Infected by Internet Security 2010


This topic is locked
12 replies to this topic

#1 Michal_K

Posted 18 February 2010 - 03:18 AM


DDS (Ver_09-12-01.01) - NTFSx86
Run by Michal at 10:01:09.74 on 17/02/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.1194 [GMT 0:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton 360 *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Users\Michal\AppData\Local\av.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Users\Michal\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Toshiba\HDMICtrlMan\HCMSoundChanger.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Windows\system32\conime.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Users\Michal\Desktop\quotes v.1\Quotes V1.0\Quotes.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Michal\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mytalktalk.co.uk
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {161F6312-F599-45FA-BD04-75747A6B046E} - No File
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\michal\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [Toshiba TEMPO] c:\program files\toshiba tempro\Toshiba.Tempo.UI.TrayApplication.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [HDMICtrlMan] c:\program files\toshiba\hdmictrlman\HDMICtrlMan.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [<NO NAME>]
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: o2.co.uk\*.broadband
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\michal\appdata\roaming\mozilla\firefox\profiles\9be88byn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - The_Pirate_Bay Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://google.co.uk
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\michal\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20100210.001\IDSvix86.sys [2010-2-12 286768]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-8-18 20352]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-1-11 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-1-11 345832]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-16 40960]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-14 102448]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-4-15 51160]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-11-29 27632]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2007-1-9 38200]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-6-14 13224]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-14 38224]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2009-6-14 86696]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2009-6-14 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2009-6-14 114472]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2009-6-14 108328]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2009-6-14 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2009-6-14 104616]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2009-6-14 109736]

=============== Created Last 30 ================

2010-02-14 22:36:57 0 d-----w- c:\users\michal\appdata\roaming\Malwarebytes
2010-02-14 22:36:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-14 22:36:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-14 22:36:46 0 d-----w- c:\programdata\Malwarebytes
2010-02-14 22:36:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-09 19:01:20 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-09 19:01:19 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 19:01:10 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-09 19:01:10 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-07 18:46:12 630784 ----a-w- c:\windows\system32\vsflex8u.ocx
2010-02-07 18:46:12 419240 ----a-w- c:\windows\system32\Vsflex7L.ocx
2010-02-07 18:46:12 244416 ----a-w- c:\windows\system32\Msflxgrd.ocx
2010-02-07 18:46:12 1164728 ----a-w- c:\windows\system32\NMSDVDXU.dll
2010-02-03 21:51:02 162 ---ha-w- c:\users\michal\~$chal Kaczmarek CV.doc

==================== Find3M ====================

2010-02-07 18:48:35 86016 ----a-w- c:\windows\inf\infpub.dat
2010-02-07 18:48:35 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-07 18:48:35 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-27 02:29:19 18030130 ----a-w- c:\programdata\vlc-1.0.3-win32.exe
2009-12-04 18:30:05 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29:41 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28:52 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28:51 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28:51 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28:49 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28:27 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28:21 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27:12 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-11-29 12:19:24 148736 ----a-w- c:\programdata\hpeEC41.dll
2009-11-19 20:04:23 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-18 12:38:02 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-10-01 06:56:21 721624 --sha-w- c:\windows\system32\DedLmnnn.ini2

============= FINISH: 10:02:48.26 ===============

I used your removal guide for this malware. It didn't work. I also tried to restore my system without success. Please help.

Attached Files
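As an added example (not from the original post, and not part of the DDS tool), the following Python script applies to DDS's own output format the two checks a helper would make first on a log like the one above: executables running from the user profile, where rogue AV installers commonly put themselves because no admin rights are needed to write there (the log lists `C:\Users\Michal\AppData\Local\av.exe` among running processes), and the `mPolicies-system: EnableLUA = 0` entry, which means User Account Control has been switched off. The sample log is a constructed excerpt modelled on the post; the allow-list of known per-user updater paths and the severity rule are assumptions to adjust per environment, and every hit still needs a human to decide what it is (`dds.scr` is the diagnostic tool itself and is reported only because of where it runs from).

```python
"""Flag the indicators a helper looks for first in a DDS log.

Added example, not part of the thread or of the DDS tool. The sample log is a
constructed excerpt in DDS's own format, modelled on the post above.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Users\Michal\AppData\Local\av.exe
C:\Users\Michal\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Michal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mytalktalk.co.uk
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
"""

# Per-user paths a known updater legitimately runs from; anything else under
# the profile is reported. This allow-list is an assumption; extend it per site.
KNOWN_USER_PATHS = (r"\appdata\local\google\update",)

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# A process line is a drive path ending in an executable extension, optionally
# followed by arguments such as "-k DcomLaunch".
PROCESS_RE = re.compile(r"^(?P<path>[a-z]:\\.+?\.(?:exe|scr|com|pif|bat))(?:\s+-.*|\s*)$", re.I)
NO_UAC_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*0\b", re.I)
# An executable dropped straight into one of these directories, rather than
# into an application subfolder, is rated higher (assumed severity rule).
PROFILE_ROOTS = {"local", "roaming", "temp", "locallow"}


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def sections(log):
    """Yield (section name, non-empty lines) for each '=== name ===' block."""
    name, lines = "header", []
    for raw in log.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            yield name, lines
            name, lines = m["name"], []
        elif raw.strip():
            lines.append(raw.rstrip())
    yield name, lines


def in_user_profile(path):
    low = path.lower()
    return "\\users\\" in low or "\\documents and settings\\" in low


def check_process(line):
    """Return a Finding for a process running from the user profile, else None."""
    m = PROCESS_RE.match(line)
    if not m:
        return None
    path = m["path"]
    low = path.lower()
    if not in_user_profile(path) or any(k in low for k in KNOWN_USER_PATHS):
        return None
    parent = PureWindowsPath(path).parent.name.lower()
    severity = "high" if parent in PROFILE_ROOTS else "medium"
    return Finding(severity, "executable running from user profile", path)


def triage(log):
    """Run the checks over the relevant DDS sections and collect findings."""
    findings = []
    for name, lines in sections(log):
        if name.lower() == "running processes":
            findings += [f for f in map(check_process, lines) if f]
        elif name.lower() == "pseudo hjt report":
            findings += [Finding("high", "UAC disabled (EnableLUA = 0)", ln)
                         for ln in lines if NO_UAC_RE.match(ln)]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

Run on the sample, the script reports `av.exe` as high (it sits directly in `AppData\Local`), `dds.scr` as medium (on the Desktop), and the disabled-UAC policy line; `GoogleCrashHandler.exe` is suppressed by the allow-list and the `svchost.exe` line is skipped because its arguments are parsed away from the path.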




#2 myrti


Posted 20 February 2010 - 01:19 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 Michal_K

Posted 05 March 2010 - 02:13 PM

Hi, thank you for your response. Please find attached the required documents. Many thanks.

Attached Files



#4 myrti


Posted 06 March 2010 - 12:30 PM

Hi,

Please run a scan with GMER next:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti



#5 Michal_K


Posted 07 March 2010 - 05:09 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-07 21:58:13
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Michal\AppData\Local\Temp\kxtyypow.sys


---- System - GMER 1.0.15 ----

SSDT 87EA0FD0 ZwAlertResumeThread
SSDT 87E9D728 ZwAlertThread
SSDT 87EA0240 ZwAllocateVirtualMemory
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x8F928D42]
SSDT 87D8FC80 ZwConnectPort
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x8F92944E]
SSDT 87EA0D20 ZwCreateMutant
SSDT 87EA03D0 ZwCreateThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x8F92959A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x8F92CD28]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x8F92CD5A]
SSDT 87EA00A0 ZwFreeVirtualMemory
SSDT 87EA0E10 ZwImpersonateAnonymousToken
SSDT 87EA0EF0 ZwImpersonateThread
SSDT 87E9F408 ZwMapViewOfSection
SSDT 87EA0C40 ZwOpenEvent
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x8F9294FE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x8F928E86]
SSDT 87EA0310 ZwOpenProcessToken
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x8F929078]
SSDT 87E9F148 ZwOpenThreadToken
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x8F9291AA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x8F92CE2E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x8F92CD98]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x8F92CDCA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x8F92CDFC]
SSDT 87E963C8 ZwResumeThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x8F928CF0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x8F9295FA]
SSDT 87E9F238 ZwSetInformationProcess
SSDT 87E9DA30 ZwSetInformationThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x8F92CCC8]
SSDT 87EA0B60 ZwSuspendProcess
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x8F928C94]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x8F928BF0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x8F928C38]
SSDT 87E9F328 ZwUnmapViewOfSection
SSDT 87EA0170 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 838B0880 8 Bytes JMP E9D72887
.text ntkrnlpa.exe!KeSetEvent + 131 838B0894 4 Bytes [40, 02, EA, 87]
.text ntkrnlpa.exe!KeSetEvent + 191 838B08F4 4 Bytes [42, 8D, 92, 8F]
.text ntkrnlpa.exe!KeSetEvent + 1C1 838B0924 4 Bytes [80, FC, D8, 87]
.text ntkrnlpa.exe!KeSetEvent + 1D9 838B093C 4 Bytes [4E, 94, 92, 8F]
.text ...
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B15D000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B1A6000, 0x510, 0x40000040]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E40F000, 0x1FB52A, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1060] ntdll.dll!KiUserApcDispatcher 77DC5D18 5 Bytes JMP 00412480 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1060] USER32.dll!InSendMessageEx + 3B1 774CE6B0 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1060] WS2_32.dll!getaddrinfo 77EA418A 5 Bytes JMP 71640022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1060] WS2_32.dll!gethostbyname 77EB62D4 5 Bytes JMP 71670022
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3400] USER32.dll!InSendMessageEx + 4C9 774CE7C8 7 Bytes JMP 10031D10 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3400] USER32.dll!CreateIconFromResourceEx + 340 774D0E45 7 Bytes JMP 10031C80 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3400] USER32.dll!DdeQueryStringW + 5CE 774EFA2D 7 Bytes JMP 10031CF0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[4048] ntdll.dll!KiUserApcDispatcher 77DC5D18 5 Bytes JMP 004394A0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[4048] WS2_32.dll!getaddrinfo 77EA418A 5 Bytes JMP 71670022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[4048] WS2_32.dll!gethostbyname 77EB62D4 5 Bytes JMP 716E0022
.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[4248] ntdll.dll!DbgBreakPoint 77DA8B2E 1 Byte [90]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] ntdll.dll!LdrLoadDll + 1 77D89391 5 Bytes [22, 00, 67, 71, C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] ntdll.dll!KiUserApcDispatcher 77DC5D18 5 Bytes JMP 01CA6060 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] kernel32.dll!SetUnhandledExceptionFilter 7643A84F 6 Bytes PUSH 71520022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] USER32.dll!DdeInitializeW 774C7921 6 Bytes PUSH 714F0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] USER32.dll!RegisterClassExW 774CDA30 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] USER32.dll!GetMessageW 774DFEF7 6 Bytes PUSH 71490022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] USER32.dll!TranslateMessage 774E01AD 6 Bytes PUSH 71420022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] USER32.dll!GetClipboardData 7750715A 6 Bytes PUSH 714C0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] GDI32.dll!BitBlt 771A70A6 6 Bytes PUSH 71550022; RET

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\GDI32.dll [USER32.dll!GetWindowRect] 71460000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\ole32.dll [USER32.dll!GetWindowRect] 71460000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetWindowRect] 71460000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5932] @ C:\Windows\system32\WININET.dll [USER32.dll!GetWindowRect] 71460000

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
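As an added example, not part of the thread or of GMER itself, the Python below parses SSDT and user-mode hook lines in the format GMER prints above and groups them by the module GMER attributed them to. GMER names a module only when the hook target lands inside a loaded image; a hook shown as a bare address (for instance `SSDT 87EA0FD0 ZwAlertResumeThread`) is one it could not attribute, which puts it in a review queue rather than marking it malicious, since security products that allocate their own trampolines produce exactly this pattern. The sample is a constructed excerpt of the log above; the field names in the returned records are this example's own.

```python
"""Group the hooks GMER reports by the module that owns them.

Added example, not part of the thread or of GMER. The sample below is a
constructed excerpt in GMER's own format, taken from the log above.
"""
import re
from collections import defaultdict

SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 87EA0FD0 ZwAlertResumeThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x8F928D42]
SSDT 87D8FC80 ZwConnectPort
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x8F92944E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x8F928BF0]
SSDT 87EA0170 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1060] ntdll.dll!KiUserApcDispatcher 77DC5D18 5 Bytes JMP 00412480 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1060] USER32.dll!InSendMessageEx + 3B1 774CE6B0 6 Bytes JMP 716E001E
.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[4248] ntdll.dll!DbgBreakPoint 77DA8B2E 1 Byte [90]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] ntdll.dll!KiUserApcDispatcher 77DC5D18 5 Bytes JMP 01CA6060 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5932] kernel32.dll!SetUnhandledExceptionFilter 7643A84F 6 Bytes PUSH 71520022; RET
"""

# "SSDT <addr> <Zw*>" is unattributed; "SSDT <module> <Zw*> [0x<target>]" is attributed.
SSDT_RE = re.compile(
    r"^SSDT\s+(?:(?P<addr>[0-9A-Fa-f]{8})|(?P<module>\S.*?\.(?:sys|dll|exe)))"
    r"\s+(?P<func>Zw\w+)(?:\s+\[0x(?P<target>[0-9A-Fa-f]+)\])?\s*$"
)
# ".text <process>[pid] <dll>!<api> [+ off] <addr> <n> Byte(s) <patch> [<module> (<vendor>)]"
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+(?P<api>[\w.]+!\w+)"
    r"(?:\s+\+\s+[0-9A-Fa-f]+)?\s+[0-9A-Fa-f]{8}\s+\d+\s+Bytes?\s+(?P<rest>.+?)\s*$"
)
OWNER_RE = re.compile(r"^(?P<patch>.+?)\s+(?P<module>[a-z]:\\.+?)\s+\((?P<desc>[^)]+)\)$", re.I)


def parse_gmer(text):
    """Return (ssdt_hooks, user_hooks); owner is None when GMER gave no module."""
    ssdt, user = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            ssdt.append({"func": m["func"], "owner": m["module"]})
            continue
        m = USER_RE.match(line)
        if m:
            o = OWNER_RE.match(m["rest"])
            user.append({
                "process": f'{m["proc"]}[{m["pid"]}]',
                "api": m["api"],
                "owner": o["module"] if o else None,
                "vendor": o["desc"] if o else None,
            })
    return ssdt, user


def summarise(ssdt, user):
    """Bucket hooks by owning module; the None bucket is the review queue."""
    by_owner = defaultdict(list)
    for h in ssdt:
        by_owner[h["owner"]].append(h["func"])
    for h in user:
        by_owner[h["owner"]].append(f'{h["process"]} {h["api"]}')
    return dict(by_owner)


if __name__ == "__main__":
    s, u = parse_gmer(SAMPLE_GMER)
    for owner, hooks in summarise(s, u).items():
        print(owner or "UNATTRIBUTED (review)", "->", len(hooks))
        for h in hooks:
            print("   ", h)
```

On the sample this yields three attributed buckets (all Trusteer Rapport components) and one unattributed bucket of six hooks. The point of the grouping is that the reviewer checks a handful of modules and one short queue instead of every line; it does not decide whether any hook is malicious.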


#6 myrti


Posted 07 March 2010 - 06:19 PM

Hi,

The good news is that you are not infected by a rootkit. Please run a scan with Malwarebytes next, to remove the remnants of malware still active on your PC:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 Michal_K

Michal_K
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:28 PM

Posted 08 March 2010 - 05:11 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3838
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

08/03/2010 22:08:19
mbam-log-2010-03-08 (22-08-19).txt

Scan type: Quick Scan
Objects scanned: 115015
Time elapsed: 14 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Could you explain to me please what Internet Security 2010 is, if it's not a malware program? It keeps popping up and it's really annoying...

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:02:28 PM

Posted 08 March 2010 - 05:50 PM

Hi,

Internet Security 2010 is a so-called rogue. It pretends to be a security program, but is in reality malware. It installs itself onto your system, pretends to run a scan for malware and then prompts for your money to remove what it found.
The infections it finds are either not real or were installed by Internet Security 2010. Do not trust that program and don't give them any of your money.

Please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#9 Michal_K

Michal_K
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:28 PM

Posted 09 March 2010 - 04:01 PM

Thank you for your reply. I hope everything is fixed now....

ComboFix 10-03-09.03 - Michal 09/03/2010 20:23:35.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.1616 [GMT 0:00]
Running from: c:\users\Michal\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
SP: Norton 360 *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\hpeEC41.dll
c:\programdata\vlc-1.0.3-win32.exe
c:\users\Michal\vlc-1.0.3-win32.exe
c:\windows\System32\DedLmnnn.ini
c:\windows\System32\DedLmnnn.ini2
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif

.
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.

2010-03-09 20:43 . 2010-03-09 20:44 -------- d-----w- c:\users\Michal\AppData\Local\temp
2010-03-09 20:43 . 2010-03-09 20:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-09 20:06 . 2010-03-09 20:06 -------- d-----w- C:\found.000
2010-03-09 18:32 . 2010-02-16 09:31 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\NAVENG.SYS
2010-03-09 18:32 . 2010-02-16 09:31 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\EECTRL.SYS
2010-03-09 18:32 . 2010-02-16 09:31 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\CCERASER.DLL
2010-03-09 18:32 . 2010-02-16 09:31 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\ECMSVR32.DLL
2010-03-09 18:32 . 2010-02-16 09:31 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\NAVENG32.DLL
2010-03-09 18:32 . 2010-02-16 09:31 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\NAVEX32A.DLL
2010-03-09 18:32 . 2010-02-16 09:31 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\NAVEX15.SYS
2010-03-09 18:32 . 2010-02-16 09:31 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\ERASER.SYS
2010-03-09 00:00 . 2009-11-20 03:02 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\SymIDSco.sys
2010-03-09 00:00 . 2009-11-20 03:02 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\IDSvix86.sys
2010-03-09 00:00 . 2009-11-20 03:02 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\SymIDSI.dll
2010-03-09 00:00 . 2009-11-20 03:02 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\IDSxpx86.dll
2010-03-09 00:00 . 2009-11-20 03:02 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\IDSviA64.sys
2010-03-09 00:00 . 2009-04-04 03:23 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\IDS9xx86.dll
2010-03-08 21:52 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-08 21:52 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\programdata\Norton
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\windows\system32\drivers\NSS
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\program files\Norton Security Scan
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\programdata\NortonInstaller
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\program files\NortonInstaller
2010-03-08 20:01 . 2010-02-16 09:31 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\NAVENG.SYS
2010-03-08 20:01 . 2010-02-16 09:31 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\EECTRL.SYS
2010-03-08 20:01 . 2010-02-16 09:31 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\CCERASER.DLL
2010-03-08 20:01 . 2010-02-16 09:31 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\ECMSVR32.DLL
2010-03-08 20:01 . 2010-02-16 09:31 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\NAVENG32.DLL
2010-03-08 20:01 . 2010-02-16 09:31 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\NAVEX32A.DLL
2010-03-08 20:01 . 2010-02-16 09:31 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\NAVEX15.SYS
2010-03-08 20:01 . 2010-02-16 09:31 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\ERASER.SYS
2010-03-08 19:47 . 2010-03-08 19:47 -------- d-----w- c:\programdata\Azureus
2010-03-08 19:46 . 2010-03-09 19:38 -------- d-----w- c:\users\Michal\AppData\Roaming\Azureus
2010-03-08 19:45 . 2010-03-09 20:11 -------- d-----w- c:\program files\Vuze
2010-03-08 19:45 . 2010-03-08 19:45 52224 ----a-w- c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
2010-03-08 19:45 . 2010-03-08 19:45 101376 ----a-w- c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
2010-03-08 19:45 . 2010-03-08 19:45 -------- d-----w- c:\program files\Conduit
2010-03-08 19:45 . 2010-03-08 19:45 -------- d-----w- c:\program files\Vuze_Remote
2010-03-07 22:24 . 2010-02-16 09:31 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVEX32A.DLL
2010-03-07 22:24 . 2010-02-16 09:31 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVEX15.SYS
2010-03-07 22:24 . 2010-02-16 09:31 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVENG.SYS
2010-03-07 22:24 . 2010-02-16 09:31 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\EECTRL.SYS
2010-03-07 22:24 . 2010-02-16 09:31 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\CCERASER.DLL
2010-03-07 22:24 . 2010-02-16 09:31 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ECMSVR32.DLL
2010-03-07 22:24 . 2010-02-16 09:31 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVENG32.DLL
2010-03-07 22:24 . 2010-02-16 09:31 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ERASER.SYS
2010-02-26 12:50 . 2010-02-26 12:50 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-26 12:50 . 2010-02-26 12:50 390528 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys
2010-02-26 12:50 . 2010-02-26 12:50 249856 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
2010-02-25 23:30 . 2009-11-20 03:02 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\SymIDSco.sys
2010-02-25 23:30 . 2009-11-20 03:02 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\IDSvix86.sys
2010-02-25 23:30 . 2009-11-20 03:02 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\SymIDSI.dll
2010-02-25 23:30 . 2009-11-20 03:02 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\IDSxpx86.dll
2010-02-25 23:30 . 2009-11-20 03:02 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\IDSviA64.sys
2010-02-25 23:30 . 2009-04-04 03:23 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\IDS9xx86.dll
2010-02-23 20:06 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 20:05 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 20:05 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 20:05 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 20:05 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 20:05 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 20:05 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 20:05 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 20:05 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 20:05 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 20:05 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-23 20:05 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-23 20:05 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-18 09:38 . 2010-02-18 09:38 -------- d-----w- c:\program files\Default Company Name
2010-02-18 09:38 . 2010-02-18 09:38 -------- d-----w- c:\program files\Common Files\Business Objects
2010-02-17 10:05 . 2010-02-17 10:05 284915 ----a-w- c:\users\Michal\gmer.zip
2010-02-15 09:23 . 2010-02-15 09:23 -------- d-----w- c:\users\Michal\backups
2010-02-14 22:36 . 2010-02-14 22:36 -------- d-----w- c:\users\Michal\AppData\Roaming\Malwarebytes
2010-02-14 22:36 . 2010-03-08 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-14 22:36 . 2010-02-14 22:36 -------- d-----w- c:\programdata\Malwarebytes
2010-02-09 19:01 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-09 19:01 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 19:01 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-09 19:01 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 20:45 . 2008-09-23 18:50 -------- d-----w- c:\users\Michal\AppData\Roaming\uTorrent
2010-03-08 20:16 . 2008-09-11 21:24 -------- d-----w- c:\programdata\Symantec
2010-02-24 23:16 . 2008-08-18 16:50 115848 ----a-w- c:\users\Michal\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-16 10:15 . 2008-06-12 09:57 -------- d-----w- c:\program files\Google
2010-02-14 21:52 . 2010-02-07 12:12 91 ----a-w- c:\users\Michal\AppData\Local\kozgb.bat
2010-02-10 16:55 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-10 06:46 . 2008-06-12 10:03 -------- d-----w- c:\programdata\Microsoft Help
2010-02-07 18:45 . 2009-09-23 20:10 -------- d-----w- c:\program files\LG Electronics
2010-02-07 18:44 . 2008-06-12 09:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 20:53 . 2010-01-16 11:37 89 ----a-w- c:\users\Michal\AppData\Local\eoiqby.bat
2010-02-03 23:01 . 2009-01-18 23:15 -------- d-----w- c:\users\Michal\AppData\Roaming\dvdcss
2010-01-25 11:17 . 2008-08-18 18:50 680 ----a-w- c:\users\Michal\AppData\Local\d3d9caps.dat
2010-01-25 09:39 . 2010-01-25 09:39 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-01-25 00:15 . 2008-12-05 14:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 17:09 . 2010-01-28 20:11 52224 ----a-w- c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\FFExternalAlert.dll
2010-01-21 17:09 . 2010-01-28 20:11 101376 ----a-w- c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\RadioWMPCore.dll
2010-01-15 23:38 . 2009-09-23 20:18 -------- d-----w- c:\program files\DivX
2010-01-15 23:37 . 2009-09-23 20:18 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-15 09:26 . 2009-12-27 12:10 90 ----a-w- c:\users\Michal\AppData\Local\bqguje.bat
2010-01-06 15:38 . 2010-02-23 20:05 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 20:05 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-23 20:05 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 20:05 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-02 06:38 . 2010-01-25 00:48 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-25 00:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-25 00:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-25 00:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-26 08:12 . 2009-12-07 22:29 90 ----a-w- c:\users\Michal\AppData\Local\nnnnuovf.bat
2009-12-15 11:24 . 2009-12-15 11:24 293376 ----a-w- c:\users\Michal\gmer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-02-22 12:05 2353176 ----a-w- c:\program files\Vuze_Remote\tbVuze.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-29 430080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-19 39408]
"Google Update"="c:\users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-09-19 288560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-06 366400]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-03-25 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"HDMICtrlMan"="c:\program files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe" [2008-04-02 716800]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2009-07-21 1045904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):db,0d,96,0d,42,49,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 135664]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-06-14 13224]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-29 937984]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-11-04 86696]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2008-11-04 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2008-11-04 114472]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2008-11-04 108328]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2008-11-04 26024]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2008-11-04 104616]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2008-11-04 109736]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20100304.001\IDSvix86.sys [2009-11-20 286768]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-08-31 20352]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-26 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-02-17 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-02-17 108904]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-16 40960]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-02-17 779496]
S2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [2007-10-12 202016]
S2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\Toshiba TEMPRO\TemproSvc.exe [2009-07-21 116104]
S2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\Supportsoft\bin\tgsrvc.exe [2007-08-02 148768]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-04-15 51160]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2007-04-09 8192]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-24 73728]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2007-01-09 38200]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 10:15]

2010-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 10:15]

2010-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257048763-4000413911-4164596898-1000Core.job
- c:\users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-24 23:11]

2010-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257048763-4000413911-4164596898-1000UA.job
- c:\users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-24 23:11]

2010-03-09 c:\windows\Tasks\Norton Security Scan for Michal.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-08 20:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
FF - ProfilePath - c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - The_Pirate_Bay Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://google.co.uk
FF - component: c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Michal\AppData\Local\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{161F6312-F599-45FA-BD04-75747A6B046E} - (no file)
HKLM-Run-Toshiba TEMPO - c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
AddRemove-HijackThis - c:\users\Michal\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 20:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????????b9??X?k???k???k???k?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(19136)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Common Files\Symantec Shared\ccL60U.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Common Files\Nero\Lib\MediaLibraryNSE.dll
.
Completion time: 2010-03-09 20:58:11
ComboFix-quarantined-files.txt 2010-03-09 20:57

Pre-Run: 55,837,667,328 bytes free
Post-Run: 56,320,466,944 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=41 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41
- - End Of File - - 9B49C187C1540A14D1CC23B0C6D9EC8D


#10 myrti (Malware Study Hall Admin, 33,766 posts)

Posted 09 March 2010 - 05:08 PM

Hi,

this is looking good, there are only a couple of leftovers to remove:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\users\Michal\AppData\Local\eoiqby.bat
c:\users\Michal\AppData\Local\bqguje.bat


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

How's your PC doing now?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#11 Michal_K (Topic Starter, Members, 7 posts)

Posted 10 March 2010 - 05:43 AM

Hi Myrti,

Thank you very much for your help and support. I hope the last scan has fixed all the problems and this annoying Internet Security will not pop up again. During scanning with ComboFix my computer crashed twice, but after a couple of attempts I managed to finish this scan. I am attaching the results below.

Regards
Michal

ComboFix 10-03-09.06 - Michal 10/03/2010 10:06:59.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.1723 [GMT 0:00]
Running from: c:\users\Michal\Desktop\ComboFix.exe
Command switches used :: c:\users\Michal\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
SP: Norton 360 *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))
.

2010-03-10 10:23 . 2010-03-10 10:24 -------- d-----w- c:\users\Michal\AppData\Local\temp
2010-03-10 10:23 . 2010-03-10 10:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-10 10:23 . 2010-03-10 10:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-09 20:06 . 2010-03-09 20:06 -------- d-----w- C:\found.000
2010-03-09 18:32 . 2010-02-16 09:31 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\NAVENG.SYS
2010-03-09 18:32 . 2010-02-16 09:31 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\EECTRL.SYS
2010-03-09 18:32 . 2010-02-16 09:31 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\CCERASER.DLL
2010-03-09 18:32 . 2010-02-16 09:31 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\ECMSVR32.DLL
2010-03-09 18:32 . 2010-02-16 09:31 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\NAVENG32.DLL
2010-03-09 18:32 . 2010-02-16 09:31 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\NAVEX32A.DLL
2010-03-09 18:32 . 2010-02-16 09:31 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\NAVEX15.SYS
2010-03-09 18:32 . 2010-02-16 09:31 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100309.009\ERASER.SYS
2010-03-09 00:00 . 2009-11-20 03:02 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\SymIDSco.sys
2010-03-09 00:00 . 2009-11-20 03:02 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\IDSvix86.sys
2010-03-09 00:00 . 2009-11-20 03:02 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\SymIDSI.dll
2010-03-09 00:00 . 2009-11-20 03:02 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\IDSxpx86.dll
2010-03-09 00:00 . 2009-11-20 03:02 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\IDSviA64.sys
2010-03-09 00:00 . 2009-04-04 03:23 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100304.001\IDS9xx86.dll
2010-03-08 21:52 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-08 21:52 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\programdata\Norton
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\windows\system32\drivers\NSS
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\program files\Norton Security Scan
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\programdata\NortonInstaller
2010-03-08 20:16 . 2010-03-08 20:16 -------- d-----w- c:\program files\NortonInstaller
2010-03-08 20:01 . 2010-02-16 09:31 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\NAVENG.SYS
2010-03-08 20:01 . 2010-02-16 09:31 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\EECTRL.SYS
2010-03-08 20:01 . 2010-02-16 09:31 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\CCERASER.DLL
2010-03-08 20:01 . 2010-02-16 09:31 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\ECMSVR32.DLL
2010-03-08 20:01 . 2010-02-16 09:31 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\NAVENG32.DLL
2010-03-08 20:01 . 2010-02-16 09:31 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\NAVEX32A.DLL
2010-03-08 20:01 . 2010-02-16 09:31 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\NAVEX15.SYS
2010-03-08 20:01 . 2010-02-16 09:31 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100308.003\ERASER.SYS
2010-03-08 19:47 . 2010-03-08 19:47 -------- d-----w- c:\programdata\Azureus
2010-03-08 19:46 . 2010-03-09 19:38 -------- d-----w- c:\users\Michal\AppData\Roaming\Azureus
2010-03-08 19:45 . 2010-03-09 20:11 -------- d-----w- c:\program files\Vuze
2010-03-08 19:45 . 2010-03-08 19:45 52224 ----a-w- c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
2010-03-08 19:45 . 2010-03-08 19:45 101376 ----a-w- c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
2010-03-08 19:45 . 2010-03-08 19:45 -------- d-----w- c:\program files\Conduit
2010-03-08 19:45 . 2010-03-08 19:45 -------- d-----w- c:\program files\Vuze_Remote
2010-03-07 22:24 . 2010-02-16 09:31 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVEX32A.DLL
2010-03-07 22:24 . 2010-02-16 09:31 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVEX15.SYS
2010-03-07 22:24 . 2010-02-16 09:31 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVENG.SYS
2010-03-07 22:24 . 2010-02-16 09:31 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\EECTRL.SYS
2010-03-07 22:24 . 2010-02-16 09:31 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\CCERASER.DLL
2010-03-07 22:24 . 2010-02-16 09:31 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ECMSVR32.DLL
2010-03-07 22:24 . 2010-02-16 09:31 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVENG32.DLL
2010-03-07 22:24 . 2010-02-16 09:31 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ERASER.SYS
2010-02-26 12:50 . 2010-02-26 12:50 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-26 12:50 . 2010-02-26 12:50 390528 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys
2010-02-26 12:50 . 2010-02-26 12:50 249856 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
2010-02-25 23:30 . 2009-11-20 03:02 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\SymIDSco.sys
2010-02-25 23:30 . 2009-11-20 03:02 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\IDSvix86.sys
2010-02-25 23:30 . 2009-11-20 03:02 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\SymIDSI.dll
2010-02-25 23:30 . 2009-11-20 03:02 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\IDSxpx86.dll
2010-02-25 23:30 . 2009-11-20 03:02 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\IDSviA64.sys
2010-02-25 23:30 . 2009-04-04 03:23 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\idsdefs\20100224.001\IDS9xx86.dll
2010-02-23 20:06 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 20:05 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 20:05 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 20:05 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 20:05 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 20:05 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 20:05 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 20:05 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 20:05 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 20:05 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 20:05 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-23 20:05 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-23 20:05 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-18 09:38 . 2010-02-18 09:38 -------- d-----w- c:\program files\Default Company Name
2010-02-18 09:38 . 2010-02-18 09:38 -------- d-----w- c:\program files\Common Files\Business Objects
2010-02-17 10:05 . 2010-02-17 10:05 284915 ----a-w- c:\users\Michal\gmer.zip
2010-02-15 09:23 . 2010-02-15 09:23 -------- d-----w- c:\users\Michal\backups
2010-02-14 22:36 . 2010-02-14 22:36 -------- d-----w- c:\users\Michal\AppData\Roaming\Malwarebytes
2010-02-14 22:36 . 2010-03-08 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-14 22:36 . 2010-02-14 22:36 -------- d-----w- c:\programdata\Malwarebytes
2010-02-09 19:01 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-09 19:01 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 19:01 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-09 19:01 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 10:25 . 2008-09-23 18:50 -------- d-----w- c:\users\Michal\AppData\Roaming\uTorrent
2010-03-08 20:16 . 2008-09-11 21:24 -------- d-----w- c:\programdata\Symantec
2010-02-24 23:16 . 2008-08-18 16:50 115848 ----a-w- c:\users\Michal\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-16 10:15 . 2008-06-12 09:57 -------- d-----w- c:\program files\Google
2010-02-14 21:52 . 2010-02-07 12:12 91 ----a-w- c:\users\Michal\AppData\Local\kozgb.bat
2010-02-10 16:55 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-10 06:46 . 2008-06-12 10:03 -------- d-----w- c:\programdata\Microsoft Help
2010-02-07 18:45 . 2009-09-23 20:10 -------- d-----w- c:\program files\LG Electronics
2010-02-07 18:44 . 2008-06-12 09:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 20:53 . 2010-01-16 11:37 89 ----a-w- c:\users\Michal\AppData\Local\eoiqby.bat
2010-02-03 23:01 . 2009-01-18 23:15 -------- d-----w- c:\users\Michal\AppData\Roaming\dvdcss
2010-01-25 11:17 . 2008-08-18 18:50 680 ----a-w- c:\users\Michal\AppData\Local\d3d9caps.dat
2010-01-25 09:39 . 2010-01-25 09:39 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-01-25 00:15 . 2008-12-05 14:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 17:09 . 2010-01-28 20:11 52224 ----a-w- c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\FFExternalAlert.dll
2010-01-21 17:09 . 2010-01-28 20:11 101376 ----a-w- c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\RadioWMPCore.dll
2010-01-15 23:38 . 2009-09-23 20:18 -------- d-----w- c:\program files\DivX
2010-01-15 23:37 . 2009-09-23 20:18 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-15 09:26 . 2009-12-27 12:10 90 ----a-w- c:\users\Michal\AppData\Local\bqguje.bat
2010-01-06 15:38 . 2010-02-23 20:05 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 20:05 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-23 20:05 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 20:05 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-02 06:38 . 2010-01-25 00:48 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-25 00:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-25 00:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-25 00:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-26 08:12 . 2009-12-07 22:29 90 ----a-w- c:\users\Michal\AppData\Local\nnnnuovf.bat
2009-12-15 11:24 . 2009-12-15 11:24 293376 ----a-w- c:\users\Michal\gmer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-02-22 12:05 2353176 ----a-w- c:\program files\Vuze_Remote\tbVuze.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-29 430080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-19 39408]
"Google Update"="c:\users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-09-19 288560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-06 366400]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-03-25 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"HDMICtrlMan"="c:\program files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe" [2008-04-02 716800]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2009-07-21 1045904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):db,0d,96,0d,42,49,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 135664]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-06-14 13224]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-29 937984]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-11-04 86696]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2008-11-04 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2008-11-04 114472]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2008-11-04 108328]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2008-11-04 26024]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2008-11-04 104616]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2008-11-04 109736]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20100304.001\IDSvix86.sys [2009-11-20 286768]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-08-31 20352]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-26 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-02-17 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-02-17 108904]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-16 40960]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-02-17 779496]
S2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [2007-10-12 202016]
S2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\Toshiba TEMPRO\TemproSvc.exe [2009-07-21 116104]
S2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\Supportsoft\bin\tgsrvc.exe [2007-08-02 148768]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-04-15 51160]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2007-04-09 8192]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-24 73728]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2007-01-09 38200]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 10:15]

2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 10:15]

2010-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257048763-4000413911-4164596898-1000Core.job
- c:\users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-24 23:11]

2010-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4257048763-4000413911-4164596898-1000UA.job
- c:\users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-24 23:11]

2010-03-09 c:\windows\Tasks\Norton Security Scan for Michal.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-08 20:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
FF - ProfilePath - c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - The_Pirate_Bay Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://google.co.uk
FF - component: c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\users\Michal\AppData\Roaming\Mozilla\Firefox\Profiles\9be88byn.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Michal\AppData\Local\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-10 10:24
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????????b9??X?k???k???k???k?

scanning hidden files ...


c:\users\Michal\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(16024)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
Completion time: 2010-03-10 10:38:04
ComboFix-quarantined-files.txt 2010-03-10 10:37
ComboFix2.txt 2010-03-09 20:58

Pre-Run: 55,758,376,960 bytes free
Post-Run: 56,394,334,208 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=41 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41
- - End Of File - - 19A4101247F0D646F64FEAF16567B71F
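The two ComboFix runs above keep listing the same randomly named, ~90-byte .bat files under AppData\Local, and the Reg Loading Points section shows UAC (EnableLUA=0) and Security Center monitoring switched off, which is typical of rogue "antivirus" infections. The script below is an added triage example, not part of this thread and not ComboFix's own logic: it parses the log's file and registry lines and flags both kinds of leftover. The sample lines are copied from the log above as constructed offline input; the heuristics (a lowercase 5-8 letter name, .bat extension, under 256 bytes, directly in AppData\Local) and the three registry rules are my assumptions about what is worth flagging, not a signature of any specific malware.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Flags (1) small, randomly named .bat files sitting in AppData\\Local and
(2) registry values that disable UAC or Security Center monitoring.
All thresholds and rules are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines in ComboFix's "Find3M Report" and
# "Reg Loading Points" formats, copied from the log in the thread.
SAMPLE_LOG = """\
2010-02-14 21:52 . 2010-02-07 12:12 91 ----a-w- c:\\users\\Michal\\AppData\\Local\\kozgb.bat
2010-02-06 20:53 . 2010-01-16 11:37 89 ----a-w- c:\\users\\Michal\\AppData\\Local\\eoiqby.bat
2010-01-25 11:17 . 2008-08-18 18:50 680 ----a-w- c:\\users\\Michal\\AppData\\Local\\d3d9caps.dat
2010-01-15 09:26 . 2009-12-27 12:10 90 ----a-w- c:\\users\\Michal\\AppData\\Local\\bqguje.bat
2009-12-26 08:12 . 2009-12-07 22:29 90 ----a-w- c:\\users\\Michal\\AppData\\Local\\nnnnuovf.bat
2010-01-02 06:38 . 2010-01-25 00:48 916480 ----a-w- c:\\windows\\system32\\wininet.dll
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Svc]
"AntiVirusOverride"=dword:00000001
"""

# "<created> . <modified> <size|-------- > <attrs> <path>"; a size of
# dashes means the entry is a directory.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")  # heuristic: assumed shape of dropper names


@dataclass(frozen=True)
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str


def parse_file_entries(log_text: str) -> List[FileEntry]:
    """Extract every file/directory record from the log text."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def suspicious_bat_files(entries: List[FileEntry], max_size: int = 256) -> List[FileEntry]:
    """Small .bat files with random-looking names directly in AppData\\Local."""
    hits = []
    for e in entries:
        low = e.path.lower()
        if e.size is None or e.size > max_size or not low.endswith(".bat"):
            continue
        folder, _, name = low.rpartition("\\")
        if folder.endswith("\\appdata\\local") and RANDOM_STEM.match(name[:-4]):
            hits.append(e)
    return hits


# (key suffix, value name, first token of data, meaning); assumed rules
TAMPER_RULES: Tuple[Tuple[str, str, str, str], ...] = (
    ("policies\\system", "EnableLUA", "0", "UAC disabled"),
    ("security center\\monitoring", "DisableMonitoring", "dword:00000001",
     "Security Center no longer monitors this AV/firewall"),
    ("security center\\svc", "AntiVirusOverride", "dword:00000001",
     "Security Center antivirus warnings suppressed"),
)


def registry_tampering(log_text: str) -> List[Tuple[str, str, str]]:
    """Walk the REGEDIT4-style section and report values matching TAMPER_RULES."""
    findings, key = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        k = KEY_LINE.match(line)
        if k:
            key = k["key"].lower()
            continue
        v = VALUE_LINE.match(line)
        if not v:
            continue
        first_token = v["data"].split()[0]
        for suffix, name, data, meaning in TAMPER_RULES:
            if suffix in key and v["name"] == name and first_token == data:
                findings.append((key, name, meaning))
    return findings


def triage(log_text: str) -> dict:
    """Both checks over one log; returns plain data so it can be asserted on."""
    entries = parse_file_entries(log_text)
    return {
        "bat_droppers": [e.path for e in suspicious_bat_files(entries)],
        "tampering": registry_tampering(log_text),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run against the sample it reports the four .bat files (kozgb, eoiqby, bqguje, nnnnuovf) and three tampering findings; d3d9caps.dat and wininet.dll are ignored. The name heuristic will also catch legitimate short-named batch files, so treat a hit as something to hash and inspect, not as proof of infection.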


#12 myrti (Malware Study Hall Admin, 33,766 posts)

Posted 10 March 2010 - 09:06 AM

Hi,

the files weren't deleted. Please run another script:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\users\Michal\AppData\Local\nnnnuovf.bat
c:\users\Michal\AppData\Local\bqguje.bat
c:\users\Michal\AppData\Local\kozgb.bat


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti



#13 myrti (Malware Study Hall Admin, 33,766 posts)

Posted 17 March 2010 - 08:23 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
