pocket_PC My Documents d----- [22:41 02/12/2009]

C:\Documents and Settings\MaRk\My Documents\Protected d----- [20:56 20/06/2007]

C:\Documents and Settings\MaRk\My Documents\Short Cams JAN08 d----- [23:32 15/01/2008]

C:\Documents and Settings\MaRk\My Documents\WM_MaRk1 My Documents d----- [13:46 18/08/2007]

C:\Documents and Settings\MaRk\My Documents\WM_MaRk1 My Documents\Annotations d----- [13:46 18/08/2007]

C:\Documents and Settings\MaRk\My Documents\WM_MaRk1 My Documents\Business d----- [13:46 18/08/2007]

C:\Documents and Settings\MaRk\My Documents\WM_MaRk1 My Documents\My Documents d----- [07:50 10/09/2007]

C:\Documents and Settings\MaRk\My Documents\WM_MaRk1 My Documents\My Pictures d----- [13:46 18/08/2007]

C:\Documents and Settings\MaRk\My Documents\WM_MaRk1 My Documents\odgps d----- [13:58 18/08/2007]

C:\Documents and Settings\MaRk\My Documents\WM_MaRk1 My Documents\odgps\tracks d----- [13:58 18/08/2007]

C:\Documents and Settings\MaRk\My Documents\WM_MaRk1 My Documents\Personal d----- [13:46 18/08/2007]

C:\Documents and Settings\MaRk\My Documents\WM_MaRk1 My Documents\Templates d----- [13:46 18/08/2007]

C:\Documents and Settings\MaRk\My Documents\Work d----- [10:39 28/02/2007]

C:\Documents and Settings\MaRk\My Documents\Work\CPR d----- [10:39 28/02/2007]

C:\Documents and Settings\MaRk\My Documents\Work\Dukes Dock d----- [10:39 28/02/2007]

C:\Documents and Settings\MaRk\My Documents\wsInspector d----- [22:08 02/07/2008]

C:\Documents and Settings\MaRk\My Documents\wsInspector\Quick Profiles d----- [22:08 02/07/2008]

========== filefind ==========

Searching for "*keygen*"
No files found.

Searching for "*crack*"
C:\Program Files\Paint Shop Pro 6\Patterns\Cracked Emerald.pat --a--- 120054 bytes [16:59 03/12/2007] [06:00 13/08/1999] C8992D2DF674C484F67C8865B0484B86
C:\Program Files\Paint Shop Pro 6\Textures\Cracked Cement.tex --a--- 11078 bytes [16:59 03/12/2007] [06:00 13/08/1999] 09D39C19E6EFF3D2507707451E20A303

-=End Of File=-




Here's Checkup.txt

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

RegSupreme
HijackThis 2.0.2
CCleaner (remove only)
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1
``````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````





Following your instructions, I now need to close all programmes for the next GMER stage, so I will shut this browser and post the text file in another reply to this thread.

#6 SifuMike

SifuMike
    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 January 2010 - 01:55 PM

Hi,

OK. Post only to this thread. Do not open another thread.

#7 Madsparrow

Madsparrow
  • Topic Starter
  • Members
  • 13 posts

Posted 18 January 2010 - 05:18 PM

Hi Mike
I have had a day off work today and spent a lot of time trying to run GMER. I never got the dialog box offering the choice of a full system scan or not. In fact GMER kept shutting the PC down on its default setting. I have only managed to retrieve the enclosed file from Safe Mode. From a little background reading, we're looking for rootkits and I understand that any that don't run in safe mode will not be found. Hope it helps. If not, there are many tick boxes in GMER, perhaps we can be quite specific if my current offering is not up to scratch?

Regards

Mark

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-18 21:55:03
Windows 5.1.2600 Service Pack 3
Running: 35ll30mc.exe; Driver: C:\DOCUME~1\MaRk\LOCALS~1\Temp\agloapob.sys


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ExAcquireRundownProtection + 1AF 80570279 7 Bytes JMP 8A75A090

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a8a95d2f5 0x09 0xF9 0x5F 0x63 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af0bf24e 0x81 0xB6 0x51 0x40 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@001700af28a4 0xB2 0x96 0x81 0x38 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af063aea 0x65 0xB8 0x7A 0x4C ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@001ea317d957 0x79 0xD8 0xB2 0xBD ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af0bf24e 0x81 0xB6 0x51 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001ea317d957 0x79 0xD8 0xB2 0xBD ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@0005c9f57869 0x3C 0x3D 0xA2 0x6E ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a8a95d2f5 0x38 0x97 0x84 0xB3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001c4304fd4d 0x11 0x78 0x85 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a6b802a75 0x6F 0xBA 0x92 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@0003190d11c5 0xCD 0x0C 0x06 0xA5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001700af28a4 0x26 0x9B 0x49 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af063aea 0x4F 0xC0 0x1D 0x3F ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001f0058c699 0x6D 0x56 0x6D 0xF6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001e101381f5 0xA0 0x5F 0xDD 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af0bf24e 0x81 0xB6 0x51 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001ea317d957 0x79 0xD8 0xB2 0xBD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@0005c9f57869 0x3C 0x3D 0xA2 0x6E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a8a95d2f5 0x38 0x97 0x84 0xB3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001c4304fd4d 0x11 0x78 0x85 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a6b802a75 0x6F 0xBA 0x92 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@0003190d11c5 0xCD 0x0C 0x06 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001700af28a4 0x26 0x9B 0x49 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af063aea 0x4F 0xC0 0x1D 0x3F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001f0058c699 0x6D 0x56 0x6D 0xF6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001e101381f5 0xA0 0x5F 0xDD 0x12 ...

---- EOF - GMER 1.0.15 ----

Edited by SifuMike, 18 January 2010 - 05:32 PM.
insert GMER for ease of reading


#8 SifuMike

SifuMike
    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 January 2010 - 05:54 PM

Hi MadSparrow,

Going over your logs I noticed that you have LimeWire installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall LimeWire; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


************

Mozilla Firefox (3.0.15) is out of date.
Go to Mozilla Firefox and update it to the latest version, Mozilla Firefox 3.5.7.

************


I see you previously downloaded RegSupreme.

I DO NOT recommend registry cleaners, as they may damage rather than fix your registry.
Use a "registry cleaner" only if you have a good knowledge of the registry and know whether a certain key/value is safe to remove.
Cleaning the registry will not improve system performance even if there are a lot of orphaned keys.

IMHO, if Microsoft thought a registry cleaner was necessary, it would have built one into Windows XP.

In summary, use a registry cleaner at your own risk. If you corrupt the registry, then you corrupt Windows.

Read this: Should I use a Registry Cleaner: http://aumha.net/viewtopic.php?t=28099

QUOTE
Mark Russinovich wrote:
No, even if the registry was massively bloated there would be little impact on the performance of anything other than exhaustive searches (ed. of the registry itself).

On Win2K Terminal Server systems, however, there is a limit on the total amount of Registry data that can be loaded and so large profile hives can limit the number of users that can be logged on simultaneously.

I haven't and never will implement a Registry cleaner since it's of little practical use on anything other than Win2K terminal servers and developing one that's both safe and effective requires a huge amount of application-specific knowledge.



**************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
    Please download Java Version 6 Update 17
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ SE Runtime Environment 6 Update 1
    Java™ 6 Update 2
    Java™ 6 Update 3

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.


Please make sure you turn on the Java Automatic Update Feature
http://java.com/en/download/help/java_update.xml#howto

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.
Then you will not have to remember to update it when Java introduces a new version.

**************

Do you have any CD Emulator Software (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD, etc.) installed?

Try running GMER again with these instructions.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply. Do not attach your logs, as that makes them hard to read.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Madsparrow

Madsparrow
  • Topic Starter

  • Members
  • 13 posts

Posted 19 January 2010 - 07:43 AM

Hi Mike
I deleted LimeWire yesterday but still need to update some software. GMER shuts the machine down when I run it, but I managed to get this in Safe Mode, as posted previously.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-18 21:55:03
Windows 5.1.2600 Service Pack 3
Running: 35ll30mc.exe; Driver: C:\DOCUME~1\MaRk\LOCALS~1\Temp\agloapob.sys


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ExAcquireRundownProtection + 1AF 80570279 7 Bytes JMP 8A75A090

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a8a95d2f5 0x09 0xF9 0x5F 0x63 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af0bf24e 0x81 0xB6 0x51 0x40 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@001700af28a4 0xB2 0x96 0x81 0x38 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af063aea 0x65 0xB8 0x7A 0x4C ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000cbf0137be@001ea317d957 0x79 0xD8 0xB2 0xBD ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af0bf24e 0x81 0xB6 0x51 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001ea317d957 0x79 0xD8 0xB2 0xBD ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@0005c9f57869 0x3C 0x3D 0xA2 0x6E ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a8a95d2f5 0x38 0x97 0x84 0xB3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001c4304fd4d 0x11 0x78 0x85 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a6b802a75 0x6F 0xBA 0x92 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@0003190d11c5 0xCD 0x0C 0x06 0xA5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001700af28a4 0x26 0x9B 0x49 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af063aea 0x4F 0xC0 0x1D 0x3F ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001f0058c699 0x6D 0x56 0x6D 0xF6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000cbf0137be@001e101381f5 0xA0 0x5F 0xDD 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af0bf24e 0x81 0xB6 0x51 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001ea317d957 0x79 0xD8 0xB2 0xBD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@0005c9f57869 0x3C 0x3D 0xA2 0x6E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a8a95d2f5 0x38 0x97 0x84 0xB3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001c4304fd4d 0x11 0x78 0x85 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001a6b802a75 0x6F 0xBA 0x92 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@0003190d11c5 0xCD 0x0C 0x06 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001700af28a4 0x26 0x9B 0x49 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@0018af063aea 0x4F 0xC0 0x1D 0x3F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001f0058c699 0x6D 0x56 0x6D 0xF6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000cbf0137be@001e101381f5 0xA0 0x5F 0xDD 0x12 ...

---- EOF - GMER 1.0.15 ----


#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 January 2010 - 01:14 PM

Hi Madsparrow,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You have successfully disabled the AntiVir Guard.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop. <==IMPORTANT

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. The log will be saved as C:\ComboFix.txt


#11 Madsparrow

Madsparrow
  • Topic Starter

  • Members
  • 13 posts

Posted 19 January 2010 - 07:04 PM

Here we go:
I noticed a few of the usual suspects in the log that have been causing problems. Looks promising!!


ComboFix 10-01-19.03 - MaRk 19/01/2010 23:33:00.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.824 [GMT 0:00]
Running from: c:\documents and settings\MaRk\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Carol.ACER-511EBA12DF\Application Data\Mozilla\Firefox\Profiles\52t4nyyo.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}
c:\documents and settings\Carol.ACER-511EBA12DF\Application Data\Mozilla\Firefox\Profiles\52t4nyyo.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\chrome.manifest
c:\documents and settings\Carol.ACER-511EBA12DF\Application Data\Mozilla\Firefox\Profiles\52t4nyyo.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\chrome\xulcache.jar
c:\documents and settings\Carol.ACER-511EBA12DF\Application Data\Mozilla\Firefox\Profiles\52t4nyyo.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\defaults\preferences\xulcache.js
c:\documents and settings\Carol.ACER-511EBA12DF\Application Data\Mozilla\Firefox\Profiles\52t4nyyo.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\install.rdf
c:\documents and settings\MaRk\Application Data\Mozilla\Firefox\Profiles\njzchey5.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}
c:\documents and settings\MaRk\Application Data\Mozilla\Firefox\Profiles\njzchey5.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\chrome.manifest
c:\documents and settings\MaRk\Application Data\Mozilla\Firefox\Profiles\njzchey5.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\chrome\xulcache.jar
c:\documents and settings\MaRk\Application Data\Mozilla\Firefox\Profiles\njzchey5.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\defaults\preferences\xulcache.js
c:\documents and settings\MaRk\Application Data\Mozilla\Firefox\Profiles\njzchey5.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\install.rdf
c:\documents and settings\MiChAeL\Application Data\Mozilla\Firefox\Profiles\o3f42olx.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}
c:\documents and settings\MiChAeL\Application Data\Mozilla\Firefox\Profiles\o3f42olx.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\chrome.manifest
c:\documents and settings\MiChAeL\Application Data\Mozilla\Firefox\Profiles\o3f42olx.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\chrome\xulcache.jar
c:\documents and settings\MiChAeL\Application Data\Mozilla\Firefox\Profiles\o3f42olx.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\defaults\preferences\xulcache.js
c:\documents and settings\MiChAeL\Application Data\Mozilla\Firefox\Profiles\o3f42olx.default\extensions\{90cc88d1-351e-4543-b887-5936369e86db}\install.rdf
c:\windows\EventSystem.log
c:\windows\kb913800.exe
c:\windows\system32\atraces.dll
c:\windows\system32\authzq.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\drivers\cqegybhz.sys
c:\windows\system32\drivers\yplckece.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\faaedd0_g.dll
c:\windows\system32\lrvbrgv.dll
c:\windows\system32\Process.exe
c:\windows\system32\smqaujtf.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
D:\AUTORUN.INF

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CQEGYBHZ
-------\Service_cqegybhz


((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-19 22:39 . 2010-01-19 22:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-19 22:38 . 2010-01-19 22:38 152576 ----a-w- c:\documents and settings\MaRk\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-19 22:37 . 2010-01-19 22:37 79488 ----a-w- c:\documents and settings\MaRk\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-17 14:43 . 2010-01-19 17:45 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-17 14:43 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-17 14:43 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-17 14:43 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-17 14:43 . 2010-01-17 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-17 14:40 . 2010-01-17 14:43 -------- d-----w- c:\program files\AVIRA
2010-01-13 23:39 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 23:56 . 2010-01-10 23:59 -------- d-----w- c:\program files\CES V4 Chameleon
2010-01-10 23:26 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-10 23:26 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-10 21:56 . 2010-01-10 21:56 24576 ----a-w- c:\windows\system32\VundoFixSVC.exe
2010-01-10 21:31 . 2010-01-17 16:12 -------- d-----w- C:\VundoFix Backups
2010-01-10 17:35 . 2010-01-10 23:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 16:39 . 2010-01-10 16:39 -------- d-----w- c:\documents and settings\MaRk\Local Settings\Application Data\Threat Expert
2010-01-10 00:17 . 2010-01-10 00:18 -------- d-----w- c:\program files\BlueSquare Poker
2010-01-03 21:31 . 2010-01-03 21:31 -------- d-----w- c:\program files\HP
2009-12-27 17:17 . 2009-12-27 17:18 5869568 ----a-r- C:\EBUB5.DLL
2009-12-27 17:17 . 1999-01-19 17:40 778240 ------w- C:\EBUB3.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 23:42 . 2007-07-04 22:15 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-19 22:39 . 2006-12-25 21:06 -------- d-----w- c:\program files\Java
2010-01-18 22:06 . 2007-10-02 18:39 -------- d-----r- c:\program files\TypingMaster
2010-01-18 22:06 . 2008-07-30 15:18 -------- d-----w- c:\program files\Kontiki
2010-01-18 22:06 . 2007-10-28 18:12 -------- d-----w- c:\program files\Channel4
2010-01-18 22:03 . 2007-02-28 14:39 -------- d-----w- c:\program files\Yahoo!
2010-01-17 16:14 . 2008-07-03 21:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 15:03 . 2007-12-29 09:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-10 17:17 . 2009-11-27 23:18 -------- d-----w- c:\program files\Balwarebytes' Anti-Malware
2010-01-10 16:52 . 2007-07-04 19:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-19 21:20 . 2006-12-26 09:21 87928 ----a-w- c:\documents and settings\MaRk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-19 12:34 . 2009-12-19 12:34 -------- d-----w- c:\program files\MSECache
2009-12-13 19:32 . 2009-12-11 21:27 -------- d-----w- c:\program files\OBD-DIAG
2009-12-13 12:57 . 2006-12-26 07:48 84040 ----a-w- c:\documents and settings\MiChAeL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 20:45 . 2009-12-08 20:45 -------- d-----w- c:\documents and settings\Carol.ACER-511EBA12DF\Application Data\Malwarebytes
2009-12-08 20:41 . 2008-05-08 21:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-08 00:27 . 2009-12-08 00:27 -------- d-----w- c:\program files\MSBuild
2009-12-08 00:27 . 2009-12-08 00:27 -------- d-----w- c:\program files\Reference Assemblies
2009-12-05 00:30 . 2009-12-05 00:30 -------- d-----w- c:\documents and settings\MiChAeL\Application Data\Malwarebytes
2009-11-29 23:07 . 2009-11-29 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\vo3d0aDikSN
2009-11-29 20:28 . 2008-10-30 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-27 23:19 . 2009-11-27 23:19 -------- d-----w- c:\documents and settings\MaRk\Application Data\Malwarebytes
2009-11-27 23:18 . 2009-11-27 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-22 11:22 . 2007-04-13 10:12 -------- d-----w- c:\program files\AVG
2009-11-21 15:51 . 2004-08-10 20:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 05:38 . 2006-03-04 03:58 667136 ----a-w- c:\windows\system32\wininet.dll
2008-05-28 19:51 . 2008-05-28 19:51 2671704 ----a-w- c:\program files\RegSupremePro_setup.exe
2007-02-27 23:02 . 2007-02-27 23:02 316642 ----a-w- c:\program files\TRIPEAKS.zip
2007-02-17 16:47 . 2007-02-17 16:47 251656 ----a-w- c:\program files\jre-1_5_0_11-windows-i586-p-iftw.exe
2006-12-28 23:54 . 2006-12-28 23:53 15001752 ----a-w- c:\program files\GoogleEarthWin.exe
1999-08-13 06:00 . 2008-03-16 21:19 4820 ----a-w- c:\program files\CAMUNWISE.INI
2007-11-05 16:10 . 2007-09-28 18:52 88 --sha-w- c:\windows\system32\005227F68E.sys
2007-11-05 16:10 . 2007-09-28 18:52 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
CODE
<pre>
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Messenger\msmsgs .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-11 7626752]
"CES_V4"="" [N/A]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-19 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MN-WD542T Wireless Utility.lnk - c:\program files\MicroNEXT\MN-WD542T Wireless Utility\ZDWlan.exe [2009-10-5 499712]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photags AutoDetect.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photags AutoDetect.lnk.disabled
backup=c:\windows\pss\Photags AutoDetect.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
2007-04-23 10:23 1032640 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 17:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CES_V4]
2009-09-10 14:53 1312080 ----a-w- c:\program files\Balwarebytes' Anti-Malware\mbammmm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 14:53 1312080 ----a-w- c:\program files\Balwarebytes' Anti-Malware\mbammmm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-07-11 22:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-07-11 22:19 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 22:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
c:\windows\Temp\RecoverFromReboot.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
c:\program files\Spybot - Search & Destroy\TeaTimer.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workflow]
E:\Workflow.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xbk5uqay61e]
c:\windows\system32\xbk5uqay61e.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=2 (0x2)
"McNASvc"=2 (0x2)
"AGWinService"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"SPTISRV"=3 (0x3)
"RapportMgmtService"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"LightScribeService"=2 (0x2)
"LexBceS"=3 (0x3)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"avg8wd"=2 (0x2)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"CryptSvc"=3 (0x3)
"AcerMemUsageCheckService"=2 (0x2)
"ERSvc"=2 (0x2)
"BITS"=3 (0x3)
"usnjsvc"=3 (0x3)
"SupportSoft RemoteAssist"=3 (0x3)
"idsvc"=3 (0x3)
"STI Simulator"=2 (0x2)
"sprtsvc_O2"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"wuauserv"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Rapportexe"="c:\program files\Trusteer\Rapport\bin\RapportService.exe" -start -after_boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Workflow"=E:\Workflow.exe
"PowerDVD"=c:\program files\CyberLink\PowerDVD\PowerDVD.exe /autostart
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"O2"="c:\program files\O2\bin\sprtcmd.exe" /P O2
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Balwarebytes' Anti-Malware\mbammmm.exe" /runcleanupscript

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [19/11/2009 09:50 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [19/11/2009 09:50 334568]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\AVIRA\AntiVir Desktop\sched.exe [17/01/2010 14:43 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [07/11/2009 14:41 54752]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [19/11/2009 09:50 967912]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [09/06/2005 01:44 20608]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\Drivers\Capt930b.sys --> c:\windows\system32\Drivers\Capt930b.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [05/07/2007 11:34 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [05/07/2007 11:34 85696]
S3 ZD1211BU(MicroNEXT);MN-WD542T Wireless USB Adapter Driver(MicroNEXT);c:\windows\system32\drivers\ZD1211BU.sys [28/10/2005 18:38 500736]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [28/10/2005 18:38 500736]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 15:19 202280]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
uevvuuzf
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4}
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16}
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://cid-4c76422c0422c8fd.skydrive.live.com/Microsoft.Live.Folders.RichUpload.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\MaRk\Application Data\Mozilla\Firefox\Profiles\njzchey5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.metcheck.com/V40/UK/FREE/7days.asp?zipcode=L23|https://www.zurichcorporatepensions.co.uk/asp/zwlogin.asp|http://uk.finance.yahoo.com/q/bc?s=%5EFTSE&t=1d&l=on&z=m&q=l&c=|http://webfund6.financialexpress.net/clients/royallondon/perfChart.aspx?UnitCode=AQM&FundType=LF|http://www.timesonline.co.uk/tol/news/|http://stores.shop.ebay.co.uk/cybox-exhausts_Alfa-Romeo--Exhausts_W0QQLHQ5fSellerWithStoreZ1QQLHQ5fTitleDescZ1QQ_fsubZ2QQ_sasiZ1QQ_sidZ163064708QQ_trksidZp4634Q2ec0Q2em322
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&sc=2&f=web&vernum=1.0&uid=&did=f8d4a70c-98e2-4081-901d-01bf93043ede&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0BC6E3FA-78EF-4886-842C-5A1258C4455A} - c:\program files\AGI\common\agcutils.dll
BHO-{2663BCFC-7A27-4F15-A611-659CC95BEB4C} - (no file)
BHO-{5177364F-F2D3-499E-9F91-DE4C15381283} - (no file)
BHO-{6FFFDA11-559E-4533-B0A0-80886C8B1D4F} - (no file)
Toolbar-ID - (no file)
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - c:\program files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
Notify-khfecdc - khfecdc.dll
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 23:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2402644219-3017275194-2930370854-1008\Software\SecuROM\License information*]
"datasecu"=hex:96,5f,b8,da,9a,a0,35,68,90,a0,47,c8,40,53,ab,54,01,dd,cb,12,ae,
30,6b,75,cd,5a,bf,af,60,d6,62,b8,48,dd,b3,36,a6,0b,40,a0,3f,2f,ae,40,70,8d,\
"rkeysecu"=hex:ed,bc,6f,a3,0e,ec,68,60,21,12,17,2e,63,87,40,54
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1472)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-01-19 23:51:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 23:51
ComboFix2.txt 2007-12-30 16:44

Pre-Run: 8,980,447,232 bytes free
Post-Run: 9,793,888,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 017DD1A6E3B1F7A3476F5D4D099873FC


#12 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 January 2010 - 10:18 PM

Hi MadSparrow,

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option "AntiVir Guard enable".
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.


Click Start, then Run, type Notepad and click OK.
Open Notepad; do not use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into Notepad:

CODE
RenV::
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Messenger\msmsgs .exe

File::
c:\windows\system32\VundoFixSVC.exe
c:\windows\system32\xbk5uqay61e.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xbk5uqay61e]

Driver::
uevvuuzf

NetSvc::
uevvuuzf


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.
The ComboFix log can also be found at C:\ComboFix.txt.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
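A small parser and lint pass for the CFScript format shown in the post above, added here as an example; it is not ComboFix's own code and not part of this thread. It assumes only what the posted script shows: a section starts with a line of the form `Name::` and is followed by one entry per line until the next header. The lint rules (absolute drive paths for File::/Folder::/RenV::, bracketed keys for Registry::, a space before the extension in RenV:: entries) are this example's own assumptions about the directives, not ComboFix's specification, and exist so a mistyped script is caught before it is handed to a tool that deletes what it is told to.

```python
"""Parse and sanity-check a ComboFix CFScript.

Added example, not ComboFix's own code. A CFScript is plain text made of
sections; each section starts with a ``Name::`` line and is followed by one
entry per line, ending at the next header or at end of file.
"""
from collections import OrderedDict
import re

# Constructed sample: the script from the post above, as plain text.
SAMPLE_SCRIPT = """\
RenV::
c:\\program files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier .exe
c:\\program files\\Messenger\\msmsgs .exe

File::
c:\\windows\\system32\\VundoFixSVC.exe
c:\\windows\\system32\\xbk5uqay61e.exe

Folder::
C:\\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\xbk5uqay61e]

Driver::
uevvuuzf

NetSvc::
uevvuuzf
"""

HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text):
    """Return an ordered mapping {section: [entries]}; blank lines are skipped."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        sections[current].append(line)
    return sections


def lint_cfscript(sections):
    """Return (section, entry, problem) triples for entries that look wrong.

    The rules are this example's assumptions about the directives, not
    ComboFix's own specification: File::/Folder::/RenV:: entries must be
    absolute drive paths, Registry:: entries must be bracketed keys, and
    RenV:: names carry a space before the extension (the renamed-with-space
    files the script restores).
    """
    problems = []
    for sec, entries in sections.items():
        for e in entries:
            if sec in ("File", "Folder", "RenV") and not WIN_PATH_RE.match(e):
                problems.append((sec, e, "not an absolute path"))
            if sec == "RenV" and " ." not in e:
                problems.append((sec, e, "no space before extension"))
            if sec == "Registry" and not (e.startswith("[") and e.endswith("]")):
                problems.append((sec, e, "registry entry must be a bracketed key"))
    return problems


def registry_deletions(sections):
    """Keys the script marks for deletion: Registry:: keys written as [-HKEY...]."""
    return [e[2:-1] for e in sections.get("Registry", []) if e.startswith("[-")]


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for sec, entries in parsed.items():
        print(sec, entries)
    print("problems:", lint_cfscript(parsed))
    print("keys to delete:", registry_deletions(parsed))
```

Running the script on the sample prints each section with its entries, an empty problem list, and the single registry key the script deletes; feeding it a script with a bare file name or an unbracketed key returns a problem per offending line.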

#13 Madsparrow
  • Topic Starter
  • Members
  • 13 posts

Posted 20 January 2010 - 03:45 PM

Hi Mike
Got there in the end.


ComboFix 10-01-19.03 - MaRk 20/01/2010 20:19:42.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.862 [GMT 0:00]
Running from: c:\documents and settings\MaRk\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MaRk\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\windows\system32\VundoFixSVC.exe"
"c:\windows\system32\xbk5uqay61e.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\system32\VundoFixSVC.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UEVVUUZF


((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-19 22:39 . 2010-01-19 22:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-19 22:38 . 2010-01-19 22:38 152576 ----a-w- c:\documents and settings\MaRk\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-19 22:37 . 2010-01-19 22:37 79488 ----a-w- c:\documents and settings\MaRk\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-17 14:43 . 2010-01-19 17:45 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-17 14:43 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-17 14:43 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-17 14:43 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-17 14:43 . 2010-01-17 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-17 14:40 . 2010-01-17 14:43 -------- d-----w- c:\program files\AVIRA
2010-01-13 23:39 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 23:56 . 2010-01-10 23:59 -------- d-----w- c:\program files\CES V4 Chameleon
2010-01-10 23:26 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-10 23:26 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-10 17:35 . 2010-01-10 23:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 16:39 . 2010-01-10 16:39 -------- d-----w- c:\documents and settings\MaRk\Local Settings\Application Data\Threat Expert
2010-01-10 00:17 . 2010-01-10 00:18 -------- d-----w- c:\program files\BlueSquare Poker
2010-01-03 21:31 . 2010-01-03 21:31 -------- d-----w- c:\program files\HP
2009-12-27 17:17 . 2009-12-27 17:18 5869568 ----a-r- C:\EBUB5.DLL
2009-12-27 17:17 . 1999-01-19 17:40 778240 ------w- C:\EBUB3.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 20:26 . 2007-07-04 22:15 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-19 22:39 . 2006-12-25 21:06 -------- d-----w- c:\program files\Java
2010-01-18 22:06 . 2007-10-02 18:39 -------- d-----r- c:\program files\TypingMaster
2010-01-18 22:06 . 2008-07-30 15:18 -------- d-----w- c:\program files\Kontiki
2010-01-18 22:06 . 2007-10-28 18:12 -------- d-----w- c:\program files\Channel4
2010-01-18 22:03 . 2007-02-28 14:39 -------- d-----w- c:\program files\Yahoo!
2010-01-17 16:14 . 2008-07-03 21:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 15:03 . 2007-12-29 09:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-10 17:17 . 2009-11-27 23:18 -------- d-----w- c:\program files\Balwarebytes' Anti-Malware
2010-01-10 16:52 . 2007-07-04 19:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-19 21:20 . 2006-12-26 09:21 87928 ----a-w- c:\documents and settings\MaRk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-19 12:34 . 2009-12-19 12:34 -------- d-----w- c:\program files\MSECache
2009-12-13 19:32 . 2009-12-11 21:27 -------- d-----w- c:\program files\OBD-DIAG
2009-12-13 12:57 . 2006-12-26 07:48 84040 ----a-w- c:\documents and settings\MiChAeL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 20:45 . 2009-12-08 20:45 -------- d-----w- c:\documents and settings\Carol.ACER-511EBA12DF\Application Data\Malwarebytes
2009-12-08 20:41 . 2008-05-08 21:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-08 00:27 . 2009-12-08 00:27 -------- d-----w- c:\program files\MSBuild
2009-12-08 00:27 . 2009-12-08 00:27 -------- d-----w- c:\program files\Reference Assemblies
2009-12-05 00:30 . 2009-12-05 00:30 -------- d-----w- c:\documents and settings\MiChAeL\Application Data\Malwarebytes
2009-11-29 23:07 . 2009-11-29 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\vo3d0aDikSN
2009-11-29 20:28 . 2008-10-30 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-27 23:19 . 2009-11-27 23:19 -------- d-----w- c:\documents and settings\MaRk\Application Data\Malwarebytes
2009-11-27 23:18 . 2009-11-27 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-22 11:22 . 2007-04-13 10:12 -------- d-----w- c:\program files\AVG
2009-11-21 15:51 . 2004-08-10 20:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 05:38 . 2006-03-04 03:58 667136 ------w- c:\windows\system32\wininet.dll
2008-05-28 19:51 . 2008-05-28 19:51 2671704 ----a-w- c:\program files\RegSupremePro_setup.exe
2007-02-27 23:02 . 2007-02-27 23:02 316642 ----a-w- c:\program files\TRIPEAKS.zip
2007-02-17 16:47 . 2007-02-17 16:47 251656 ----a-w- c:\program files\jre-1_5_0_11-windows-i586-p-iftw.exe
2006-12-28 23:54 . 2006-12-28 23:53 15001752 ----a-w- c:\program files\GoogleEarthWin.exe
1999-08-13 06:00 . 2008-03-16 21:19 4820 ----a-w- c:\program files\CAMUNWISE.INI
2007-11-05 16:10 . 2007-09-28 18:52 88 --sha-w- c:\windows\system32\005227F68E.sys
2007-11-05 16:10 . 2007-09-28 18:52 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-01-19_23.47.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 1601-01-01 00:00 . 1601-01-01 00:00 0 c:\windows\TEMP\Perflib_Perfdata_c40.dat
+ 2010-01-20 20:27 . 2010-01-20 20:27 16384 c:\windows\TEMP\Perflib_Perfdata_7d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-11 7626752]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-19 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MN-WD542T Wireless Utility.lnk - c:\program files\MicroNEXT\MN-WD542T Wireless Utility\ZDWlan.exe [2009-10-5 499712]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photags AutoDetect.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photags AutoDetect.lnk.disabled
backup=c:\windows\pss\Photags AutoDetect.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
2007-04-23 10:23 1032640 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 17:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CES_V4]
2009-09-10 14:53 1312080 ----a-w- c:\program files\Balwarebytes' Anti-Malware\mbammmm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 14:53 1312080 ----a-w- c:\program files\Balwarebytes' Anti-Malware\mbammmm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-07-11 22:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-07-11 22:19 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 22:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MpfService"=2 (0x2)
"McNASvc"=2 (0x2)
"AGWinService"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"SPTISRV"=3 (0x3)
"RapportMgmtService"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"LightScribeService"=2 (0x2)
"LexBceS"=3 (0x3)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"avg8wd"=2 (0x2)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"CryptSvc"=3 (0x3)
"AcerMemUsageCheckService"=2 (0x2)
"ERSvc"=2 (0x2)
"BITS"=3 (0x3)
"usnjsvc"=3 (0x3)
"SupportSoft RemoteAssist"=3 (0x3)
"idsvc"=3 (0x3)
"STI Simulator"=2 (0x2)
"sprtsvc_O2"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"wuauserv"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Rapportexe"="c:\program files\Trusteer\Rapport\bin\RapportService.exe" -start -after_boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Workflow"=E:\Workflow.exe
"PowerDVD"=c:\program files\CyberLink\PowerDVD\PowerDVD.exe /autostart
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"O2"="c:\program files\O2\bin\sprtcmd.exe" /P O2
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Balwarebytes' Anti-Malware\mbammmm.exe" /runcleanupscript

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [19/11/2009 09:50 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [19/11/2009 09:50 334568]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\AVIRA\AntiVir Desktop\sched.exe [17/01/2010 14:43 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [07/11/2009 14:41 54752]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [19/11/2009 09:50 967912]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [09/06/2005 01:44 20608]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\Drivers\Capt930b.sys --> c:\windows\system32\Drivers\Capt930b.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [05/07/2007 11:34 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [05/07/2007 11:34 85696]
S3 ZD1211BU(MicroNEXT);MN-WD542T Wireless USB Adapter Driver(MicroNEXT);c:\windows\system32\drivers\ZD1211BU.sys [28/10/2005 18:38 500736]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [28/10/2005 18:38 500736]
S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 15:19 202280]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4}
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16}
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://cid-4c76422c0422c8fd.skydrive.live.com/Microsoft.Live.Folders.RichUpload.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\MaRk\Application Data\Mozilla\Firefox\Profiles\njzchey5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.metcheck.com/V40/UK/FREE/7days.asp?zipcode=L23|https://www.zurichcorporatepensions.co.uk/asp/zwlogin.asp|http://uk.finance.yahoo.com/q/bc?s=%5EFTSE&t=1d&l=on&z=m&q=l&c=|http://webfund6.financialexpress.net/clients/royallondon/perfChart.aspx?UnitCode=AQM&FundType=LF|http://www.timesonline.co.uk/tol/news/|http://stores.shop.ebay.co.uk/cybox-exhausts_Alfa-Romeo--Exhausts_W0QQLHQ5fSellerWithStoreZ1QQLHQ5fTitleDescZ1QQ_fsubZ2QQ_sasiZ1QQ_sidZ163064708QQ_trksidZp4634Q2ec0Q2em322
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&sc=2&f=web&vernum=1.0&uid=&did=f8d4a70c-98e2-4081-901d-01bf93043ede&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CES_V4 - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-RecoverFromReboot - c:\windows\Temp\RecoverFromReboot.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-Workflow - E:\Workflow.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 20:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2402644219-3017275194-2930370854-1008\Software\SecuROM\License information*]
"datasecu"=hex:96,5f,b8,da,9a,a0,35,68,90,a0,47,c8,40,53,ab,54,01,dd,cb,12,ae,
30,6b,75,cd,5a,bf,af,60,d6,62,b8,48,dd,b3,36,a6,0b,40,a0,3f,2f,ae,40,70,8d,\
"rkeysecu"=hex:ed,bc,6f,a3,0e,ec,68,60,21,12,17,2e,63,87,40,54
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(548)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-01-20 20:35:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-20 20:35
ComboFix2.txt 2010-01-19 23:51
ComboFix3.txt 2007-12-30 16:44

Pre-Run: 9,860,108,288 bytes free
Post-Run: 9,811,324,928 bytes free

- - End Of File - - 7CF20BAB50A00BAFD90ABB770DAF8004
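Reading a ComboFix log like the one above by hand is slow, so here is an added Python triage helper (not ComboFix's or the forum's own tooling) that parses the "Files Created" and "Find3M" lines and flags entries a responder would look at first: hidden+system files, random-looking names, and executables sitting in a drive root. The sample lines are copied from the log above; the flag rules are heuristics of this example, not anything ComboFix itself does, and a flag is a reason to look, not a verdict.

```python
"""Triage helper for the "Files Created" / "Find3M" sections of a ComboFix log.

Added example, not ComboFix's own code. Each line has the shape

    2010-01-19 22:39 . 2010-01-19 22:39 411368 ----a-w- c:\\windows\\system32\\deploytk.dll

creation stamp, modification stamp, size (``--------`` for a directory),
an 8-character attribute field, then the path.
"""
import math
import os
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = """\
2010-01-19 22:39 . 2010-01-19 22:39 411368 ----a-w- c:\\windows\\system32\\deploytk.dll
2010-01-17 14:43 . 2010-01-17 14:43 -------- d-----w- c:\\program files\\AVIRA
2010-01-10 23:26 . 2010-01-07 16:07 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2009-12-27 17:17 . 2009-12-27 17:18 5869568 ----a-r- C:\\EBUB5.DLL
2009-11-29 23:07 . 2009-11-29 23:07 -------- d-----w- c:\\documents and settings\\All Users\\Application Data\\vo3d0aDikSN
2007-11-05 16:10 . 2007-09-28 18:52 88 --sha-w- c:\\windows\\system32\\005227F68E.sys
2007-11-05 16:10 . 2007-09-28 18:52 2672 --sha-w- c:\\windows\\system32\\KGyGaAvL.sys
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # created
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "        # modified
    r"(\d+|-{8}) "                             # size, or -------- for a directory
    r"([-dcsharw]{8}) "                        # attribute field (d=dir, s=system, h=hidden, ...)
    r"(.+)$"                                   # path, may contain spaces
)


def parse_line(line):
    """Parse one log line into a dict, or None if it is not a file entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {
        "created": created,
        "modified": modified,
        "size": None if size.startswith("-") else int(size),
        "is_dir": attrs[0] == "d",
        "hidden": "h" in attrs,
        "system": "s" in attrs,
        "path": path,
    }


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def name_entropy(name):
    """Shannon entropy (bits per character) of a file name's stem."""
    stem = os.path.splitext(name)[0]
    if not stem:
        return 0.0
    counts = Counter(stem.lower())
    n = len(stem)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name):
    """Heuristic (this example's own): a long, high-entropy stem with digits
    mixed into the letters, or with no vowels at all, reads as generated."""
    stem = os.path.splitext(name)[0]
    if len(stem) < 8:
        return False
    has_digit = any(ch.isdigit() for ch in stem)
    has_vowel = any(ch in "aeiou" for ch in stem.lower())
    return name_entropy(name) >= 3.0 and (has_digit or not has_vowel)


def triage(records):
    """Return (path, reasons) pairs worth a closer look."""
    flagged = []
    for r in records:
        parent, _, name = r["path"].rpartition("\\")
        reasons = []
        if r["hidden"] and r["system"] and not r["is_dir"]:
            reasons.append("hidden+system file")
        if looks_random(name):
            reasons.append("random-looking name")
        in_root = re.fullmatch(r"[a-z]:", parent.lower()) is not None
        if not r["is_dir"] and in_root and name.lower().endswith((".exe", ".dll", ".sys")):
            reasons.append("executable in drive root")
        if reasons:
            flagged.append((r["path"], ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for path, why in triage(parse_log(SAMPLE_LOG)):
        print("%-70s %s" % (path, why))
```

On the sample it flags the DLL in the root of C:, the randomly named directory under All Users\Application Data, and the two hidden+system .sys files in system32, while leaving the Java, Avira and Malwarebytes entries alone; a directory with a random name is reported, but the hidden+system rule is only applied to files.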



#14 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 January 2010 - 05:08 PM

Hi Madsparrow,


Please do an online scan with Kaspersky WebScanner

Attention!
Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.


Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.
  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


You can refer to this animation by sundavis if needed.

#15 Madsparrow
  • Topic Starter
  • Members
  • 13 posts

Posted 21 January 2010 - 06:10 PM

Here's the Kaspersky log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, January 21, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, January 21, 2010 19:12:18
Records in database: 3354698
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 81715
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:32:32


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_cqegybhz_.sys.zip Infected: Trojan.Win32.BHO.ext 1
D:\Backup.bkf Infected: not-a-virus:PSWTool.Win32.FirePass.a 1

Selected area has been scanned.



Not quite there yet, Mike!

Best Regards
Mark




