
infected with ave.exe / Trojan.Zbot / Rootkit.TDSS / svchost


  • This topic is locked
11 replies to this topic

#1 IsaT
  • Members
  • 6 posts

Posted 20 April 2010 - 02:43 PM

Hi,

I have been infected with a virus/trojan - I assume - and now I have all sorts of issues. Main ones:
- ave.exe appearing - with fake AV screens and blocking my AV and Malwarebytes
- Internet randomly connecting to web pages
- svchost.exe appears in Temp folder - which creates some more connection attempts - apparently blocked by Auto Protect.


I have looked as much as possible on the internet but I cannot get rid of the problem. I ran the various AV tools (Symantec + Windows tools) and malware removers (Malwarebytes and Hitman Pro 3.5). They regularly pick up some problems with the scans and seem to delete/quarantine problematic files (such as those mentioned in the title, e.g. Trojan.Zbot). But within a few hours the problems are coming back. I have tried the suggested fixes several times - but it does not remove the problems - which keep coming back.

So I have now run your suggested process - DDS and GMER - see logs below. FYI, I could not enable the firewall (as advised in point 5) - even though I could log in as Administrator - a message said an error prevented me from enabling the firewall. Also after running GMER my computer completely froze - I just managed to save the file - but then was forced to restart the computer (manually).

Many thanks in advance for your help.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Isabelle at 16:59:32.79 on 20/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3582.2685 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bear Stearns\BearScreenLock\BearScreenLock.exe
C:\program files\marimba\Castanet Tuner\Tuner.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Uphclean\uphclean.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Isabelle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = firefox.exe
dPolicies-disallowrun: 2 = opera.exe
dPolicies-disallowrun: 3 = chrome.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://bba.bloomberg.net/default/Clients_common/ica32/icaweb.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188418525986
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188418516562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://jpmorgan.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.measurisk.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://216.255.118.171/dana-cached/sc/JuniperSetupClient.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-12-4 241815]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2006-12-4 10880]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-25 390528]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-20 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-20 54968]
R2 BearScreenLock;BearScreenLock;c:\program files\bear stearns\bearscreenlock\BearScreenLock.exe [2004-11-23 36864]
R2 BearTuner;Bear Tuner;c:\program files\marimba\castanet tuner\Tuner.exe [2006-7-14 32871]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\ocs inventory agent\OcsService.exe [2007-2-27 61440]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-23 779496]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-7-20 6016]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-26 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100419.002\naveng.sys [2010-4-20 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100419.002\navex15.sys [2010-4-20 1324720]
S0 bbqe;bbqe;c:\windows\system32\drivers\naxtj.sys --> c:\windows\system32\drivers\naxtj.sys [?]
S0 bmsirbnv;bmsirbnv;c:\windows\system32\drivers\xapxhorj.sys --> c:\windows\system32\drivers\xapxhorj.sys [?]
S0 cqoqpd;cqoqpd;c:\windows\system32\drivers\pvnvgs.sys --> c:\windows\system32\drivers\pvnvgs.sys [?]
S0 nycmqo;nycmqo;c:\windows\system32\drivers\ygwy.sys --> c:\windows\system32\drivers\ygwy.sys [?]
S0 qepidij;qepidij;c:\windows\system32\drivers\cnnnfuya.sys --> c:\windows\system32\drivers\cnnnfuya.sys [?]
S0 rhnjx;rhnjx;c:\windows\system32\drivers\rujc.sys --> c:\windows\system32\drivers\rujc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-11 135664]
S2 gupdateAudioSrv;Google Update Service (gupdate) gupdateAudioSrv;c:\windows\system32\acelpdecl.exe srv --> c:\windows\system32\acelpdecl.exe srv [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-04-20 15:59:31 0 d-----w- c:\temp\A.tmp
2010-04-20 15:57:41 0 ----a-w- c:\documents and settings\isabelle\defogger_reenable
2010-04-20 15:55:26 0 d-----w- c:\temp\WPDNSE
2010-04-20 15:54:16 0 d-----w- c:\temp\Google Toolbar
2010-04-20 15:52:03 46640 ----a-w- c:\windows\system32\msln.exe
2010-04-20 15:50:24 16384 ----atw- c:\temp\Perflib_Perfdata_890.dat
2010-04-20 15:24:18 16384 ----atw- c:\temp\Perflib_Perfdata_850.dat
2010-04-20 14:47:00 16384 ----atw- c:\temp\Perflib_Perfdata_394.dat
2010-04-20 14:38:40 5918776 ----a-w- C:\mbam-setup-1.45.exe
2010-04-20 09:30:57 16384 ----atw- c:\temp\Perflib_Perfdata_88c.dat
2010-04-19 17:39:55 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-19 17:27:35 16384 ----atw- c:\temp\Perflib_Perfdata_7e8.dat
2010-04-19 17:12:00 16384 ----atw- c:\temp\Perflib_Perfdata_7a0.dat
2010-04-19 16:49:52 0 d-----w- c:\temp\Acrobat Distiller 7
2010-04-19 16:49:37 16384 ----atw- c:\temp\Perflib_Perfdata_80c.dat
2010-04-19 16:48:28 0 d-----w- c:\temp\hsperfdata_SYSTEM
2010-04-19 16:47:56 0 d-sh--w- c:\temp\Temporary Internet Files
2010-04-19 16:47:56 0 d-----w- C:\Temp
2010-04-19 14:40:38 0 d-----w- c:\docume~1\isabelle\applic~1\Office Genuine Advantage
2010-04-19 14:37:55 0 d-----w- C:\BOtyko
2010-04-15 19:15:53 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-15 19:11:22 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 19:10:59 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-15 19:10:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-15 12:02:20 0 ----a-w- c:\windows\system32\acctresm.sys
2010-04-15 08:46:04 55732165 --sha-w- c:\windows\system32\adsnty.sys
2010-04-15 08:44:20 460 --s-a-w- c:\windows\system32\306870100.dat
2010-04-13 21:56:44 0 d-sh--w- c:\documents and settings\isabelle\IECompatCache
2010-04-13 18:13:18 54016 ----a-w- c:\windows\system32\drivers\cfpv.sys
2010-04-13 17:43:40 0 d-----w- c:\program files\Digital ProtectionXX
2010-04-13 17:39:18 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-04-13 17:37:13 0 d-----w- C:\spoolerlogs

==================== Find3M ====================

2010-04-19 11:29:49 32640 ----a-w- c:\windows\system32\drivers\symc8xx.sys
2010-04-19 11:29:49 32640 ----a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-05 13:19:27 157540 ----a-w- c:\windows\system32\nvModes.dat
2010-02-25 15:42:13 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-25 10:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys

============= FINISH: 17:01:05.26 ===============




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 19:36:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\Temp\pgtiypow.sys


---- System - GMER 1.0.15 ----

SSDT 8B1D3AE0 ZwAlertResumeThread
SSDT 8AEF0A88 ZwAlertThread
SSDT 8B34DE18 ZwAllocateVirtualMemory
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xA9362D92]
SSDT 8B096E90 ZwConnectPort
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xA936349E]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA96C9310]
SSDT 8B1D2B00 ZwCreateMutant
SSDT 8B1DFBD8 ZwCreateThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xA93635EA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xA9366D58]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xA9366D8A]
SSDT 8AE66AF0 ZwFreeVirtualMemory
SSDT 8B340990 ZwImpersonateAnonymousToken
SSDT 8B1D3270 ZwImpersonateThread
SSDT 8B2186A0 ZwMapViewOfSection
SSDT 8B33F350 ZwOpenEvent
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xA936354E]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xA96C9A60]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xA9362ED6]
SSDT 8AE27E78 ZwOpenProcessToken
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xA93630C8]
SSDT 8B03DA78 ZwOpenThreadToken
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xA93631FA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xA9366E62]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xA9366DCC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xA9366DFE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xA9366E30]
SSDT 8AE1CAB8 ZwResumeThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xA9362D40]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xA936364A]
SSDT 8AFC0A78 ZwSetInformationProcess
SSDT 8B336E68 ZwSetInformationThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xA9366CF0]
SSDT 8B1CF760 ZwSuspendProcess
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xA9362CE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xA9362C40]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xA9362C88]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA734AA80]
SSDT 8ADDBA78 ZwUnmapViewOfSection
SSDT 8B34D298 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 8 Bytes JMP 58A93635
.rsrc C:\WINDOWS\system32\drivers\symc8xx.sys entry point in ".rsrc" section [0xBA35F954]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7F53360, 0x36E81D, 0xE8000020]
page C:\WINDOWS\System32\Drivers\oz776.sys entry point in "page" section [0xACE5EE34]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1240] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00412220 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1240] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1240] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1240] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006C000C
.text C:\WINDOWS\System32\svchost.exe[1324] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0298000A
.text C:\WINDOWS\System32\svchost.exe[1324] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0297000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!TranslateMessage 7E418BF6 6 Bytes PUSH 71450022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!RegisterClassW 7E41A39A 6 Bytes PUSH 71570022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!RegisterClassExW 7E41AF7F 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!DdeInitializeW 7E4206D7 6 Bytes PUSH 714B0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!RegisterClassA 7E42EA5E 6 Bytes PUSH 71620022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!GetClipboardData 7E430DBA 6 Bytes PUSH 71480022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] GDI32.dll!BitBlt 77F16F79 6 Bytes PUSH 71540022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 714E0022
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 71650022
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[4848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[4848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\explorer.exe[4848] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\explorer.exe[4848] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\Explorer.EXE[5252] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[5252] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[5252] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[5252] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 01ED1102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5320] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00439530 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5320] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5320] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5320] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8B29DAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys@imagepath \systemroot\system32\drivers\PRAGMAtwixlvkwgs.sys
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@PRAGMAc \\?\globalroot\systemroot\system32\PRAGMAqdwjyduiwc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@PRAGMAd \\?\globalroot\systemroot\system32\drivers\PRAGMAtwixlvkwgs.sys
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@PRAGMAsrcr \\?\globalroot\systemroot\system32\PRAGMAcoigejudsr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@pragmaserf \\?\globalroot\systemroot\system32\PRAGMAylcsxrqoko.dll
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@pragmabbr \\?\globalroot\systemroot\system32\PRAGMAvxphkqhooj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@DisplayName USB Mass Storage Device
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@ImagePath system32\DRIVERS\USBSTOR.SYS
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@Start 4
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@Type 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\symc8xx.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
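Triage of the two logs above, as an added example (editor's note: this script is not part of the post and is not one of the tools the forum helpers use). The security-relevant signals in the DDS and GMER output are structural rather than name-based: six boot-start (S0) drivers whose image files DDS cannot find (`path --> path [?]`), a service whose display name claims to be Google Update while its image sits in `system32` with a stray `srv` argument, registry entries under `PRAGMAd.sys` whose modules are registered through `\\?\globalroot` paths, and two storage drivers (`atapi.sys`, `symc8xx.sys`) that GMER reports as modified. The script parses exactly those line formats and flags those conditions; the sample input is copied from the logs in this post. The product-to-directory map (`EXPECTED_DIRS`) and the list of boot-critical storage drivers (`BOOT_STORAGE_DRIVERS`) are assumptions chosen for this example, not something DDS or GMER define.

```python
"""Triage DDS 'SERVICES / DRIVERS' lines and GMER registry/file lines for
rootkit-style anomalies.  Added example; not part of the forum post."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# DDS service/driver line, e.g.
#   R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-12-4 241815]
#   S0 bbqe;bbqe;c:\windows\system32\drivers\naxtj.sys --> c:\windows\system32\drivers\naxtj.sys [?]
DDS_SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
GMER_REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)\s+(?P<value>.*)$")
GMER_FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$", re.IGNORECASE)
SERVICE_IN_KEY_RE = re.compile(r"\\Services\\([^\\@]+)", re.IGNORECASE)

# Assumption for this example: a display name claiming one of these products should
# point at a binary under the matching directory.  Extend for the products you expect.
EXPECTED_DIRS = {"google update": "\\program files\\google\\"}
# Assumption: boot-critical storage drivers; a patched copy runs before any AV filter.
BOOT_STORAGE_DRIVERS = {"atapi.sys", "iastor.sys", "disk.sys"}
GLOBALROOT = "\\\\?\\globalroot\\"


@dataclass
class Finding:
    source: str                                  # "dds" or "gmer"
    item: str                                    # service name or file path
    reasons: list[str] = field(default_factory=list)


def triage_dds_services(text: str) -> list[Finding]:
    """Flag DDS service entries whose registration does not match what is on disk."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = DDS_SVC_RE.match(line.strip())
        if not m:
            continue
        start, display, rest = int(m["start"]), m["display"].lower(), m["rest"].lower()
        reasons: list[str] = []
        # DDS prints "path --> path [?]" when the registered image is absent on disk.
        if "-->" in rest and rest.endswith("[?]"):
            reasons.append("registered image file is missing on disk")
            if start == 0:
                reasons.append("boot-start (S0) driver with no file: loads before AV filters, "
                               "yet nothing on disk can be inspected")
        for product, expected_dir in EXPECTED_DIRS.items():
            if product in display and expected_dir not in rest:
                reasons.append(f"display name claims '{product}' but image is not under {expected_dir}")
        if reasons:
            findings.append(Finding("dds", m["name"], reasons))
    return findings


def triage_gmer(text: str) -> list[Finding]:
    """Flag files GMER reports as modified and registry entries whose module paths use
    \\?\globalroot (an object-manager path that bypasses Win32 path handling); registry
    hits are grouped by service name."""
    findings: list[Finding] = []
    by_service: dict[str, Finding] = {}
    for line in text.splitlines():
        line = line.strip()
        if (m := GMER_FILE_RE.match(line)):
            path = m["path"]
            reasons = ["GMER reports suspicious modification; compare with the copy in dllcache or the SP3 media"]
            if path.rsplit("\\", 1)[-1].lower() in BOOT_STORAGE_DRIVERS:
                reasons.append("boot-start storage driver: a patched copy runs before security software loads")
            findings.append(Finding("gmer", path, reasons))
            continue
        if (m := GMER_REG_RE.match(line)) and GLOBALROOT in m["value"].lower():
            svc = SERVICE_IN_KEY_RE.search(m["key"])
            if svc:
                f = by_service.setdefault(svc.group(1), Finding("gmer", svc.group(1)))
                f.reasons.append(f"module registered via globalroot path: {m['value']}")
    return findings + list(by_service.values())


# Sample input: lines copied from the DDS and GMER logs posted in this thread.
SAMPLE_DDS = r"""
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-12-4 241815]
S0 bbqe;bbqe;c:\windows\system32\drivers\naxtj.sys --> c:\windows\system32\drivers\naxtj.sys [?]
S0 bmsirbnv;bmsirbnv;c:\windows\system32\drivers\xapxhorj.sys --> c:\windows\system32\drivers\xapxhorj.sys [?]
S0 rhnjx;rhnjx;c:\windows\system32\drivers\rujc.sys --> c:\windows\system32\drivers\rujc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-11 135664]
S2 gupdateAudioSrv;Google Update Service (gupdate) gupdateAudioSrv;c:\windows\system32\acelpdecl.exe srv --> c:\windows\system32\acelpdecl.exe srv [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
"""
SAMPLE_GMER = r"""
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys@imagepath \systemroot\system32\drivers\PRAGMAtwixlvkwgs.sys
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@PRAGMAc \\?\globalroot\systemroot\system32\PRAGMAqdwjyduiwc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@PRAGMAd \\?\globalroot\systemroot\system32\drivers\PRAGMAtwixlvkwgs.sys
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@ImagePath system32\DRIVERS\USBSTOR.SYS
File C:\WINDOWS\system32\drivers\symc8xx.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""


def main() -> None:
    for f in triage_dds_services(SAMPLE_DDS) + triage_gmer(SAMPLE_GMER):
        print(f"[{f.source}] {f.item}")
        for r in f.reasons:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```

The output is a prioritisation list for the helper, not a verdict: a boot-start driver whose file is gone is also what a half-finished AV removal leaves behind, and GMER's "suspicious modification" on a storage driver has to be confirmed by hashing the file against the copy in dllcache or the service-pack media before the driver is replaced.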

#2 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 April 2010 - 12:14 PM

Hi IsaT,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Please run it again and post the log. No need for the Attach.txt log.

  2. Please download mbr.exe from the following link and put in the C:\Windows directory.
    http://www2.gmer.net/mbr/mbr.exe

  3. Download http://download.bleepingcomputer.com/farbar/TDL-Fix.exe and save it to your desktop.
    • Double-click it to run. A command window opens.
    • Type mbr and press Enter.
    • A log file opens. Please post it to your reply.


#3 IsaT
  • Topic Starter
  • Members
  • 6 posts

Posted 23 April 2010 - 08:07 AM

Hi Farbar,

thank you so much for your help - I am really grateful. And of course I am more than happy to make any change to the system as you request.

So since I sent my initial post, I had disconnected the computer from the internet - to try to minimise further problems while waiting for your response. I have only reconnected to run your process in your response:

- I re-ran DDS - see log below
- I re-ran gmer - see log below

While this time it was easier to save the GMER log, CPU usage was still at 100% even after it had finished. So I restarted the computer - but before restarting I disconnected the computer from the Internet - to avoid more problems as it restarts - and only reconnected after it rebooted to continue with your next step.

- So I downloaded mbr and TDL-Fix and ran it as requested - see log below.

Now, as I am writing this reply, I have a pop-up window: Windows Defender Warning: Trojan:Win32/Hiloti.gen!D, Alert Level = Severe. Not sure what to do with it.

Many thanks again for your help. I look forward to receiving your answer.

IsaT




DDS (Ver_10-03-17.01) - NTFSx86
Run by Isabelle at 11:07:42.42 on 23/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3582.2698 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bear Stearns\BearScreenLock\BearScreenLock.exe
C:\program files\marimba\Castanet Tuner\Tuner.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Uphclean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\program files\marimba\Castanet Tuner\lib\jre\bin\java.exe
C:\Documents and Settings\Isabelle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = firefox.exe
dPolicies-disallowrun: 2 = opera.exe
dPolicies-disallowrun: 3 = chrome.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://bba.bloomberg.net/default/Clients_common/ica32/icaweb.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188418525986
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188418516562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://jpmorgan.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.measurisk.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://216.255.118.171/dana-cached/sc/JuniperSetupClient.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-12-4 241815]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2006-12-4 10880]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-25 390528]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-20 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-20 54968]
R2 BearScreenLock;BearScreenLock;c:\program files\bear stearns\bearscreenlock\BearScreenLock.exe [2004-11-23 36864]
R2 BearTuner;Bear Tuner;c:\program files\marimba\castanet tuner\Tuner.exe [2006-7-14 32871]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\ocs inventory agent\OcsService.exe [2007-2-27 61440]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-23 779496]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-7-20 6016]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-26 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100419.002\naveng.sys [2010-4-20 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100419.002\navex15.sys [2010-4-20 1324720]
S0 bbqe;bbqe;c:\windows\system32\drivers\naxtj.sys --> c:\windows\system32\drivers\naxtj.sys [?]
S0 bmsirbnv;bmsirbnv;c:\windows\system32\drivers\xapxhorj.sys --> c:\windows\system32\drivers\xapxhorj.sys [?]
S0 cqoqpd;cqoqpd;c:\windows\system32\drivers\pvnvgs.sys --> c:\windows\system32\drivers\pvnvgs.sys [?]
S0 nycmqo;nycmqo;c:\windows\system32\drivers\ygwy.sys --> c:\windows\system32\drivers\ygwy.sys [?]
S0 qepidij;qepidij;c:\windows\system32\drivers\cnnnfuya.sys --> c:\windows\system32\drivers\cnnnfuya.sys [?]
S0 rhnjx;rhnjx;c:\windows\system32\drivers\rujc.sys --> c:\windows\system32\drivers\rujc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-11 135664]
S2 gupdateAudioSrv;Google Update Service (gupdate) gupdateAudioSrv;c:\windows\system32\acelpdecl.exe srv --> c:\windows\system32\acelpdecl.exe srv [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-04-23 10:07:41 0 d-----w- c:\temp\8C.tmp
2010-04-21 00:57:02 0 d-----w- c:\temp\MPTelemetrySubmit
2010-04-20 19:09:49 16384 ----atw- c:\temp\Perflib_Perfdata_8a4.dat
2010-04-20 19:09:14 0 d-----w- c:\temp\WPDNSE
2010-04-20 15:57:41 0 ----a-w- c:\documents and settings\isabelle\defogger_reenable
2010-04-20 15:54:16 0 d-----w- c:\temp\Google Toolbar
2010-04-20 15:50:24 16384 ----atw- c:\temp\Perflib_Perfdata_890.dat
2010-04-20 15:24:18 16384 ----atw- c:\temp\Perflib_Perfdata_850.dat
2010-04-20 14:47:00 16384 ----atw- c:\temp\Perflib_Perfdata_394.dat
2010-04-20 14:38:40 5918776 ----a-w- C:\mbam-setup-1.45.exe
2010-04-20 09:30:57 16384 ----atw- c:\temp\Perflib_Perfdata_88c.dat
2010-04-19 17:39:55 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-19 17:27:35 16384 ----atw- c:\temp\Perflib_Perfdata_7e8.dat
2010-04-19 17:12:00 16384 ----atw- c:\temp\Perflib_Perfdata_7a0.dat
2010-04-19 16:49:52 0 d-----w- c:\temp\Acrobat Distiller 7
2010-04-19 16:49:37 16384 ----atw- c:\temp\Perflib_Perfdata_80c.dat
2010-04-19 16:48:28 0 d-----w- c:\temp\hsperfdata_SYSTEM
2010-04-19 16:47:56 0 d-sh--w- c:\temp\Temporary Internet Files
2010-04-19 16:47:56 0 d-----w- C:\Temp
2010-04-19 14:40:38 0 d-----w- c:\docume~1\isabelle\applic~1\Office Genuine Advantage
2010-04-19 14:37:55 0 d-----w- C:\BOtyko
2010-04-15 19:15:53 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-15 19:11:22 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 19:10:59 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-15 19:10:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-15 12:02:20 0 ----a-w- c:\windows\system32\acctresm.sys
2010-04-15 08:46:04 55732165 --sha-w- c:\windows\system32\adsnty.sys
2010-04-15 08:44:20 460 --s-a-w- c:\windows\system32\306870100.dat
2010-04-13 21:56:44 0 d-sh--w- c:\documents and settings\isabelle\IECompatCache
2010-04-13 18:13:18 54016 ----a-w- c:\windows\system32\drivers\cfpv.sys
2010-04-13 17:43:40 0 d-----w- c:\program files\Digital ProtectionXX
2010-04-13 17:39:18 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-04-13 17:37:13 0 d-----w- C:\spoolerlogs

==================== Find3M ====================

2010-04-22 13:44:44 32640 ----a-w- c:\windows\system32\drivers\symc8xx.sys
2010-04-22 13:44:44 32640 ----a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-05 13:19:27 157540 ----a-w- c:\windows\system32\nvModes.dat
2010-02-25 15:42:13 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-25 10:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys

============= FINISH: 11:09:12.14 ===============






GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-23 13:43:52
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\Temp\pgtiypow.sys


---- System - GMER 1.0.15 ----

SSDT 8AFD5A78 ZwAlertResumeThread
SSDT 8B382370 ZwAlertThread
SSDT 8B1A9828 ZwAllocateVirtualMemory
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xA58A6D92]
SSDT 8B39BBC8 ZwConnectPort
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xA58A749E]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA9009310]
SSDT 8B03AA78 ZwCreateMutant
SSDT 8B1AA9A0 ZwCreateThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xA58A75EA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xA58AAD58]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xA58AAD8A]
SSDT 8B266670 ZwFreeVirtualMemory
SSDT 8B00CD58 ZwImpersonateAnonymousToken
SSDT 8B011A78 ZwImpersonateThread
SSDT 8AFD2A80 ZwMapViewOfSection
SSDT 8B038A78 ZwOpenEvent
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xA58A754E]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xA9009A60]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xA58A6ED6]
SSDT 8AF68BF0 ZwOpenProcessToken
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xA58A70C8]
SSDT 8AFA3DF0 ZwOpenThreadToken
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xA58A71FA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xA58AAE62]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xA58AADCC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xA58AADFE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xA58AAE30]
SSDT 8B046A80 ZwResumeThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xA58A6D40]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xA58A764A]
SSDT 8B082DE0 ZwSetInformationProcess
SSDT 8B030CF0 ZwSetInformationThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xA58AACF0]
SSDT 8B01FCC8 ZwSuspendProcess
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xA58A6CE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xA58A6C40]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xA58A6C88]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA2A84A80]
SSDT 8B00AA78 ZwUnmapViewOfSection
SSDT 8B1A79B0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 8 Bytes JMP 58A58A75
.rsrc C:\WINDOWS\system32\drivers\symc8xx.sys entry point in ".rsrc" section [0xBA35F954]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5521360, 0x36E81D, 0xE8000020]
page C:\WINDOWS\System32\Drivers\oz776.sys entry point in "page" section [0xBA222E34]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1244] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00412220 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1244] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1244] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1244] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022
.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1320] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006C000C
.text C:\WINDOWS\System32\svchost.exe[1320] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0393000A
.text C:\WINDOWS\System32\svchost.exe[1320] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 038A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!TranslateMessage 7E418BF6 6 Bytes PUSH 71420022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!RegisterClassW 7E41A39A 6 Bytes PUSH 71570022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!RegisterClassExW 7E41AF7F 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!DdeInitializeW 7E4206D7 6 Bytes PUSH 71480022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!RegisterClassA 7E42EA5E 6 Bytes PUSH 71620022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!GetClipboardData 7E430DBA 6 Bytes PUSH 71450022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] GDI32.dll!BitBlt 77F16F79 6 Bytes PUSH 71510022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 714B0022
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 71650022
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2860] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[2860] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[2860] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[2860] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 02961102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3024] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00439530 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3024] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3024] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3024] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022
.text C:\WINDOWS\system32\wuauclt.exe[5036] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[5036] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[5036] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8B2DDAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys@imagepath \systemroot\system32\drivers\PRAGMAtwixlvkwgs.sys
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@PRAGMAc \\?\globalroot\systemroot\system32\PRAGMAqdwjyduiwc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@PRAGMAd \\?\globalroot\systemroot\system32\drivers\PRAGMAtwixlvkwgs.sys
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@PRAGMAsrcr \\?\globalroot\systemroot\system32\PRAGMAcoigejudsr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@pragmaserf \\?\globalroot\systemroot\system32\PRAGMAylcsxrqoko.dll
Reg HKLM\SYSTEM\ControlSet001\Services\PRAGMAd.sys\modules@pragmabbr \\?\globalroot\systemroot\system32\PRAGMAvxphkqhooj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@DisplayName USB Mass Storage Device
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@ImagePath system32\DRIVERS\USBSTOR.SYS
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@Start 4
Reg HKLM\SYSTEM\ControlSet002\Services\USBSTOR@Type 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\symc8xx.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----





Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B2E2AC8]<<
kernel: MBR read successfully
user & kernel MBR OK
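
The DDS log in the post above carries several indicators that a responder would want to pull out mechanically rather than by eye: boot-start (S0) drivers with random names whose image file is missing (DDS echoes these as "path --> path [?]"), a second "Google Update Service (gupdate)" entry that runs c:\windows\system32\acelpdecl.exe instead of GoogleUpdate.exe, EnableLUA = 0, and a default-hive DisallowRun list aimed at firefox.exe, opera.exe and chrome.exe. The Python script below is an added example for this page; it is not part of DDS, GMER, ComboFix or Farbar's instructions. The rule names, severities and the lexical "random name" heuristic are choices made here, and the sample input is constructed from abridged lines of the log above.

```python
"""Triage of DDS 'SERVICES / DRIVERS' and policy lines for rootkit indicators.

Added example for this thread; it is not part of DDS, GMER or ComboFix.
It scores the patterns visible in the posted log: services whose binary
is missing from disk (DDS echoes them as "path --> path [?]"), boot-start
(type 0) entries among those, machine-generated service names, a display
name that mimics a genuine service but runs a different binary, and
Explorer DisallowRun policies that block browsers.  Rule names and
severities are choices made here, not DDS conventions.
"""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule subject detail")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# DDS service line: <R|S><start type> <name>;<display name>;<image path> [...]
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*)$")
# DDS policy line: <u|m|d>Policies-<area>: <key> = <value>
POLICY_RE = re.compile(r"^([umd])Policies-(\w+): (.+?) = (.+)$")
BROWSERS = {"firefox.exe", "opera.exe", "chrome.exe", "iexplore.exe", "safari.exe"}

# Constructed sample input: lines copied (abridged) from the DDS log in the thread.
SAMPLE_DDS = r"""
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-12-4 241815]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2006-12-4 10880]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-20 337592]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 bbqe;bbqe;c:\windows\system32\drivers\naxtj.sys --> c:\windows\system32\drivers\naxtj.sys [?]
S0 bmsirbnv;bmsirbnv;c:\windows\system32\drivers\xapxhorj.sys --> c:\windows\system32\drivers\xapxhorj.sys [?]
S0 rhnjx;rhnjx;c:\windows\system32\drivers\rujc.sys --> c:\windows\system32\drivers\rujc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-11 135664]
S2 gupdateAudioSrv;Google Update Service (gupdate) gupdateAudioSrv;c:\windows\system32\acelpdecl.exe srv --> c:\windows\system32\acelpdecl.exe srv [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = firefox.exe
dPolicies-disallowrun: 2 = opera.exe
dPolicies-disallowrun: 3 = chrome.exe
"""


def looks_random(name):
    """Weak lexical hint for machine-generated names: no vowels at all, or a
    'q' not followed by 'u'.  Abbreviated legitimate names can trip this, so it
    is reported as low severity and only meant to support other findings."""
    n = name.lower()
    if not re.search(r"[aeiouy]", n):
        return True
    return re.search(r"q(?!u)", n) is not None


def parse_services(text):
    """Return one dict per DDS service/driver line."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        rest = rest.strip()
        missing = rest.endswith("[?]")
        # A missing image is echoed as "path --> path [?]"; otherwise the path
        # is followed by " [date size]".
        binary = rest.split(" --> ")[0] if missing else rest.rsplit(" [", 1)[0]
        services.append({"running": state == "R", "start": int(start), "name": name,
                         "display": display, "binary": binary.strip(), "missing": missing})
    return services


def triage(text):
    """Run every rule over a DDS log excerpt and return findings, worst first."""
    services = parse_services(text)
    findings = []
    for s in services:
        if s["missing"]:
            # A boot-start (type 0) driver whose file cannot be seen is either a
            # leftover of an incomplete cleanup or a driver being hidden; both
            # need explaining, so it is rated above a missing user-mode service.
            sev = "high" if s["start"] == 0 else "medium"
            findings.append(Finding(sev, "MISSING_IMAGE", s["name"],
                                    "start=%d, image not on disk: %s" % (s["start"], s["binary"])))
        if looks_random(s["name"]):
            findings.append(Finding("low", "RANDOM_NAME", s["name"],
                                    "service name looks machine-generated"))
        for other in services:
            # Display name that extends a genuine service's display name while
            # running from a different directory (gupdateAudioSrv vs gupdate).
            if (other is not s and len(s["display"]) > len(other["display"])
                    and s["display"].startswith(other["display"])
                    and ntpath.dirname(s["binary"]) != ntpath.dirname(other["binary"])):
                findings.append(Finding("high", "DISPLAY_NAME_MIMIC", s["name"],
                                        "mimics '%s' but runs %s" % (other["display"], s["binary"])))
    blocked = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        hive, area, key, value = m.groups()
        if area == "disallowrun":
            blocked.append(value.strip().lower())
        elif area == "system" and key == "EnableLUA" and value.startswith("0"):
            findings.append(Finding("medium", "ENABLELUA_ZERO", hive + "Policies-system",
                                    "EnableLUA = 0; confirm it is an intended admin setting"))
    browsers = sorted(b for b in blocked if b in BROWSERS)
    if browsers:
        # A DisallowRun list aimed at browsers is not a normal admin policy; in
        # the posted log it sits next to the fake-AV and rootkit findings.
        findings.append(Finding("high", "BROWSERS_BLOCKED", "dPolicies-disallowrun",
                                "DisallowRun targets " + ", ".join(browsers)))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.rule, f.subject))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print("%-6s %-18s %-16s %s" % (f.severity, f.rule, f.subject, f.detail))
```

Run against the sample it reports nine findings: the three S0 drivers and gupdateAudioSrv as MISSING_IMAGE, gupdateAudioSrv again as DISPLAY_NAME_MIMIC, the browser DisallowRun list, EnableLUA = 0, and bbqe and rhnjx as low-severity RANDOM_NAME hints. Paste a full DDS log in place of SAMPLE_DDS to triage a real case; the Pseudo HJT and SERVICES / DRIVERS sections are the only ones the regexes consume.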


#4 Farbar


    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 April 2010 - 09:52 AM

Thanks for the detailed feedback.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the not trusted download sites for ComboFix, click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#5 IsaT

  • Topic Starter

  • Members
  • 6 posts

Posted 26 April 2010 - 05:32 AM

Hi Farbar,

thank you very much for your response and your help. So I have tried to follow the steps you suggested - see the details below:

- I reconnected the computer to the Internet (it was disconnected before, to limit further problems) to download ComboFix
- I tried to disable all AV/malware utilities - not sure I did it all right, though, but did what looked like it
- Downloaded ComboFix and ran it
- After a few minutes I had a message saying that a rootkit was detected and had to restart the computer
- Then it looked like it was trying to close and restart Windows - but nothing really happened for a long time - I waited several hours.
- So I had to manually switch off the computer and restart
- Before doing that I also disconnected the computer from the Internet again
- Once I restarted/logged in, the ComboFix window was open and it launched the process automatically
- At some point the computer restarted again, and this time without problems
- Logged back in, and after a few minutes I had a message that it was preparing the log - which I have copied below.
- Then I reconnected the computer to the Internet to post my reply.

Let me know what you think I should do next - or maybe if the problem is solved! :-) Many many thanks again for your help.

Cheers
IsaT




ComboFix 10-04-21.01 - Isabelle 26/04/2010 11:00:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3582.2894 [GMT 1:00]
Running from: c:\documents and settings\Isabelle\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\windows\Feb 2007 MS Hotfix Security Assessment .doc
c:\windows\kbsfr32.dll
c:\windows\system32\306870100.dat
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\Temp

Infected copy of c:\windows\system32\drivers\symc8xx.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GUPDATEAUDIOSRV
-------\Service_gupdateAudioSrv


((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
.

2010-04-26 10:08 . 2010-04-26 10:08 -------- d-----w- c:\temp\WPDNSE
2010-04-26 10:07 . 2010-04-26 10:07 16384 ----atw- c:\temp\Perflib_Perfdata_328.dat
2010-04-26 09:59 . 2010-04-26 09:59 16384 ----atw- c:\temp\Perflib_Perfdata_2a4.dat
2010-04-21 00:57 . 2010-04-23 00:57 -------- d-----w- c:\temp\MPTelemetrySubmit
2010-04-21 00:57 . 2010-04-21 00:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-04-20 15:54 . 2010-04-26 10:04 -------- d-----w- c:\temp\Google Toolbar
2010-04-20 15:54 . 2010-04-20 15:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-04-20 14:38 . 2010-04-19 11:05 5918776 ----a-w- C:\mbam-setup-1.45.exe
2010-04-19 17:42 . 2010-04-19 17:42 -------- d-----w- c:\program files\Windows Defender
2010-04-19 17:39 . 2010-02-24 09:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-19 16:49 . 2010-04-26 10:08 -------- d-----w- c:\temp\Acrobat Distiller 7
2010-04-19 16:48 . 2010-04-26 10:07 -------- d-----w- c:\temp\hsperfdata_SYSTEM
2010-04-19 16:47 . 2010-04-26 10:08 -------- d-----w- C:\Temp
2010-04-19 16:47 . 2010-04-26 10:06 -------- d-sh--w- c:\temp\Temporary Internet Files
2010-04-19 14:40 . 2010-04-19 14:40 -------- d-----w- c:\documents and settings\Isabelle\Application Data\Office Genuine Advantage
2010-04-19 14:37 . 2010-04-19 14:47 -------- d-----w- C:\BOtyko
2010-04-19 09:36 . 2010-04-19 09:36 417792 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\RapportMR.dll
2010-04-19 09:36 . 2010-04-19 09:36 73728 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\ncqo.exe
2010-04-16 16:38 . 2010-04-16 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-15 19:15 . 2010-04-19 09:42 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-15 19:11 . 2010-04-20 09:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 19:10 . 2010-04-15 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-15 19:10 . 2010-04-15 19:10 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-15 17:32 . 2010-04-15 17:32 77312 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16032\jcmqu.exe
2010-04-15 17:32 . 2010-04-15 17:32 73728 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16032\ncqo.exe
2010-04-15 17:32 . 2010-04-15 17:32 417792 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16032\RapportMR.dll
2010-04-15 12:02 . 2010-04-15 17:30 0 ----a-w- c:\windows\system32\acctresm.sys
2010-04-15 08:46 . 2010-04-16 13:48 55732165 --sha-w- c:\windows\system32\adsnty.sys
2010-04-15 08:43 . 2010-04-15 10:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-13 21:56 . 2010-04-13 21:56 -------- d-sh--w- c:\documents and settings\Isabelle\IECompatCache
2010-04-13 18:46 . 2010-04-13 18:46 -------- d-sh--w- c:\documents and settings\LocalService\Temporary Internet Files
2010-04-13 18:38 . 2010-04-13 18:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 18:13 . 2010-04-13 18:13 54016 ----a-w- c:\windows\system32\drivers\cfpv.sys
2010-04-13 17:43 . 2010-04-13 21:21 -------- d-----w- c:\program files\Digital ProtectionXX
2010-04-13 17:39 . 2010-04-19 09:41 0 ----a-w- c:\documents and settings\Isabelle\Application Data\Trusteer\Rapport\RapportBukaExt.dll
2010-04-13 17:39 . 2010-04-13 17:39 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-04-13 17:38 . 2010-04-13 17:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-13 17:37 . 2010-04-13 17:37 -------- d-----w- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 10:10 . 2008-10-16 20:10 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-26 09:59 . 2008-10-16 18:43 -------- d-----w- c:\program files\OCS Inventory Agent
2010-04-22 13:44 . 2006-12-07 12:01 32640 ----a-w- c:\windows\system32\drivers\symc8xx.sys
2010-04-20 15:22 . 2010-01-20 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 09:31 . 2007-07-20 18:10 -------- d-----w- c:\program files\UltraVNC
2010-04-16 17:14 . 2010-03-20 10:26 -------- d-----w- c:\documents and settings\Isabelle\Application Data\Suig
2010-04-13 21:24 . 2010-01-20 22:22 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-29 23:46 . 2010-01-20 22:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2010-01-20 22:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 03:20 . 2010-03-10 17:18 -------- d-----w- c:\program files\Google
2010-03-10 17:18 . 2010-03-10 17:16 -------- d-----w- c:\program files\Zylom Games
2010-03-10 17:16 . 2010-03-10 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
2010-03-10 06:15 . 2004-08-04 16:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 15:25 . 2010-03-05 16:25 -------- d-----w- c:\documents and settings\Isabelle\Application Data\U3
2010-03-05 15:17 . 2010-03-05 15:17 -------- d-----w- c:\documents and settings\Isabelle\Application Data\Malwarebytes
2010-03-05 13:51 . 2010-03-05 13:51 -------- d-----w- c:\documents and settings\Isabelle\Application Data\AdobeUM
2010-03-05 13:21 . 2010-03-05 13:21 95672 ----a-w- c:\documents and settings\Isabelle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-05 13:19 . 2008-10-15 22:17 157540 ----a-w- c:\windows\system32\nvModes.dat
2010-03-04 17:47 . 2008-10-16 20:05 256 ----a-w- c:\windows\system32\pool.bin
2010-03-04 14:53 . 2010-03-04 14:23 -------- d-----w- c:\program files\Unlocker
2010-03-04 14:24 . 2006-12-04 14:03 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-03 19:04 . 2010-03-03 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-03 18:38 . 2010-03-03 18:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2010-03-03 17:41 . 2010-03-03 17:41 95672 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 17:40 . 2010-03-03 17:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Research In Motion
2010-03-03 17:39 . 2010-03-03 17:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Trusteer
2010-03-01 12:11 . 2010-03-05 13:18 -------- d-----w- c:\documents and settings\Isabelle\Application Data\Trusteer
2010-02-27 08:23 . 2010-02-27 08:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-02-25 19:49 . 2010-02-25 19:49 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-02-25 17:35 . 2010-02-25 16:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-25 17:13 . 2006-12-04 12:21 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-25 15:42 . 2010-02-25 15:42 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-25 15:42 . 2010-02-25 15:42 390528 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys
2010-02-25 15:42 . 2010-02-25 15:42 249856 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
2010-02-25 06:24 . 2004-08-04 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 16:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-04 16:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 02:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-02-25 17:40 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-04 16:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 16:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2008-02-22 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-01-07 98304]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-15 5650240]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2007-8-29 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= firefox.exe
"2"= opera.exe
"3"= chrome.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acro User Config]
2005-03-03 15:35 122734 ----a-w- c:\acroread\Reader\Acro_user_config.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flash User Config]
2004-05-04 20:19 121465 -c--a-w- c:\windows\system32\Macromed\Shockwave 10\Xtras\Flash_user_config.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 21:07 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-07-21 22:50 86016 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-07-21 22:48 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPlager User Config]
2005-04-08 16:52 123426 ----a-w- c:\program files\Windows Media Player\WMP_USER_CONFIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-07-21 22:47 81920 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RightFaxClient]
2001-03-13 21:36 139264 ----a-w- c:\program files\RightFAX\FaxCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-05-01 14:07 843776 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 07:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zie_user_config]
2006-04-28 16:04 123639 ----a-w- c:\program files\Internet Explorer\ie_user_config.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tb2Launch"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [04/12/2006 13:34 241815]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [04/12/2006 13:34 10880]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [25/02/2010 16:42 390528]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [23/03/2010 16:39 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [23/03/2010 16:39 125160]
R2 BearScreenLock;BearScreenLock;c:\program files\Bear Stearns\BearScreenLock\BearScreenLock.exe [23/11/2004 22:19 36864]
R2 BearTuner;Bear Tuner;c:\program files\marimba\Castanet Tuner\Tuner.exe [14/07/2006 16:21 32871]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [27/02/2007 20:32 61440]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [23/03/2010 16:39 779496]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [15/06/2006 06:40 115952]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [20/07/2007 19:10 6016]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/02/2010 15:58 102448]
S0 bbqe;bbqe;c:\windows\system32\drivers\naxtj.sys --> c:\windows\system32\drivers\naxtj.sys [?]
S0 bmsirbnv;bmsirbnv;c:\windows\system32\drivers\xapxhorj.sys --> c:\windows\system32\drivers\xapxhorj.sys [?]
S0 cqoqpd;cqoqpd;c:\windows\system32\drivers\pvnvgs.sys --> c:\windows\system32\drivers\pvnvgs.sys [?]
S0 nycmqo;nycmqo;c:\windows\system32\drivers\ygwy.sys --> c:\windows\system32\drivers\ygwy.sys [?]
S0 qepidij;qepidij;c:\windows\system32\drivers\cnnnfuya.sys --> c:\windows\system32\drivers\cnnnfuya.sys [?]
S0 rhnjx;rhnjx;c:\windows\system32\drivers\rujc.sys --> c:\windows\system32\drivers\rujc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/03/2010 04:20 135664]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 03:20]

2010-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 03:20]

2010-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2010-04-26 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://216.255.118.171/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKU-Default-Run-Xlecinagogu - c:\windows\kbsfr32.dll
HKU-Default-Run-SVCHOST.EXE - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-TLogonPath - c:\program files\Timbuktu Pro\Tb2Logon.exe
AddRemove-eBay Icon - c:\documents and settings\tykoczi\Application Data\Desktopicon\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 11:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(7488)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\7.00\HostExplorer\Ftp\HESHELL.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\marimba\Castanet Tuner\lib\jre\bin\java.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
c:\windows\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre1.6.0_01\bin\javaw.exe
c:\windows\System32\snmp.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\progra~1\Uphclean\uphclean.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-04-26 11:12:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-26 10:12

Pre-Run: 119,995,191,296 bytes free
Post-Run: 120,617,566,208 bytes free

Current=4 Default=4 Failed=1 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 529345E407F78EC23D23BE31631DE8AF
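The log above shows three patterns a helper reads for first: Start-type 0 drivers whose file ComboFix could not locate (the `[?]` marker on the bbqe, bmsirbnv and similar entries), an Explorer DisallowRun policy listing firefox.exe, opera.exe and chrome.exe, and Security Center override values set to 1. The following Python script is an added triage example, not part of this thread and not a ComboFix feature; it parses ComboFix-style log text for exactly those indicators. The sample text is an excerpt constructed from lines in the log above, and the function names and regular expressions are my own.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix code).

Flags three things a helper reading a log like the one above looks at first:
  * R*/S* driver or service lines whose file could not be found ("[?]")
  * Explorer "DisallowRun" entries, which in that log list the user's browsers
  * Security Center override values that silence AV/firewall warnings
"""
import re

# Constructed excerpt: lines in the format ComboFix prints, taken from the log
# posted above, so the functions have realistic input to run on offline.
SAMPLE_LOG = r"""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= firefox.exe
"2"= opera.exe
"3"= chrome.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [04/12/2006 13:34 10880]
S0 bbqe;bbqe;c:\windows\system32\drivers\naxtj.sys --> c:\windows\system32\drivers\naxtj.sys [?]
S0 rhnjx;rhnjx;c:\windows\system32\drivers\rujc.sys --> c:\windows\system32\drivers\rujc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/03/2010 04:20 135664]
"""

# "R0 name;display;path [date size]", or "[?]" when ComboFix could not find the file
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
OVERRIDE_NAMES = ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring")


def parse_services(text):
    """Return one dict per R*/S* line: start type, name, display name, path, missing flag."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, detail = m.groups()
            services.append({"start": start, "name": name, "display": display,
                             "path": path, "missing": detail == "?"})
    return services


def missing_driver_services(text):
    """Registered services/drivers whose binary ComboFix reported as not found."""
    return [s for s in parse_services(text) if s["missing"]]


def _registry_values(text):
    """Yield (key, name, data) for each value line under a [HKEY_...] header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2).strip()


def disallowed_programs(text):
    """Programs listed under the Explorer DisallowRun policy key, sorted."""
    return sorted({data.lower() for key, _name, data in _registry_values(text)
                   if key.lower().endswith(r"\policies\explorer\disallowrun")})


def _dword(data):
    """Decode a REGEDIT 'dword:XXXXXXXX' value, or None if it is not one."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
    return int(m.group(1), 16) if m else None


def security_center_overrides(text):
    """Security Center values set to 1 that suppress AV/firewall monitoring."""
    return [name for key, name, data in _registry_values(text)
            if r"\security center" in key.lower()
            and name in OVERRIDE_NAMES and _dword(data) == 1]


def triage(text):
    """Summarise the three indicator classes for a quick read of a log."""
    return {
        "missing_drivers": [s["name"] for s in missing_driver_services(text)],
        "disallowed_programs": disallowed_programs(text),
        "security_center_overrides": security_center_overrides(text),
    }


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(hits) or 'none'}")
```

Run against a saved C:\ComboFix.txt by reading the file into `triage()`; on the excerpt above it reports the two missing boot drivers, the three blocked browsers and all three Security Center overrides, which is the same set Farbar's follow-up script below targets with its driver:: and registry:: sections.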



#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:17 PM

Posted 26 April 2010 - 11:42 AM

Hi and well done IsaT.

The rootkit is taken care of.
  1. I don't think there is anything left, but to make sure, allow the internet connection while ComboFix is running in case it wants to upload the bad files.
    Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/311308/infected-with-aveexe-trojanzbot-rootkittdss-svchost/

    collect::
    c:\windows\system32\drivers\PRAGMAtwixlvkwgs.sys
    c:\windows\system32\PRAGMAqdwjyduiwc.dll
    c:\windows\system32\drivers\PRAGMAtwixlvkwgs.sys
    c:\windows\system32\PRAGMAcoigejudsr.dat
    c:\windows\system32\PRAGMAylcsxrqoko.dll
    c:\windows\system32\PRAGMAvxphkqhooj.dll
    registry::
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowRun"=-
    [-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]

    driver::
    bbqe
    bmsirbnv
    cqoqpd
    nycmqo
    qepidij
    rhnjx

    RegLockDel::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAd.sys]


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  4. Tell me how the computer is running now.


#7 IsaT

IsaT
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 26 April 2010 - 02:15 PM

Hi Farbar,
Thanks a lot again for your help with this. And from what you say it looks like we are making progress.

So I have done as you instructed:

- reconnected to the Internet
- Re-ran ComboFix as you said
- At some point it rebooted the computer.
- I logged in but it looks like something went wrong (maybe I did something without realising it) and I had a Windows error message (about memory...) - so had to click OK and then shortly after I had a blue screen with an Error Message saying it had to close Windows.
- So I restarted the computer manually and did the same thing again - and this time it all worked fine.
- I have copied the log below.

- then uninstalled the older Java version and installed the new one as recommended.

- then I ran MBAM - it found one trojan to remove - see log below - and I was asked to restart the computer which I did
- and here I am!

Let me know if you think I should do anything else at this stage.


many thanks again for your help - really appreciated.

Cheers
IsaT



ComboFix 10-04-26.01 - Isabelle 26/04/2010 18:44:15.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3582.2841 [GMT 1:00]
Running from: c:\documents and settings\Isabelle\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Isabelle\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\Drivers\cfpv.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bbqe
-------\Service_bmsirbnv
-------\Service_cqoqpd
-------\Service_nycmqo
-------\Service_qepidij
-------\Service_rhnjx


((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
.

2010-04-26 17:44 . 2010-04-26 17:44 -------- d-----w- c:\temp\WPDNSE
2010-04-26 17:39 . 2010-04-26 17:39 16384 ----atw- c:\temp\Perflib_Perfdata_7bc.dat
2010-04-21 00:57 . 2010-04-23 00:57 -------- d-----w- c:\temp\MPTelemetrySubmit
2010-04-21 00:57 . 2010-04-21 00:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-04-20 15:54 . 2010-04-26 10:04 -------- d-----w- c:\temp\Google Toolbar
2010-04-20 15:54 . 2010-04-20 15:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-04-20 14:38 . 2010-04-19 11:05 5918776 ----a-w- C:\mbam-setup-1.45.exe
2010-04-19 17:42 . 2010-04-19 17:42 -------- d-----w- c:\program files\Windows Defender
2010-04-19 17:39 . 2010-02-24 09:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-19 16:49 . 2010-04-26 17:45 -------- d-----w- c:\temp\Acrobat Distiller 7
2010-04-19 16:48 . 2010-04-26 17:38 -------- d-----w- c:\temp\hsperfdata_SYSTEM
2010-04-19 16:47 . 2010-04-26 17:48 -------- d-----w- C:\Temp
2010-04-19 16:47 . 2010-04-26 17:47 -------- d-sh--w- c:\temp\Temporary Internet Files
2010-04-19 14:40 . 2010-04-19 14:40 -------- d-----w- c:\documents and settings\Isabelle\Application Data\Office Genuine Advantage
2010-04-19 14:37 . 2010-04-19 14:47 -------- d-----w- C:\BOtyko
2010-04-19 09:36 . 2010-04-19 09:36 417792 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\RapportMR.dll
2010-04-19 09:36 . 2010-04-19 09:36 73728 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\ncqo.exe
2010-04-16 16:38 . 2010-04-16 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-15 19:15 . 2010-04-19 09:42 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-15 19:11 . 2010-04-26 17:40 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 19:10 . 2010-04-15 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-15 19:10 . 2010-04-15 19:10 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-15 17:32 . 2010-04-15 17:32 77312 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16032\jcmqu.exe
2010-04-15 17:32 . 2010-04-15 17:32 73728 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16032\ncqo.exe
2010-04-15 17:32 . 2010-04-15 17:32 417792 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16032\RapportMR.dll
2010-04-15 12:02 . 2010-04-15 17:30 0 ----a-w- c:\windows\system32\acctresm.sys
2010-04-15 08:46 . 2010-04-16 13:48 55732165 --sha-w- c:\windows\system32\adsnty.sys
2010-04-15 08:43 . 2010-04-15 10:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-13 21:56 . 2010-04-13 21:56 -------- d-sh--w- c:\documents and settings\Isabelle\IECompatCache
2010-04-13 18:46 . 2010-04-13 18:46 -------- d-sh--w- c:\documents and settings\LocalService\Temporary Internet Files
2010-04-13 18:38 . 2010-04-13 18:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 17:43 . 2010-04-13 21:21 -------- d-----w- c:\program files\Digital ProtectionXX
2010-04-13 17:39 . 2010-04-19 09:41 0 ----a-w- c:\documents and settings\Isabelle\Application Data\Trusteer\Rapport\RapportBukaExt.dll
2010-04-13 17:39 . 2010-04-13 17:39 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-04-13 17:38 . 2010-04-13 17:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-13 17:37 . 2010-04-13 17:37 -------- d-----w- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 17:40 . 2008-10-16 20:10 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-26 09:59 . 2008-10-16 18:43 -------- d-----w- c:\program files\OCS Inventory Agent
2010-04-22 13:44 . 2006-12-07 12:01 32640 ----a-w- c:\windows\system32\drivers\symc8xx.sys
2010-04-20 15:22 . 2010-01-20 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 09:31 . 2007-07-20 18:10 -------- d-----w- c:\program files\UltraVNC
2010-04-16 17:14 . 2010-03-20 10:26 -------- d-----w- c:\documents and settings\Isabelle\Application Data\Suig
2010-04-13 21:24 . 2010-01-20 22:22 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-29 23:46 . 2010-01-20 22:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2010-01-20 22:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 03:20 . 2010-03-10 17:18 -------- d-----w- c:\program files\Google
2010-03-10 17:18 . 2010-03-10 17:16 -------- d-----w- c:\program files\Zylom Games
2010-03-10 17:16 . 2010-03-10 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
2010-03-10 06:15 . 2004-08-04 16:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 15:25 . 2010-03-05 16:25 -------- d-----w- c:\documents and settings\Isabelle\Application Data\U3
2010-03-05 15:17 . 2010-03-05 15:17 -------- d-----w- c:\documents and settings\Isabelle\Application Data\Malwarebytes
2010-03-05 13:51 . 2010-03-05 13:51 -------- d-----w- c:\documents and settings\Isabelle\Application Data\AdobeUM
2010-03-05 13:21 . 2010-03-05 13:21 95672 ----a-w- c:\documents and settings\Isabelle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-05 13:19 . 2008-10-15 22:17 157540 ----a-w- c:\windows\system32\nvModes.dat
2010-03-04 17:47 . 2008-10-16 20:05 256 ----a-w- c:\windows\system32\pool.bin
2010-03-04 14:53 . 2010-03-04 14:23 -------- d-----w- c:\program files\Unlocker
2010-03-04 14:24 . 2006-12-04 14:03 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-03 19:04 . 2010-03-03 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-03 18:38 . 2010-03-03 18:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2010-03-03 17:41 . 2010-03-03 17:41 95672 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 17:40 . 2010-03-03 17:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Research In Motion
2010-03-03 17:39 . 2010-03-03 17:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Trusteer
2010-03-01 12:11 . 2010-03-05 13:18 -------- d-----w- c:\documents and settings\Isabelle\Application Data\Trusteer
2010-02-27 08:23 . 2010-02-27 08:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-02-25 19:49 . 2010-02-25 19:49 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-02-25 17:13 . 2006-12-04 12:21 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-25 15:42 . 2010-02-25 15:42 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
2010-02-25 15:42 . 2010-02-25 15:42 390528 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys
2010-02-25 15:42 . 2010-02-25 15:42 249856 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
2010-02-25 06:24 . 2004-08-04 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 16:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-04 16:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 02:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-02-25 17:40 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-04 16:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 16:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2008-02-22 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-01-07 98304]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2007-8-29 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acro User Config]
2005-03-03 15:35 122734 ----a-w- c:\acroread\Reader\Acro_user_config.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flash User Config]
2004-05-04 20:19 121465 -c--a-w- c:\windows\system32\Macromed\Shockwave 10\Xtras\Flash_user_config.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 21:07 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-07-21 22:50 86016 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-07-21 22:48 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPlager User Config]
2005-04-08 16:52 123426 ----a-w- c:\program files\Windows Media Player\WMP_USER_CONFIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-07-21 22:47 81920 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RightFaxClient]
2001-03-13 21:36 139264 ----a-w- c:\program files\RightFAX\FaxCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-05-01 14:07 843776 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 07:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zie_user_config]
2006-04-28 16:04 123639 ----a-w- c:\program files\Internet Explorer\ie_user_config.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tb2Launch"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [04/12/2006 13:34 241815]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [04/12/2006 13:34 10880]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [25/02/2010 16:42 390528]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [23/03/2010 16:39 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [23/03/2010 16:39 125160]
R2 BearScreenLock;BearScreenLock;c:\program files\Bear Stearns\BearScreenLock\BearScreenLock.exe [23/11/2004 22:19 36864]
R2 BearTuner;Bear Tuner;c:\program files\marimba\Castanet Tuner\Tuner.exe [14/07/2006 16:21 32871]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [27/02/2007 20:32 61440]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [23/03/2010 16:39 779496]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [15/06/2006 06:40 115952]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [20/07/2007 19:10 6016]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/02/2010 15:58 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/03/2010 04:20 135664]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 03:20]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 03:20]

2010-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2010-04-26 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://216.255.118.171/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(15216)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\7.00\HostExplorer\Ftp\HESHELL.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-26 18:49:48
ComboFix-quarantined-files.txt 2010-04-26 17:49
ComboFix2.txt 2010-04-26 10:12

Pre-Run: 118,938,877,952 bytes free
Post-Run: 118,889,971,712 bytes free

Current=4 Default=4 Failed=1 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 877CAF060F006D318E22FD6D4A9C00B2






Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4040

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

26/04/2010 19:55:59
mbam-log-2010-04-26 (19-55-59).txt

Scan type: Quick scan
Objects scanned: 124123
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ESUGMSI.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
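The ComboFix listing above is the kind of output a responder reads by eye, looking for the attributes that stand out: an executable marked system+hidden (`--sha-w-`) in system32, a 55 MB "driver" (`adsnty.sys`, real drivers are a few hundred KB at most), zero-byte `.sys`/`.dll` stubs, and executables with random names dropped under a user profile. The script below is an added example, not part of this thread or of ComboFix itself: it parses entries in the log's format and returns each path together with the reasons it deserves a second look. The positional reading of the attribute column (d=directory, c=compressed, s=system, h=hidden, a=archive, r/w=read-only/writable) and the 16 MiB driver threshold are assumptions made from the strings in this log, and the profile-path rule yields review candidates only, since vendors such as Trusteer legitimately keep binaries under Application Data. The sample entries are copied from the log above.

```python
"""Triage heuristics for ComboFix-style file listings (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import Optional

# One row of the "Files Created" / "Find3M" sections looks like:
#   2010-04-15 08:46 . 2010-04-16 13:48 55732165 --sha-w- c:\windows\system32\adsnty.sys
# Directory rows carry "--------" in the size column.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
BIG_DRIVER = 16 * 1024 * 1024  # assumption: no legitimate driver in this log is near this size


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directory rows
    attrs: str
    path: str

    # Attribute column read one flag per position:
    #   [0]=d directory, [1]=c compressed, [2]=s system, [3]=h hidden,
    #   [4]=a archive, [6]=r/w read-only/writable.
    # This positional mapping is an assumption inferred from the log's strings.
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"


def parse(lines):
    """Return Entry objects for every row that matches the listing format; skip headers and dots."""
    out = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        out.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return out


def reasons_for(e: Entry):
    """Reasons an entry deserves manual review; an empty list means nothing stood out."""
    reasons = []
    p = e.path.lower()
    if e.is_dir or not p.endswith(EXEC_EXT):
        return reasons
    if e.system and e.hidden:
        reasons.append("hidden+system executable")  # payloads hidden from a normal directory view
    if e.size == 0:
        reasons.append("zero-byte executable")  # stub left behind by a dropper or a failed cleanup
    if p.endswith(".sys") and e.size and e.size > BIG_DRIVER:
        reasons.append("driver over 16 MiB")  # adsnty.sys in this log is 55 MB
    if any(seg in p for seg in USER_WRITABLE):
        reasons.append("executable in user-writable profile path")  # candidate only
    return reasons


def triage(lines):
    """(path, reasons) for every flagged entry, in log order."""
    flagged = []
    for e in parse(lines):
        r = reasons_for(e)
        if r:
            flagged.append((e.path, r))
    return flagged


# Rows copied from the ComboFix log in this thread; the directory row and vbscript.dll
# are included to show that directories and ordinary system files pass through unflagged.
SAMPLE = [
    r"2010-04-19 09:36 . 2010-04-19 09:36 73728 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\ncqo.exe",
    r"2010-04-15 19:15 . 2010-04-19 09:42 12872 ----a-w- c:\windows\system32\bootdelete.exe",
    r"2010-04-15 12:02 . 2010-04-15 17:30 0 ----a-w- c:\windows\system32\acctresm.sys",
    r"2010-04-15 08:46 . 2010-04-16 13:48 55732165 --sha-w- c:\windows\system32\adsnty.sys",
    r"2010-04-13 17:39 . 2010-04-19 09:41 0 ----a-w- c:\documents and settings\Isabelle\Application Data\Trusteer\Rapport\RapportBukaExt.dll",
    r"2010-04-26 17:40 . 2008-10-16 20:10 -------- d-----w- c:\program files\Symantec AntiVirus",
    r"2010-03-10 06:15 . 2004-08-04 16:00 420352 ----a-w- c:\windows\system32\vbscript.dll",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE):
        print(f"{path}\n    -> {', '.join(reasons)}")
```

Run against a whole saved ComboFix.txt by reading the file into `triage()`; the output is a worklist to check against the vendor's own files and VirusTotal-style hashes, not a verdict. In this thread, for instance, ESET later identified `symc8xx.sys` as Win32/Olmarik.XG although its listing row looks ordinary, so attribute heuristics complement, and never replace, a signature or rootkit scan.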


#8 Farbar (Security Developer, The Netherlands)

Posted 26 April 2010 - 03:40 PM

Good job and thanks for the feedback.

We need a full checkup now.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push




#9 IsaT (Topic Starter)

Posted 27 April 2010 - 06:17 AM

Hi Farbar,

So happy to see we are getting great results. I have left the Internet connection open overnight and nothing has happened so far.
I have also run the scan as requested - see log below. Let me know what you think.

And a really huge thank you for all your help.
cheers
IsaT



C:\BOtyko\unlocker1.8.8.exe Win32/Adware.ADON application deleted - quarantined
C:\Documents and Settings\Isabelle\Application Data\Sun\Java\Deployment\cache\6.0\25\5c82fb99-673bcd1e Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Documents and Settings\Isabelle\Application Data\Sun\Java\Deployment\cache\6.0\8\16d10208-743a34e9 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\13\d7d440d-426d8af1 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\56\68894b8-7e2180d8 Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\kbsfr32.dll.vir a variant of Win32/Cimag.CH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\svchost.exe.vir a variant of Win32/Kryptik.DPC trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\symc8xx.sys.vir Win32/Olmarik.XG trojan cleaned - quarantined
C:\System Volume Information\_restore{326926CE-5CDE-4DC6-86F7-B2AB753CB442}\RP1\A0001026.sys Win32/Olmarik.XG trojan cleaned - quarantined
C:\System Volume Information\_restore{326926CE-5CDE-4DC6-86F7-B2AB753CB442}\RP1\A0001308.dll a variant of Win32/Cimag.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{326926CE-5CDE-4DC6-86F7-B2AB753CB442}\RP1\A0001309.exe a variant of Win32/Kryptik.DPC trojan cleaned by deleting - quarantined



#10 Farbar (Security Developer, The Netherlands)

Posted 27 April 2010 - 08:14 AM

You are most welcome IsaT.

Everything looks good.
  1. Clear the Java Plug-in cache:
    • Click Start > Control Panel.
    • Double-click the Java icon in the control panel to open Java Control Panel.
    • Under Temporary Internet Files Click Settings to open Temporary Files dialog box.
    • Click Delete Files to open the Delete Temporary Files dialog box.
    • Make sure all the options are checked. Click OK.

  2. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  3. Delete TDL-Fix and any other log or tool we used.


Happy Surfing IsaT.


#11 IsaT (Topic Starter)

Posted 27 April 2010 - 08:35 AM

Hi Farbar,
All done! A massive thank you for taking me through the process and cleaning my computer - I am so happy and relieved now.
You are a star!!!
All the best.
Cheers
IsaT


#12 Farbar (Security Developer, The Netherlands)

Posted 27 April 2010 - 05:36 PM

You are most welcome IsaT and thanks for your kind words.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



